[Firewall] Using IPSec (w/o Racoon)
philipp_subx at redfish-solutions.com
Sun Jul 13 18:24:21 MDT 2008
I read the FAQ. Saw:
*Q:* Does your firewall work with IPSEC (Freeswan)?
*A:* YES! :-) Here's how you should do it, it's actually quite easy with
You need to configure the following variables:
- OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
- OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
- TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your
gateway/network. You should probably also add "ppp+" but note that this
only works if you don't use ppp+ for your external interface (EXT_IF)!
- RP_FILTER=0 # If we don't do this the private external addresses won't
be routed into our net
I'm trying to get a statically configured tunnel using setkey (hence not
using Racoon for dynamic key exchange via DH).
I don't have any interfaces called "ipsec*", and in one case I'm doing
Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my
ppp0 is my EXT_IF.
So, what to do?
How do I get things working in this corner case?
tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or
but didn't see squat... neither inbound nor outbound.
Has anyone had success with IPSec that could share some pointers?
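Added example (not from the post, the FAQ, or the firewall scripts): a manually keyed ESP tunnel for the native kernel IPsec stack (setkey, no racoon) between two gateways, plus the netfilter rules that replace the FAQ's TRUSTED_IF="ipsec+" trick. With the native stack there is no ipsec0 device: decrypted packets appear on EXT_IF itself, so the rules match them with the `policy` module instead of by interface. Addresses, network prefixes, SPIs and the interface name are constructed placeholders; keys are generated from /dev/urandom when the script runs and must be copied to the peer, whose SAs are the mirror image of these.

```shell
#!/bin/sh
# Static IPsec (setkey only) + iptables for a gateway without ipsec+ interfaces.
# Everything below the comment block is constructed for this example.
# Run with --apply as root to load it; without arguments it just prints
# the setkey and iptables configuration it would apply.

EXT_IF=ppp0                 # external interface (ppp0 or a metro-ethernet port)
LOCAL_GW=192.0.2.1          # our external address
REMOTE_GW=198.51.100.1      # peer's external address
LOCAL_NET=10.1.0.0/24       # network behind us
REMOTE_NET=10.2.0.0/24      # network behind the peer
SPI_OUT=0x1001              # SPI for our outbound SA (peer's inbound)
SPI_IN=0x1002               # SPI for our inbound SA (peer's outbound)

# gen_key N: N random bytes as a 0x-prefixed hex string (setkey key format).
gen_key() {
    printf '0x%s' "$(head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n')"
}

# One key pair per direction; never reuse a key for both SAs.
ENC_KEY_OUT=$(gen_key 16)   # aes-cbc 128 bit
AUTH_KEY_OUT=$(gen_key 20)  # hmac-sha1 160 bit
ENC_KEY_IN=$(gen_key 16)
AUTH_KEY_IN=$(gen_key 20)

# gen_setkey: SA and SPD entries in setkey(8) syntax.
gen_setkey() {
    cat <<EOF
flush;
spdflush;

# Manually keyed Security Associations, one per direction, tunnel mode.
add $LOCAL_GW $REMOTE_GW esp $SPI_OUT -m tunnel -E aes-cbc $ENC_KEY_OUT -A hmac-sha1 $AUTH_KEY_OUT;
add $REMOTE_GW $LOCAL_GW esp $SPI_IN -m tunnel -E aes-cbc $ENC_KEY_IN -A hmac-sha1 $AUTH_KEY_IN;

# Security Policies: traffic between the two networks must use the tunnel.
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# gen_iptables: firewall rules for the tunnel. No IKE/NAT-T ports are
# opened because keys are static; add udp 500/4500 only if racoon is used.
gen_iptables() {
    cat <<EOF
# The ESP carrier itself, only from the configured peer.
iptables -A INPUT -i $EXT_IF -p esp -s $REMOTE_GW -d $LOCAL_GW -j ACCEPT
# Decrypted packets are delivered on $EXT_IF, not on an ipsec+ device,
# so accept them by IPsec policy, restricted to the tunnel's endpoints.
iptables -A INPUT -i $EXT_IF -m policy --dir in --pol ipsec --proto esp --mode tunnel -s $REMOTE_NET -j ACCEPT
iptables -A FORWARD -i $EXT_IF -m policy --dir in --pol ipsec --proto esp --mode tunnel -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
iptables -A FORWARD -o $EXT_IF -m policy --dir out --pol ipsec --proto esp --mode tunnel -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
# Traffic about to be encapsulated must not be masqueraded first.
iptables -t nat -I POSTROUTING -o $EXT_IF -m policy --dir out --pol ipsec -j ACCEPT
# As in the FAQ: private source addresses arriving on $EXT_IF would otherwise
# fail the reverse-path check.
sysctl -w net.ipv4.conf.$EXT_IF.rp_filter=0
EOF
}

case "${1:-}" in
    --apply)
        gen_setkey | setkey -c
        gen_iptables | sh -e
        ;;
    *)
        echo "# setkey configuration:"; gen_setkey
        echo "# firewall rules:"; gen_iptables
        ;;
esac
```

After applying, `setkey -D` lists the two SAs and `setkey -DP` the two policies; the peer needs the same keys with `add`/`spdadd` source and destination swapped. Because `sh` prints the generated keys to stdout, run it in a session whose output is not logged.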