ipfw rules for ikev2/ipsec
Date: Sun, 23 Apr 2023 17:47:49 UTC
Trying to get a black-box cell booster set up; new to vpn.

Internal net is using NAT.

Using tcpdump I see the following on my internal net:

IP internal_dhcp_ip.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]

That looks like it's trying to set up a vpn connection to verizon using ikev2/ipsec.

I already had the following rule:

08411 allow udp from any to any out keep-state :default

However, I saw nothing going out. So I added this:

07120 allow udp from my_internal_net to any 500 keep-state :default

And now I see these going to the outside:

IP a.b.c.d.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]

However, I see nothing coming back.

Tried adding similar rules for ports 4500, 1500, 1701, but that made no difference.

Tried adding esp and ah protocols as in:

07150 allow esp from my_internal_net to any 50 keep-state :default

Not sure how to deal with esp and ah protocols, and ipsec on 1701.

Questions:

1. Why did I need the explicit rule at 7120? Why doesn't 8411 suffice?

2. What am I missing?

Thanks,
Gary
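The post's evidence is a set of tcpdump lines showing IKE_SA_INIT requests leaving and nothing returning. The script below is an added example, not code from the post or from FreeBSD; it parses tcpdump output of the shape quoted above and reports, per remote peer, which stage of the IKEv2/IPsec exchange stalls (no IKE reply, IKE completed but no ESP, ESP leaving with no ESP returning), which is the question a firewall admin needs answered before touching ipfw rules. The captures are constructed: the internal address 192.168.1.50, the local net 192.168.1.0/24 and the timestamps are made up, and the NAT-T line formats ("NONESP-encap", "UDP-encap") are modelled on tcpdump's style rather than copied from the post. Only 69.78.33.148, the peer the post mentions, comes from the page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed capture 1: the situation described in the post. Three
# IKE_SA_INIT requests leave the internal host; nothing comes back.
STALLED_CAPTURE = """\
17:40:01.000001 IP 192.168.1.50.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]
17:40:02.000001 IP 192.168.1.50.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]
17:40:05.000001 IP 192.168.1.50.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]
"""

# Constructed capture 2: IKE completes on udp/500 but the raw ESP packets
# that follow get no answer (the case an "esp ... to any 50" rule would leave you in).
NO_ESP_REPLY_CAPTURE = """\
17:42:01 IP 192.168.1.50.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]
17:42:01 IP 69.78.33.148.500 > 192.168.1.50.500: isakmp: parent_sa ikev2_init[R]
17:42:01 IP 192.168.1.50.500 > 69.78.33.148.500: isakmp: child_sa  ikev2_auth[I]
17:42:01 IP 69.78.33.148.500 > 192.168.1.50.500: isakmp: child_sa  ikev2_auth[R]
17:42:02 IP 192.168.1.50 > 69.78.33.148: ESP(spi=0x0000abcd,seq=0x1), length 132
17:42:03 IP 192.168.1.50 > 69.78.33.148: ESP(spi=0x0000abcd,seq=0x2), length 132
"""

# Constructed capture 3: a healthy NAT-traversal session, IKE_AUTH and ESP both on udp/4500.
HEALTHY_CAPTURE = """\
17:41:01.000001 IP 192.168.1.50.500 > 69.78.33.148.500: isakmp: parent_sa ikev2_init[I]
17:41:01.100001 IP 69.78.33.148.500 > 192.168.1.50.500: isakmp: parent_sa ikev2_init[R]
17:41:01.200001 IP 192.168.1.50.4500 > 69.78.33.148.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
17:41:01.300001 IP 69.78.33.148.4500 > 192.168.1.50.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
17:41:01.400001 IP 192.168.1.50.4500 > 69.78.33.148.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1), length 132
17:41:01.500001 IP 69.78.33.148.4500 > 192.168.1.50.4500: UDP-encap: ESP(spi=0x00001234,seq=0x1), length 132
"""

# "[timestamp] IP src[.port] > dst[.port]: payload"; the endpoint groups stop at the colon.
LINE_RE = re.compile(r"^(?:\S+\s+)?IP ([^\s:]+) > ([^\s:]+): (.*)$")


def split_endpoint(token):
    """'1.2.3.4.500' -> ('1.2.3.4', 500); '1.2.3.4' (ESP, no port) -> ('1.2.3.4', None)."""
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return token, None


def parse_line(line):
    """Classify one tcpdump line as IKE (udp/500), IKE over NAT-T (udp/4500), raw ESP or ESP-in-UDP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, payload = m.groups()
    src_ip, sport = split_endpoint(src)
    dst_ip, dport = split_endpoint(dst)
    natt = 4500 in (sport, dport)
    if "isakmp" in payload:
        kind = "ike-natt" if natt else "ike"
    elif "ESP(" in payload:
        kind = "esp-natt" if natt else "esp"
    else:
        return None  # not IPsec-related; ignored
    return {"src": src_ip, "dst": dst_ip, "kind": kind}


def summarize(capture, local_nets):
    """Count packets per remote peer, keyed by '<kind>-out' / '<kind>-in' relative to local_nets."""
    nets = [ipaddress.ip_network(n) for n in local_nets]

    def is_local(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    stats = defaultdict(lambda: defaultdict(int))
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        if is_local(pkt["src"]) and not is_local(pkt["dst"]):
            peer, direction = pkt["dst"], "out"
        elif is_local(pkt["dst"]) and not is_local(pkt["src"]):
            peer, direction = pkt["src"], "in"
        else:
            continue  # local-to-local or transit traffic; not our tunnel
        stats[peer][f"{pkt['kind']}-{direction}"] += 1
    return {peer: dict(c) for peer, c in stats.items()}


HINTS = {
    "no-ike-reply": "IKE_SA_INIT leaves on udp/500 but nothing returns: confirm the outbound udp/500 rule "
                    "is reached and that the reply path (check-state/keep-state, NAT) admits udp/500 back in",
    "ike-ok-no-esp": "IKE finished but no ESP was sent: the client never negotiated a CHILD_SA; look at the client side",
    "no-esp-reply": "ESP (or ESP-in-UDP on 4500) leaves but never returns: ESP has no ports, so a port-qualified "
                    "rule will not match it; allow proto esp and udp/4500 in both directions",
    "ok": "IKE and ESP flow in both directions",
}


def diagnose(peer_stats):
    """Reduce per-peer counters to one verdict per peer (a key of HINTS)."""
    verdicts = {}
    for peer, c in peer_stats.items():
        ike_out = c.get("ike-out", 0) + c.get("ike-natt-out", 0)
        ike_in = c.get("ike-in", 0) + c.get("ike-natt-in", 0)
        esp_out = c.get("esp-out", 0) + c.get("esp-natt-out", 0)
        esp_in = c.get("esp-in", 0) + c.get("esp-natt-in", 0)
        if ike_out and not ike_in:
            verdicts[peer] = "no-ike-reply"
        elif ike_in and not esp_out:
            verdicts[peer] = "ike-ok-no-esp"
        elif esp_out and not esp_in:
            verdicts[peer] = "no-esp-reply"
        else:
            verdicts[peer] = "ok"
    return verdicts


if __name__ == "__main__":
    for name, cap in (("stalled", STALLED_CAPTURE), ("no-esp-reply", NO_ESP_REPLY_CAPTURE), ("healthy", HEALTHY_CAPTURE)):
        for peer, verdict in diagnose(summarize(cap, ["192.168.1.0/24"])).items():
            print(f"{name}: {peer}: {verdict}: {HINTS[verdict]}")
```

To use it on a real capture, run tcpdump with -n (numeric addresses, so the endpoint regex sees dotted quads) on the internal interface and again on the outside interface, and feed each file to summarize() with the correct local net for that side; comparing the two verdicts tells you whether packets are lost before the firewall, inside it (visible inside, absent outside), or on the return path (reply seen outside, never inside).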