Skåne Sjælland Linux User Group - http://www.sslug.dk

Re: [NETVAERK] iptables, vpn and ipsec - the right subject!!



Frank Vestergaard Pedersen wrote:

Doc Nielsen wrote:


On 4/30/05, Frank Vestergaard Pedersen <sslug@sslug> wrote:
My problem is that I can't get a WinXP IPsec VPN connection through a
Linux firewall with NAT, but if I put a SonicWall (a physical hardware
firewall) on the same ADSL connection, the VPN connection works fine!!

The rules I ended up with, where you should be able to do anything!! (at
the time of testing) and which still didn't work, are these:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -t nat -A POSTROUTING -s $INTERNALIP_RANGE -o $EXT_IFACE -j SNAT --to $EXTERNALIP
iptables -A FORWARD -i $INT_IFACE -j ACCEPT
iptables -A FORWARD -i $EXT_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "


What about a couple of VPN lines in the firewall?

iptables -t nat -A PREROUTING -p gre -d $WAN_IP -j DNAT --to $VPN_SERVER
iptables -t nat -A PREROUTING -p tcp --dport 1723 -i $WAN -j DNAT --to $VPN_SERVER:1723

bash-2.05b# showportnum 1723
pptp 1723/udp pptp
pptp 1723/tcp pptp



What does pptp have to do with ipsec - unless MS' ipsec always runs over pptp, or your particular internet connection is over pptp, which is more-than-very possible.
(unfortunately I haven't set up XP against ipsec. Only run network-network)



I think I'll just make a bit of ASCII art....

winXP vpn-klient <---> linux firewall <---> internet <---> vpn server
and in this case I shouldn't need to do any DNAT, should I?

Which ipsec? Unless the various ipsec implementations differ completely, you need to let IKE (port 500), ESP and AH (proto 50 and 51) through.
You also need to allow netbios if you want to browse through ipsec.
Well, you're allowing everything anyway...
Whether you then need to DNAT, hmm, I didn't have any DNAT for ipsec; I did have NAT of other odds and ends, though.


In the docs for the former FreeS/WAN ipsec (it's called something else now) there are iptables examples.

Tcpdump can show you something about ipsec-related packets while you're running with your sonicwall...
Otherwise capture such a session with e.g. nicedump et al. (freshmeat).


--
Kind regards,
Mogens Valentin
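A worked version of the pass-through rules Mogens lists above (IKE on UDP 500, ESP as IP protocol 50, AH as IP protocol 51), written as an added example for this archive; it is not code from the thread. Interface names and the optional dry-run command argument are assumptions, and it goes one step past the thread by also passing UDP 4500, which IKE switches to (NAT traversal, NAT-T) when it detects a NAT such as the SNAT in Frank's ruleset.

```shell
#!/bin/sh
# Added example, not from the thread. Interface names are assumptions.
# Usage: ipsec_passthrough_rules LAN_IFACE WAN_IFACE [CMD]
# CMD defaults to iptables; pass "echo" to print the rules (dry run).
ipsec_passthrough_rules() {
    [ $# -ge 2 ] || { echo "usage: ipsec_passthrough_rules LAN WAN [CMD]" >&2; return 2; }
    lan="$1"; wan="$2"; ipt="${3:-iptables}"

    # IKE negotiation: UDP 500, client -> gateway. Replies come back
    # through the ESTABLISHED,RELATED rule below.
    "$ipt" -A FORWARD -i "$lan" -o "$wan" -p udp --dport 500 -j ACCEPT

    # NAT-T (beyond the thread): IKE detects the NAT and moves to UDP 4500,
    # wrapping ESP in UDP so the SNAT has port numbers to rewrite and track.
    "$ipt" -A FORWARD -i "$lan" -o "$wan" -p udp --dport 4500 -j ACCEPT

    # ESP (proto 50) and AH (proto 51) are IP protocols, not TCP/UDP ports:
    # match them with -p esp / -p ah, never with --dport.
    # Caveat: AH authenticates the IP header, so SNAT rewriting the source
    # address breaks it; raw ESP has no ports, so one SNAT address can carry
    # only one ESP client at a time. NAT-T sidesteps both problems.
    for proto in esp ah; do
        "$ipt" -A FORWARD -i "$lan" -o "$wan" -p "$proto" -j ACCEPT
        "$ipt" -A FORWARD -i "$wan" -o "$lan" -p "$proto" -j ACCEPT
    done

    # Return traffic for the UDP flows above.
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry run: print the rules for an assumed eth0 (LAN) / ppp0 (ADSL) router.
ipsec_passthrough_rules eth0 ppp0 echo
```

Run it without the third argument on the router itself to load the rules; with Frank's default-ACCEPT policies they change nothing, but with a DROP policy on FORWARD they are the minimum an IPsec client behind the NAT needs.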

Last modified 2005-08-10, 22:43 CEST