Hello forum.
This is a bit of a long shot and I don't have much useful diagnostic information to provide, but I'm otherwise running out of ideas.
At home, I have replaced my ISP-supplied VDSL router with a bridging modem and a FreeBSD host running pf(4). I have a very simple ruleset which NATs my home LAN private range behind the public IP address on the WAN interface (My two interfaces igb0 and igb1 have been renamed to lan and wan respectively):
This works absolutely fine for all "normal" traffic from my various LAN hosts.
To enable me to work from home regularly, my work IT department have provided me with a VOIP phone, an Avaya 9611G. This phone has built-in IPsec and many colleagues use them from home without difficulties. It's supposed to establish a tunnel to the company IPsec gateways, get an IP address on the corporate network, and telephony services then just work.
Not so for me though. The phone's IPsec tunnel starts up and I can see the packets passing through the FreeBSD gateway. I see the initial ISAKMP packets passing back and forth on UDP port 500, then it negotiates NAT-Traversal with the peer and everything else is then encapsulated inside UDP on port 4500.
The problem is, when the phone tries to talk to the telephony servers on the corporate network through the tunnel, it fails and starts throwing "No signalling" errors. Seconds later, the IPsec tunnel drops and I have to manually start it up again.
Initially pf was translating the source port of the phone's IPsec packets so they were no longer from port 500 or 4500. I added a couple of extra translation rules to pf to avoid this:
This didn't help.
The IT guys at work aren't being much help in figuring this out. They can see my home phone registering with the call server, but then their logs show some kind of communication being blocked. They told me to set my firewall to permit TCP port 1720 (Q.931 call setup) and UDP port 1719 (Gatekeeper Discovery RAS), but as this is encapsulated inside the IPsec tunnel when it passes through pf, I don't see how it can help. pflog doesn't show any such packets being blocked.
One of the IT guys swapped out my phone with one that he had been successfully using from home the previous day, but the same problem occurred. They have concluded that something is wrong with my home networking setup and have gone silent on my support ticket.
I'm wondering if there's something unusual in what pf is doing with the IPsec packets that might be causing the telephony communication to fail. From all appearances, pf appears to be NATing the IPsec UDP packets just fine and keeping state for the replies. pf maintains UDP state for 2 minutes, but the IPsec peers are sending eachother keepalives every 20 seconds so the state never expires. I can't examine the traffic inside the tunnel, so it's very difficult to diagnose.
I've also tried toggling traffic normalisation in pf in case fragment reassembly was screwing something up. No change.
I'm hoping someone else may have some experience with using IPsec through pf+NAT and may have some insights. To clarify, the FreeBSD host itself isn't doing IPsec.
Can anyone help?
J
This is a bit of a long shot and I don't have much useful diagnostic information to provide, but I'm otherwise running out of ideas.
At home, I have replaced my ISP-supplied VDSL router with a bridging modem and a FreeBSD host running pf(4). I have a very simple ruleset which NATs my home LAN private range behind the public IP address on the WAN interface (My two interfaces igb0 and igb1 have been renamed to lan and wan respectively):
Code:
set skip on { lo0, lan }
nat on wan from ! (wan) to any -> (wan) round-robin
block drop log all
pass out quick on wan all flags S/SA keep stateTo enable me to work from home regularly, my work IT department have provided me with a VOIP phone, an Avaya 9611G. This phone has built-in IPsec and many colleagues use them from home without difficulties. It's supposed to establish a tunnel to the company IPsec gateways, get an IP address on the corporate network, and telephony services then just work.
Not so for me though. The phone's IPsec tunnel starts up and I can see the packets passing through the FreeBSD gateway. I see the initial ISAKMP packets passing back and forth on UDP port 500, then it negotiates NAT-Traversal with the peer and everything else is then encapsulated inside UDP on port 4500.
The problem is, when the phone tries to talk to the telephony servers on the corporate network through the tunnel, it fails and starts throwing "No signalling" errors. Seconds later, the IPsec tunnel drops and I have to manually start it up again.
Initially pf was translating the source port of the phone's IPsec packets so they were no longer from port 500 or 4500. I added a couple of extra translation rules to pf to avoid this:
Code:
nat on wan inet proto udp from ! (wan) port 500 to any -> (wan) port 500
nat on wan inet proto udp from ! (wan) port 4500 to any -> (wan) port 4500This didn't help.
The IT guys at work aren't being much help in figuring this out. They can see my home phone registering with the call server, but then their logs show some kind of communication being blocked. They told me to set my firewall to permit TCP port 1720 (Q.931 call setup) and UDP port 1719 (Gatekeeper Discovery RAS), but as this is encapsulated inside the IPsec tunnel when it passes through pf, I don't see how it can help. pflog doesn't show any such packets being blocked.
One of the IT guys swapped out my phone with one that he had been successfully using from home the previous day, but the same problem occurred. They have concluded that something is wrong with my home networking setup and have gone silent on my support ticket.
I'm wondering if there's something unusual in what pf is doing with the IPsec packets that might be causing the telephony communication to fail. From all appearances, pf appears to be NATing the IPsec UDP packets just fine and keeping state for the replies. pf maintains UDP state for 2 minutes, but the IPsec peers are sending eachother keepalives every 20 seconds so the state never expires. I can't examine the traffic inside the tunnel, so it's very difficult to diagnose.
I've also tried toggling traffic normalisation in pf in case fragment reassembly was screwing something up. No change.
I'm hoping someone else may have some experience with using IPsec through pf+NAT and may have some insights. To clarify, the FreeBSD host itself isn't doing IPsec.
Can anyone help?
J