Post by Lee Sharp on Nov 2, 2015 18:21:51 GMT
Post by mikael on Nov 3, 2015 13:57:25 GMT
Thanks for the link! I suspected I was trying the wrong beta when I saw references to FreeBSD 10.2.
Now I have reinstalled with t1n1wall 1.8.2b65. With this version I am able to log in with the VPN client and I can connect to resources on the local network. But I cannot access the t1n1wall web interface. This t1n1wall beta behaves exactly the same way as smallwall does, IMO.
Are there some options I need to tweak?
Post by Lee Sharp on Nov 4, 2015 5:00:17 GMT
Do you have a default rule in the VPN segment? Can you ping the firewall?
Post by mikael on Nov 4, 2015 8:59:55 GMT
Yes, I have a default rule for L2TP that allows everything to L2TP VPN clients. I can't ping the firewall LAN address and I can't connect to its web interface either.
I can however connect to other resources (machines) on the LAN. I see no difference in how t1n1wall and smallwall behave when it comes to L2TP/IPsec.
Here's the routing table info when a VPN client is connected (IPv6 excluded):
Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            62.77.131.1        UGS         0      658   nfe1
62.77.131.0/24     link#2             U           2      828   nfe1
62.77.131.253      link#2             UHS         0        0    lo0
127.0.0.1          link#4             UH          0       56    lo0
192.168.131.0/24   link#1             U           2     1162   nfe0
192.168.131.223    link#5             UHS         0        0    lo0
192.168.131.224    link#5             UH          0        0  l2tp1
192.168.131.254    link#1             UHS         0        0    lo0
Post by Lee Sharp on Nov 4, 2015 17:00:42 GMT
To, or from? It should look like this... Attachments:
Post by mikael on Nov 5, 2015 8:39:10 GMT
I've tried these options in L2TP rules. None of them works.
Post by Lee Sharp on Nov 5, 2015 17:57:35 GMT
Contact me offline next week and let me see if I can look into this. My e-mail is all over the smallwall website.
Post by mikael on Nov 6, 2015 13:44:05 GMT
Thanks Lee. I will do that. Since this is a test system, I can even give you full access to the machine.
andy
New Member
Amazing developer of the *walls...
Posts: 8
Post by andy on Nov 13, 2015 14:20:28 GMT
There is a typo/bug in 1.8 that I will post a fix for that could be your problem. This is fixed in 1.10 (but it seems 1.10 doesn't work for you for other reasons).
Post by Lee Sharp on Nov 15, 2015 2:07:33 GMT
Thanks Andy! And I have been watching your work on 1.10 over at t1n1wall, and it is looking very good!
Post by mikael on Nov 16, 2015 10:20:07 GMT
Thanks Andy! I will try t1n1wall "generic-pc-1.8.2b71.img" and report back.
Post by mikael on Nov 16, 2015 16:30:47 GMT
Hi again, I have now tried the above t1n1wall image with no success. I still have exactly the same problem. I can access resources on the LAN but I cannot access the t1n1wall web interface while connected via L2TP/IPsec VPN.
Please tell me what to do next.
TIA, Mikael
Post by andy on Nov 26, 2015 15:55:06 GMT
You need to post your firewall rules from /status.php when the client is connected; ideally all of /status.php would be useful.
Post by mikael on May 24, 2016 11:19:57 GMT
Hi, Sorry for the long delay. I lost my old test machine. Now I have a new one with virtualization. This makes tests easier.
I have installed two VMs. One with the latest smallwall beta (1.8.4b10) and one with the latest t1n1wall beta (1.8.2b78) in order to get to the bottom of these L2TP/IPsec problems.
I have set up both VMs identically, and so they behave identically.
Unfortunately all the old problems are still present: VPN users can connect OK. Local resources on the LAN are accessible to VPN users. But NO resources on the smallwall/t1n1wall LAN interface itself are accessible to VPN users.
This seems to be exactly the same problem that I have described before (above).
Andy asked me for firewall rules in /status.php. Here they are for t1n1wall (1.8.2b78):
unparsed ipnat rules
map em1 10.0.29.0/24 -> 0/32 proxy port 21 ftp/tcp
map em1 10.0.29.0/24 -> 0/32 portmap tcp/udp 1024:64535
map em1 10.0.29.0/24 -> 0/32
map em1 from 62.77.131.198/32 to any port = 53 -> 0.0.0.0/32 tcp/udp

unparsed ipfilter rules
# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# block short packets
block in log quick all with short
# block IP options
block in log quick all with ipopts
# allow access to DHCP server on LAN
pass in quick on em0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on em0 proto udp from any port = 68 to 10.0.29.11 port = 67
pass out quick on em0 proto udp from 10.0.29.11 port = 67 to any port = 68
# WAN spoof check
block in log quick on em1 from 10.0.29.0/24 to any
# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on em1 proto udp from any port = 68 to any port = 67
block in log quick on em1 proto udp from any port = 67 to 10.0.29.0/24 port = 68
pass in quick on em1 proto udp from any port = 67 to any port = 68
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on em0 from ! 10.0.29.0/24 to any
# block anything from private networks on WAN interface
block in log quick on em1 from 10.0.0.0/8 to any
block in log quick on em1 from 127.0.0.0/8 to any
block in log quick on em1 from 172.16.0.0/12 to any
block in log quick on em1 from 192.168.0.0/16 to any
# Pass IKE packets
pass in quick on em1 proto udp from any to 62.77.131.198 port = 500 keep frags
pass out quick on em1 proto udp from 62.77.131.198 port = 500 to any keep frags
# Pass NAT-T encapsulated ESP packets
pass in quick on em1 proto udp from any to 62.77.131.198 port = 4500 keep frags
pass out quick on em1 proto udp from 62.77.131.198 port = 4500 to any keep frags
# Pass ESP packets
pass in quick on em1 proto esp from any to 62.77.131.198 keep frags
pass out quick on em1 proto esp from 62.77.131.198 to any keep frags
# Pass AH packets
pass in quick on em1 proto ah from any to 62.77.131.198 keep frags
pass out quick on em1 proto ah from 62.77.131.198 to any keep frags
# Pass IKE packets
pass in quick on em0 proto udp from any to 10.0.29.11 port = 500 keep frags
pass out quick on em0 proto udp from 10.0.29.11 port = 500 to any keep frags
# Pass NAT-T encapsulated ESP packets
pass in quick on em0 proto udp from any to 10.0.29.11 port = 4500 keep frags
pass out quick on em0 proto udp from 10.0.29.11 port = 4500 to any keep frags
# Pass ESP packets
pass in quick on em0 proto esp from any to 10.0.29.11 keep frags
pass out quick on em0 proto esp from 10.0.29.11 to any keep frags
# Pass AH packets
pass in quick on em0 proto ah from any to 10.0.29.11 keep frags
pass out quick on em0 proto ah from 10.0.29.11 to any keep frags
# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on em0 all head 100
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em0 all keep state
#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on em1 all head 200
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em1 all keep state
# always pass outgoing IPsec encapsulated packets
pass out quick on enc0 all keep state
# make sure the user cannot lock himself out of the webGUI
pass in quick from 10.0.29.0/24 to 10.0.29.11 keep state group 100
# User-defined rules follow
pass in quick proto tcp from 62.77.131.200 to 62.77.131.198 port = 80 keep state group 200
pass in quick from 10.0.29.0/24 to any keep state group 100
pass in quick on l2tp0 from any to any keep state
pass in quick on l2tp1 from any to any keep state
pass in quick on l2tp2 from any to any keep state
pass in quick on l2tp3 from any to any keep state
pass in quick on l2tp4 from any to any keep state
pass in quick on l2tp5 from any to any keep state
pass in quick on l2tp6 from any to any keep state
pass in quick on l2tp7 from any to any keep state
pass in quick on l2tp8 from any to any keep state
pass in quick on l2tp9 from any to any keep state
pass in quick on l2tp10 from any to any keep state
pass in quick on l2tp11 from any to any keep state
pass in quick on l2tp12 from any to any keep state
pass in quick on l2tp13 from any to any keep state
pass in quick on l2tp14 from any to any keep state
pass in quick on l2tp15 from any to any keep state
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

unparsed ipfw rules
add 50000 set 4 pass all from 10.0.29.11 to any
add 50001 set 4 pass all from any to 10.0.29.11
And here's the same info for smallwall (1.8.4b10):
unparsed ipnat rules
map em1 10.0.29.0/24 -> 0/32 proxy port 21 ftp/tcp
map em1 10.0.29.0/24 -> 0/32 portmap tcp/udp 1024:64535
map em1 10.0.29.0/24 -> 0/32
map em1 from 62.77.131.197/32 to any port = 53 -> 0.0.0.0/32 tcp/udp

unparsed ipfilter rules
# loopback
pass in quick on lo0 all
pass out quick on lo0 all
# block short packets
block in log quick all with short
# block IP options
block in log quick all with ipopts
# allow access to DHCP server on LAN
pass in quick on em0 proto udp from any port = 68 to 255.255.255.255 port = 67
pass in quick on em0 proto udp from any port = 68 to 10.0.29.10 port = 67
pass out quick on em0 proto udp from 10.0.29.10 port = 67 to any port = 68
# WAN spoof check
block in log quick on em1 from 10.0.29.0/24 to any
# allow our DHCP client out to the WAN
# XXX - should be more restrictive
# (not possible at the moment - need 'me' like in ipfw)
pass out quick on em1 proto udp from any port = 68 to any port = 67
block in log quick on em1 proto udp from any port = 67 to 10.0.29.0/24 port = 68
pass in quick on em1 proto udp from any port = 67 to any port = 68
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
block in log quick on em0 from ! 10.0.29.0/24 to any
# block anything from private networks on WAN interface
block in log quick on em1 from 10.0.0.0/8 to any
block in log quick on em1 from 127.0.0.0/8 to any
block in log quick on em1 from 172.16.0.0/12 to any
block in log quick on em1 from 192.168.0.0/16 to any
# Pass IKE packets
pass in quick on em1 proto udp from any to 62.77.131.197 port = 500 keep frags
pass out quick on em1 proto udp from 62.77.131.197 port = 500 to any keep frags
# Pass NAT-T encapsulated ESP packets
pass in quick on em1 proto udp from any to 62.77.131.197 port = 4500 keep frags
pass out quick on em1 proto udp from 62.77.131.197 port = 4500 to any keep frags
# Pass ESP packets
pass in quick on em1 proto esp from any to 62.77.131.197 keep frags
pass out quick on em1 proto esp from 62.77.131.197 to any keep frags
# Pass AH packets
pass in quick on em1 proto ah from any to 62.77.131.197 keep frags
pass out quick on em1 proto ah from 62.77.131.197 to any keep frags
# Pass IKE packets
pass in quick on em0 proto udp from any to 10.0.29.10 port = 500 keep frags
pass out quick on em0 proto udp from 10.0.29.10 port = 500 to any keep frags
# Pass NAT-T encapsulated ESP packets
pass in quick on em0 proto udp from any to 10.0.29.10 port = 4500 keep frags
pass out quick on em0 proto udp from 10.0.29.10 port = 4500 to any keep frags
# Pass ESP packets
pass in quick on em0 proto esp from any to 10.0.29.10 keep frags
pass out quick on em0 proto esp from 10.0.29.10 to any keep frags
# Pass AH packets
pass in quick on em0 proto ah from any to 10.0.29.10 keep frags
pass out quick on em0 proto ah from 10.0.29.10 to any keep frags
# Block TCP packets that do not mark the start of a connection
skip 1 in proto tcp all flags S/SAFR
block in log quick proto tcp all
#---------------------------------------------------------------------------
# group head 100 - LAN interface
#---------------------------------------------------------------------------
block in log quick on em0 all head 100
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em0 all keep state
#---------------------------------------------------------------------------
# group head 200 - WAN interface
#---------------------------------------------------------------------------
block in log quick on em1 all head 200
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em1 all keep state
# always pass outgoing IPsec encapsulated packets
pass out quick on enc0 all keep state
# make sure the user cannot lock himself out of the webGUI
pass in quick from 10.0.29.0/24 to 10.0.29.10 keep state group 100
# User-defined rules follow
pass in quick proto tcp from 62.77.131.200 to 62.77.131.197 port = 80 keep state group 200
pass in quick from 10.0.29.0/24 to any keep state group 100
pass in quick on l2tp0 from any to any keep state
pass in quick on l2tp1 from any to any keep state
pass in quick on l2tp2 from any to any keep state
pass in quick on l2tp3 from any to any keep state
pass in quick on l2tp4 from any to any keep state
pass in quick on l2tp5 from any to any keep state
pass in quick on l2tp6 from any to any keep state
pass in quick on l2tp7 from any to any keep state
pass in quick on l2tp8 from any to any keep state
pass in quick on l2tp9 from any to any keep state
pass in quick on l2tp10 from any to any keep state
pass in quick on l2tp11 from any to any keep state
pass in quick on l2tp12 from any to any keep state
pass in quick on l2tp13 from any to any keep state
pass in quick on l2tp14 from any to any keep state
pass in quick on l2tp15 from any to any keep state
#---------------------------------------------------------------------------
# default rules (just to be sure)
#---------------------------------------------------------------------------
block in log quick all
block out log quick all

unparsed ipfw rules
add 50000 set 4 pass all from 10.0.29.10 to any
add 50001 set 4 pass all from any to 10.0.29.10
I'm happy to test whatever you think is necessary, and I can easily install new versions of smallwall/t1n1wall on this server thanks to virtualization.
Thanks, Mikael
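To see which of the pasted ipfilter rules decides a given packet, here is a small rule tracer added to this thread (my own code, not part of t1n1wall, smallwall or the posts above). It walks a constructed subset of the t1n1wall 1.8.2b78 ruleset with ipfilter's first-quick-match and head/group semantics; it ignores ports, "keep state" and IPsec decapsulation, and the L2TP client address 10.0.29.200 is an assumption.

```python
import ipaddress
# Constructed subset of the t1n1wall 1.8.2b78 ipfilter rules pasted above. ipfilter only
# evaluates "group 100" rules for packets that matched the "head 100" rule (arrived on em0).
RULES = [
    "block in log quick on em0 from ! 10.0.29.0/24 to any",
    "block in log quick on em0 all head 100",
    "pass in quick from 10.0.29.0/24 to 10.0.29.11 keep state group 100",
    "pass in quick on l2tp1 from any to any keep state",
    "block in log quick all",
]

def parse(line):
    """Reduce one rule to the fields the tracer uses; port and state options are ignored."""
    t, i = line.split(), 1
    r = {"text": line, "iface": None, "proto": None, "head": None, "group": None,
         "src": ("any", False), "dst": ("any", False)}
    while i < len(t):
        w = t[i]
        if w in ("on", "proto", "head", "group"):
            r["iface" if w == "on" else w] = t[i + 1]; i += 2
        elif w in ("from", "to"):  # an optional "!" negates the address
            neg = t[i + 1] == "!"
            r["src" if w == "from" else "dst"] = (t[i + 1 + neg], neg); i += 2 + neg
        else:
            i += 1  # log, quick, all, keep, state, ...
    return r

def addr_match(spec, ip):
    net, neg = spec
    hit = net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)
    return hit != neg

def matches(r, pkt):
    return (r["iface"] in (None, pkt["iface"]) and r["proto"] in (None, pkt["proto"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"]))

def trace(rules, pkt):
    """Deciding rule: first quick match; a matching head rule descends into its group
    and keeps its own action when no group rule matches."""
    parsed = [parse(x) for x in rules]
    for r in parsed:
        if r["group"] is not None or not matches(r, pkt):
            continue
        if r["head"] is not None:
            for g in parsed:
                if g["group"] == r["head"] and matches(g, pkt):
                    return g
        return r

if __name__ == "__main__":
    vpn = {"iface": "l2tp1", "proto": "tcp", "src": "10.0.29.200", "dst": "10.0.29.11"}  # assumed client IP
    print(trace(RULES, vpn)["text"], "/", trace(RULES, dict(vpn, iface="em0", src="10.0.29.50"))["text"])
```

Run against the full dump, the same walk shows that a client packet on l2tp1 never enters group 100, so the webGUI anti-lockout rule is not what passes it; the per-interface l2tpN rule is.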
Post by Lee Sharp on May 24, 2016 14:08:42 GMT
So, other than the IP address changes, the rules are identical. But I have noticed that Andy is more focused on his 10 branch now than the 1.8, and I have even backported stuff that he did not. Just to make sure you have it covered, can you also test with 10 to see if the output is the same? Also, what client are you using? Is there a way to use something like Wireshark to capture packets and see the difference between web on smallwall and web on a local client? Also, can you hit the captive portal on smallwall, as it is a totally different service with a different web engine?