[Firewall] Using IPSec (w/o Racoon)

Philip Prindeville philipp_subx at redfish-solutions.com
Sun Jul 13 18:24:21 MDT 2008


I read the FAQ.  Saw:

*Q:* Does your firewall work with IPSEC (Freeswan)?
*A:* YES! :-) Here's how you should do it, it's actually quite easy with my script.
You need to configure the following variables:
- OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
- OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
- TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your gateway/network. You should probably also add "ppp+" but note that this only works if you don't use ppp+ for your external interface (EXT_IF)!
- RP_FILTER=0 # If we don't do this the private external addresses won't be routed into our net

I'm trying to get a statically configured tunnel using setkey (hence not 
using Racoon for dynamic key exchange via DH).

I don't have any interfaces called "ipsec*", and in one case I'm doing 
Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
ppp0 is my EXT_IF.

So, what to do?

How do I get things working in this corner case?

I ran:

tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or ah \)

but didn't see squat...  neither inbound nor outbound.

Has anyone had success with IPSec that could share some pointers?
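The FAQ answer above assumes KLIPS-style ipsec+ interfaces, which the native Linux IPsec stack used with setkey does not create: decapsulated packets show up on the external interface itself, so TRUSTED_IF cannot be used to trust them. The following is an added example, not the FAQ author's firewall script and not something the poster ran; it prints the netfilter rules for that situation so they can be reviewed before being applied. It opens protocols 50/51 and UDP 500/4500 from the peer only, and uses the kernel's policy match (iptables -m policy, xt_policy) to accept traffic only when the kernel confirms it arrived or will leave under an ESP tunnel-mode policy with the expected peer. The interface name ppp0, the peer address and the remote subnet are constructed values.

```shell
#!/bin/sh
# Added example (not from the Firewall list post or the FAQ author's script).
# Emits iptables rules for a statically keyed (setkey) IPsec tunnel on a
# firewall that has no ipsec+ interface and whose external interface may be
# ppp0. Rules are printed rather than applied so they can be reviewed
# offline or piped to sh once checked.

# Print the rules for one external interface and one remote peer.
# $1 = external interface, $2 = peer public address, $3 = remote protected subnet
ipsec_rules() {
    ext_if=$1; peer=$2; remote_net=$3
    cat <<EOF
# IKE and NAT-T from the peer only (unused by setkey, harmless if racoon is absent)
iptables -A INPUT -i $ext_if -p udp -s $peer --dport 500 -j ACCEPT
iptables -A INPUT -i $ext_if -p udp -s $peer --dport 4500 -j ACCEPT
# ESP (50) and AH (51) from the peer only
iptables -A INPUT -i $ext_if -p esp -s $peer -j ACCEPT
iptables -A INPUT -i $ext_if -p ah -s $peer -j ACCEPT
# Decapsulated packets arrive on $ext_if, not on ipsec+: accept them only when
# the kernel confirms they were protected by an ESP tunnel from the peer
iptables -A INPUT -i $ext_if -s $remote_net -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $peer -j ACCEPT
iptables -A FORWARD -i $ext_if -s $remote_net -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src $peer -j ACCEPT
# Plaintext bound for the remote subnet is matched before encapsulation;
# let it through only if an outbound IPsec policy to the peer applies
iptables -A OUTPUT -o $ext_if -d $remote_net -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst $peer -j ACCEPT
iptables -A FORWARD -o $ext_if -d $remote_net -m policy --dir out --pol ipsec --proto esp --mode tunnel --tunnel-dst $peer -j ACCEPT
# Tunnelled source addresses fail the strict reverse-path check on $ext_if
echo 0 > /proc/sys/net/ipv4/conf/$ext_if/rp_filter
EOF
}

# Number of iptables rules emitted for the given arguments (self-check helper)
rule_count() {
    ipsec_rules "$@" | grep -c '^iptables '
}

# Constructed sample values: ppp0 as EXT_IF, documentation-range peer and subnet
ipsec_rules ppp0 198.51.100.2 10.2.0.0/24
```

Without a TRUSTED_IF to lean on, the policy match is what stops a plain, unencrypted packet that merely claims a source in the remote subnet from being accepted; the tcpdump filter in the post (esp, ah, udp 500/4500 on ppp0) is still the right way to confirm whether ESP is leaving the box at all once the SPD entries from setkey are loaded.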
