Can't configure IPSEC based VPN passthrough on "router" PC....

Hi, I installed Comodo on a PC that serves as the Internet sharing PC (it acts as a router).
One of my network clients is a laptop that connects over an IPSEC-based VPN to work. If I shut down Comodo, it works.
If not, I observed log entries in Comodo that denied some of the traffic, e.g. UDP port 4500-1111.
I installed all possible rules (e.g. UDP send/receive 4500, 500, and even 4500 to 1111). None of these rules trigger. It seems that Comodo, no matter what, decides that the packets are malformed.

Why is there no way to really override the Firewall for a specific port?

IPSec isn’t TCP or UDP. It’s a whole different creature. The setup uses connections in TCP and UDP so that client and server can get in sync with each other. Then both client and server shift over to an entirely different protocol.

In order for IPSec to work, you’ll have to have a rule something like this:

Allow Protocol IP In&Out from any to any where Protocol is 50 (IPSec protocol ESP)
Allow Protocol IP In&Out from any to any where Protocol is 51 (IPSec protocol AH)

Just for comparison, TCP is IP Protocol 6, and UDP is IP Protocol 17. Very different creatures.

To get the VPN itself working, you may need some other stuff, but that isn’t necessarily IPSec related.

Hi,

I added two rules for your suggestion. Unfortunately, the rules didn’t trigger. Please find below the logs I’m seeing:

Date/Time :2008-07-20 13:21:51
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming 
Source: 208.195.70.50 
Destination: 71.239.231.144 
Protocol : UDP 
Reason: Fragmented IP packets are not allowed
Date/Time :2008-07-20 13:21:51
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Incoming 
Source: 208.195.70.50:4500 
Destination: 71.239.231.144:1076 
Reason: UDP packet length and the size on the wire(1564 bytes) do not match
Date/Time :2008-07-20 13:21:21
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming 
Source: 208.195.70.50 
Destination: 71.239.231.144 
Protocol : UDP 
Reason: Fragmented IP packets are not allowed
Date/Time :2008-07-20 13:21:21
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Incoming 
Source: 208.195.70.50:4500 
Destination: 71.239.231.144:1076 
Reason: UDP packet length and the size on the wire(1564 bytes) do not match
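An added example, not from the thread or from Comodo: a small Python triage of the CFP v2.4 log format quoted above. It parses the first two entries (copied verbatim as sample input) and flags the pairing that explains them, a fragmented IP datagram and a “malformed UDP” event from source port 4500 at the same second from the same host, which is a fragmented IPsec NAT‑T packet that Protocol Analysis rejected before any port rule could apply.

```python
from collections import defaultdict
# Sample input: the first two entries quoted in the post above, copied verbatim.
NAT_T_PORT = 4500  # IPsec NAT traversal: IKE and UDP-encapsulated ESP (RFC 3948)

LOG = """\
Date/Time :2008-07-20 13:21:51
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming
Source: 208.195.70.50
Destination: 71.239.231.144
Protocol : UDP
Reason: Fragmented IP packets are not allowed
Date/Time :2008-07-20 13:21:51
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Incoming
Source: 208.195.70.50:4500
Destination: 71.239.231.144:1076
Reason: UDP packet length and the size on the wire(1564 bytes) do not match
"""

def parse_entries(text):
    """Split CFP v2.4 log text into dicts; each 'Date/Time' line opens an entry."""
    entries, cur = [], None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "Date/Time":
            cur = {}
            entries.append(cur)
        if cur is not None and key:
            cur[key] = val
    return entries

def triage(entries):
    """Flag (time, source host) pairs where a fragmented-IP drop coincides with a
    'malformed UDP' drop from UDP/4500: a fragmented IPsec NAT-T datagram."""
    seen = defaultdict(set)
    for e in entries:
        host, _, port = e.get("Source", "").partition(":")
        desc, key = e.get("Description", ""), (e.get("Date/Time"), host)
        if "Fragmented IP Packet" in desc and e.get("Protocol") == "UDP":
            seen[key].add("fragment")
        elif "Malformed UDP Packet" in desc and port == str(NAT_T_PORT):
            seen[key].add("nat-t")
    return [{"time": t, "source": h, "verdict": "fragmented IPsec NAT-T blocked"}
            for (t, h), tags in sorted(seen.items()) if tags == {"fragment", "nat-t"}]
```

The verdict explains why the port rules in the first post never triggered: Protocol Analysis dropped the fragments before rule matching, which is the setting the next reply points at.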

Since that is a CFP v2.4 log format, I’ll assume you’re running CFP v2.4. If you have a blue shield tray icon, then you are running v2.4. If it is a white tray icon, then you’re running v3.

In CFP v2.4, click Security → Advanced, Advanced Attack Detection, Configure → the Miscellaneous tab. Clear the checkbox for “block fragmented IP datagrams” and the checkbox for “do protocol analysis”.

Hi,

Yes, I got confused with the database version vs. product version. I have 2.4. Just checked, 3.0 appears not to be working on Windows Server anymore?

I got my VPN to work as well. However, pretty much only if I open all IP traffic. Is there a best practice overview on how to configure the firewall? I’m afraid that in its current state it is way too open.

I’ve moved your topic into the Help for v2 forum, to help keep things a little more on track.

VPN configuration can be, as you’ve probably found, confusing all by itself. Then tossing in a firewall can make things more confusing. From my own experience, I’ve found that having a network monitor, like Wireshark (http://www.wireshark.org/), can make getting things set up much, much easier. When you can see the packets moving around, you don’t have to guess about firewall rules or other configuration settings.

CFP can be used to secure a VPN, just like the VPN is another LAN (which it is, just a different kind of wire). But the order in which CFP handles things makes a difference.

I’m going to ask that you post a screenshot of your network rules. Open CFP, and maximize the window, then Alt-PrtScn to copy the window image to the Windows clipboard. Open Paint (on WinXP, that’s Start → Accessories → Paint, may be the same on Windows Server), and Ctrl-V to paste the image, save as a JPG or GIF file, and post that file here.

Is this VPN going out from your machine to some other server, or is your machine the one that remote client machines are connecting to? The direction can make a difference in what kind of rules to have in place.

Hi,

Thanks for helping. The VPN connection originates from another PC. This PC is used for Internet sharing. Here is the screenshot. You can see I have some leftovers from trying some ports like 50 and 53…

[attachment deleted by admin]

Looks like we’re going to need to restructure your rules a bit. The default CFP rules, which you had as a basis, were set up assuming a single machine connecting thru a modem. Your setup is a bit more complicated.

First, let me make sure that I’m understanding your network, and that it is something like this:

RemotePC ------- Internet --------cablemodem ---------- This PC -------- other PC’s on LAN

where RemotePC is connecting thru a VPN to ThisPC
and
where ThisPC is being used as an Internet Connection Host (a gateway) for other PC’s on your LAN to gain access to the Internet
and
where your connection to the Internet is thru a cable modem

All of that is taken from your postings so far, and what I read from your network rules snapshot.

If that is mostly right, then I’m going to suggest that we take things in stages, make sure the CFP rules are working, and build on those working rules to the next stage.

The first stage then, is to have ThisPC secure your LAN, so your local PCs can see ThisPC and each other and have everything work.

The basic structure of the rules for your LAN is like this (and this replaces all your existing CFP rules)

  1. Allow IP In&Out from zone[MyLAN] to zone[MyLAN]

  2. Allow IP In&Out from zone[MyLAN] to zone[Multicast]

  3. Allow IP Out from zone[MyLAN] to any

  4. Allow ICMP In from any to any where ICMP detail message is “Net Unreachable”

  5. Allow ICMP In from any to any where ICMP detail message is “Port Unreachable”

  6. Allow ICMP In from any to any where ICMP detail message is “Host Unreachable”

  7. Allow ICMP In from any to any where ICMP detail message is “Time Exceeded”

  8. Allow ICMP In from any to any where ICMP detail message is “Fragmentation Needed”

  9. Allow ICMP In from any to any where ICMP detail message is “Protocol Unreachable”

  10. Block&Log IP In from any to any

where zone[MyLAN] is the address range for your LAN. Windows seems to use 192.168.0.0 thru 192.168.0.255 for the Internet Connection Host provided LAN addresses.

Zone[Multicast] covers a special LAN-only broadcast address range from 224.0.0.0 thru 239.255.255.255. It gets used by a lot of networking stuff, including VPNs. Windows networking will also use it, mostly for UPnP devices which you might have in printers and wireless nodes and such.

Note that these 11 rules I’ve outlined above do not provide any VPN support. That’s the next step, after these LAN rules get in place, and known to be working.

Regarding your VPN, you’ve described IPSec. Is this VPN a product (for example, a Cisco VPN server/client package) or the native Windows L2TP/IPSec? Setup can differ among products, and the CFP rules may need to reflect the details.

Hi,

I think I need to clarify the setup.

CorporateVPN ------- Internet --------cablemodem ---------- This PC -------- PC’s on LAN + my work laptop

where CorporateVPN is the destination to be reached from my laptop
and
where ThisPC is being used as an Internet Connection Host (a gateway) for other PC’s on your LAN to gain access to the Internet
and
where your connection to the Internet is thru a cable modem

where my work laptop tries to connect through a VPN to work

Thank you. That considerably simplifies things. To the point that the proposed ruleset that I gave is very close to working. And in fact it may work without any more changes.

So ThisPC is just simply the gateway for packets from your work-laptop to the CorporateVPN. There might be a need to open up just a narrow address range to that server, but I’d want to see what the CFP log has before doing that. Outbound traffic from your laptop is allowed by proposed rule 3. If the CorpVPN server tries to send something back, it might have a problem, and that would get logged.
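An added example, not from the thread or from Comodo: a Python model of the ten-rule LAN ruleset proposed earlier in this thread, evaluated with first-match semantics, so you can check which rule a given packet hits before typing it into CFP. The zones are as the post defines them; the laptop (192.168.0.10), CorpVPN server (203.0.113.5) and gateway public address (198.51.100.20) are hypothetical, taken from documentation address ranges. It also goes one step past the last post and shows inbound ESP (IP protocol 50) landing on the Block&Log rule, which is the “no VPN support yet” point made above.

```python
from ipaddress import ip_address, ip_network

# Zones exactly as the post defines them (constructed model, not Comodo's code).
ZONES = {
    "MyLAN": ip_network("192.168.0.0/24"),   # ICS-provided LAN addresses
    "Multicast": ip_network("224.0.0.0/4"),  # 224.0.0.0 thru 239.255.255.255
}
ANY = ip_network("0.0.0.0/0")

def zone(name):
    return ZONES.get(name, ANY)  # "any" falls through to 0.0.0.0/0

# Rule: (action, protocol, directions, src_zone, dst_zone, icmp_detail_message)
# "IP" matches every IP protocol; "ICMP" matches only ICMP with that detail message.
RULES = [
    ("Allow", "IP", {"In", "Out"}, "MyLAN", "MyLAN", None),        # 1
    ("Allow", "IP", {"In", "Out"}, "MyLAN", "Multicast", None),    # 2
    ("Allow", "IP", {"Out"}, "MyLAN", "any", None),                # 3
    *[("Allow", "ICMP", {"In"}, "any", "any", m) for m in (        # 4-9
        "Net Unreachable", "Port Unreachable", "Host Unreachable",
        "Time Exceeded", "Fragmentation Needed", "Protocol Unreachable")],
    ("Block&Log", "IP", {"In"}, "any", "any", None),               # 10
]

def evaluate(direction, proto, src, dst, icmp_message=None):
    """Walk the ordered list; the first matching rule wins, as in CFP.
    Returns (rule_number, action), or (None, 'no match') if nothing applies."""
    s, d = ip_address(src), ip_address(dst)
    for n, (action, rproto, dirs, sz, dz, msg) in enumerate(RULES, start=1):
        if direction not in dirs or s not in zone(sz) or d not in zone(dz):
            continue
        if rproto == "ICMP" and not (proto == "ICMP" and icmp_message == msg):
            continue
        return n, action
    return None, "no match"

if __name__ == "__main__":
    # Laptop -> CorpVPN is allowed by rule 3; the server's reply to the
    # gateway's public address, and any inbound ESP, hit rule 10 and get logged.
    print(evaluate("Out", "UDP", "192.168.0.10", "203.0.113.5"))
    print(evaluate("In", "UDP", "203.0.113.5", "198.51.100.20"))
    print(evaluate("In", "ESP", "203.0.113.5", "198.51.100.20"))
```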