[Firewall] Using IPSec (w/o Racoon)

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Mon Jul 14 08:54:53 MDT 2008


What kind of IPsec implementation are you using? Freeswan, Racoon or 
something else? The FAQ is a little outdated, and this explanation only 
works with Freeswan (which is obsolete AFAIK).

a.

Philip Prindeville wrote:
> Hi.
> 
> I read the FAQ.  Saw:
> 
> *Q:* Does your firewall work with IPSEC (Freeswan)?
> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
> my script.
> You need to configure the following variables:
> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
> gateway/network. You should probably also add "ppp+" but note that this 
> only works if you don't use ppp+ for your external interface (EXT_IF)!
> - RP_FILTER=0 # If we don't do this the private external addresses won't 
> be routed into our net
> 
> I'm trying to get a statically configured tunnel using setkey (hence not 
> using Racoon for dynamic key exchange via DH).
> 
> I don't have any interfaces called "ipsec*", and in one case I'm doing 
> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
> ppp0 is my EXT_IF.
> 
> So, what to do?
> 
> How do I get things working in this corner case?
> 
> I ran:
> 
> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or 
> ah \)
> 
> but didn't see squat...  neither inbound nor outbound.
> 
> Has anyone had success with IPSec that could share some pointers?
> 
> Thanks,
> 
> -Philip
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at lists.btito.net
> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
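As an added example (mine, not from the list thread or from Arno's firewall script), the following checks a config file against the four variables the quoted FAQ names for IPsec, including the caveat that a TRUSTED_IF pattern such as ppp+ must not also match EXT_IF, which is exactly Philip's ppp0 case. The sample config and the function names (parse_config, ipsec_problems, iface_matches) are constructed here.

```python
import re
import shlex

# Constructed sample config using the FAQ's values, with Philip's case of
# ppp0 as the external interface (not a real config from Arno's firewall).
SAMPLE_CONFIG = """\
EXT_IF="ppp0"
OPEN_IP="50 51"          # 50 = ESP protocol, 51 = AH protocol
OPEN_UDP="500 4500"      # 500 = IKE, 4500 = NAT traversal (optional)
TRUSTED_IF="ipsec+ ppp+"
RP_FILTER=1
"""

def iface_matches(pattern: str, name: str) -> bool:
    """iptables interface wildcard: a trailing '+' matches any suffix."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name

def parse_config(text: str) -> dict:
    """Read VAR="value"  # comment lines from a shell-style config."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Z_]+)=(.*)$", line)
        if m:
            # shlex removes the quotes and drops the trailing comment
            conf[m.group(1)] = " ".join(shlex.split(m.group(2), comments=True))
    return conf

def ipsec_problems(conf: dict) -> list:
    """List the FAQ prerequisites for IPsec that this config does not meet."""
    problems = []
    open_ip = conf.get("OPEN_IP", "").split()
    for proto, name in (("50", "ESP"), ("51", "AH")):
        if proto not in open_ip:
            problems.append(f"OPEN_IP does not open IP protocol {proto} ({name})")
    if "500" not in conf.get("OPEN_UDP", "").split():
        problems.append("OPEN_UDP does not open port 500 (IKE)")
    if conf.get("RP_FILTER") != "0":
        problems.append("RP_FILTER must be 0 so private addresses are routed in")
    ext_if = conf.get("EXT_IF", "")
    for pattern in conf.get("TRUSTED_IF", "").split():
        # The FAQ caveat: a TRUSTED_IF pattern must not cover EXT_IF itself
        if ext_if and iface_matches(pattern, ext_if):
            problems.append(f"TRUSTED_IF pattern {pattern} also matches EXT_IF {ext_if}")
    return problems
```

For the sample above the check reports two problems: RP_FILTER is not 0, and the ppp+ pattern in TRUSTED_IF also matches the ppp0 external interface.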
