Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Re: [NETVAERK] iptables, vpn and ipsec - the right subject!!



On Sat, 2005-04-30 at 16:05, Mogens Valentin wrote:
> Frank Vestergaard Pedersen wrote:
> > 
> > Doc Nielsen wrote:
> > 
> >> On 4/30/05, Frank Vestergaard Pedersen <sslug@sslug> wrote:
> >>  
> >>> My problem is that I can't get a WinXP IPsec VPN connection through
> >>> a Linux firewall with NAT, but if I put a SonicWALL (a physical hardware
> >>> firewall) on the same ADSL connection, the VPN connection works
> >>> great!!
> >>>
> >>> The rules I've ended up with, where everything ought to be allowed!! (at
> >>> the moment, for testing) and which still didn't work are these:
> >>>
> >>> iptables -P INPUT ACCEPT
> >>> iptables -P OUTPUT ACCEPT
> >>> iptables -P FORWARD ACCEPT
> >>>
> >>> iptables -t nat -A POSTROUTING -s $INTERNALIP_RANGE -o $EXT_IFACE -j
> >>> SNAT --to $EXTERNALIP
> >>> iptables -A FORWARD -i $INT_IFACE -j ACCEPT
> >>> iptables -A FORWARD -i $EXT_IFACE -j ACCEPT
> >>> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> >>> iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
> >>> --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
> >>>
> >>
> >> What about a couple of VPN lines in the firewall?
> >> iptables -t nat -A PREROUTING -p gre -d $WAN_IP -j DNAT --to $VPN_SERVER
> >> iptables -t nat -A PREROUTING -p tcp --dport 1723 -i $WAN -j DNAT --to
> >> $VPN_SERVER:1723
> 
> bash-2.05b# showportnum 1723
> pptp             1723/udp   pptp 
> 
> pptp             1723/tcp   pptp 
> 
> 
> 
> What does pptp have to do with ipsec - unless MS' ipsec always runs over 
> pptp, or your specific internet connection is over pptp, which is 
> more-than-very possible.
> (unfortunately I haven't set up XP against an ipsec. Only run network-to-network)

XP can run PPTP and L2TP (which they call 'L2TP ipsec VPN')

> 
> 
> > I guess I'll just make a bit of ASCII art....
> > 
> > winXP vpn client <---> linux firewall <---> internet <---> vpn server
> >                                                              and in this 
> > case I presumably don't need to do any DNAT ?
> 
> Which ipsec? Unless the various ipsec implementations are done completely 
> differently, you need to let IKE (port 500), ESP and AH (proto 50 and 51) through.
> You also need to allow NetBIOS if you want to browse through ipsec.
> Well, you're allowing everything anyway...
> Whether you then need to DNAT, hmm, I didn't have any DNAT for ipsec; I did 
> have NAT of other Bits&Pieces though.
> 
> In the docs for the former FreeS/WAN ipsec (it's called something else now) there 
> are iptables examples.
> 
> Tcpdump can show you something about ipsec-related packets while you're running 
> with your SonicWALL...
> Otherwise capture such a session with e.g. nicedump et al. (freshmeat).
-- 
/Kenn
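An added example, not from the thread: a small Python script for the tcpdump comparison suggested above. It tags `tcpdump -n` lines as IKE (UDP 500), ESP or AH (the traffic the reply says must get through) and counts them per direction, so a one-way exchange stands out when a capture behind the Linux firewall is set against one behind the SonicWALL. It also recognises UDP 4500 (IPsec NAT traversal), which the thread does not mention; the client address and capture lines are constructed.

```python
"""Tag IPsec-related `tcpdump -n` lines and count them per direction (added
example, not from the thread; assumes a capture on the firewall's inside side)."""
import re
from collections import Counter

# UDP flows print as "a.b.c.d.port > e.f.g.h.port: ..."; ESP/AH print without
# ports as "a.b.c.d > e.f.g.h: ESP(spi=...)" or "AH(spi=...)".
_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$")

def classify(line):
    """Return (kind, src, dst) for IKE, NAT-T, ESP or AH packets, else None."""
    m = _LINE.match(line)
    if not m:
        return None
    rest, ports = m.group("rest"), (m.group("sport"), m.group("dport"))
    # UDP 4500 is IPsec NAT traversal; the thread only names IKE, ESP and AH.
    kind = ("ESP" if rest.startswith("ESP(") else "AH" if rest.startswith("AH(")
            else "IKE" if "500" in ports else "NAT-T" if "4500" in ports else None)
    return (kind, m.group("src"), m.group("dst")) if kind else None

def summarise(lines, client):
    """Count IPsec packets per (kind, direction) relative to the client address."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            kind, src, _ = hit
            counts[(kind, "out" if src == client else "in")] += 1
    return counts

def missing_replies(counts):
    """Kinds the client sent that never came back: one-way traffic is the NAT symptom."""
    return sorted(k for (k, d) in counts if d == "out" and counts[(k, "in")] == 0)

CLIENT = "192.168.1.10"   # constructed: the XP client behind the Linux NAT box
SAMPLE = [                # constructed capture: IKE completes, ESP gets no answer
    "16:05:01.000001 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident",
    "16:05:01.100001 IP 203.0.113.5.500 > 192.168.1.10.500: isakmp: phase 1 R ident",
    "16:05:01.200001 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 2/others I oakley-quick",
    "16:05:02.000001 IP 192.168.1.10 > 203.0.113.5: ESP(spi=0x00001234,seq=0x1), length 132",
    "16:05:03.000001 IP 192.168.1.10 > 203.0.113.5: ESP(spi=0x00001234,seq=0x2), length 132",
    "16:05:03.100001 IP 192.168.1.10.1025 > 203.0.113.5.53: 12345+ A? example.invalid. (33)",
]

if __name__ == "__main__":
    counts = summarise(SAMPLE, CLIENT)
    print(dict(counts), "no replies for:", missing_replies(counts))
```

Run it against a real capture by replacing SAMPLE with the lines of `tcpdump -n` output; a kind that appears only under "out" is the traffic the firewall is eating.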



Questions about the web-pages to <www_admin>. Last modified 2005-08-10, 22:43 CEST
This page is maintained by MHonArc