[Firewall] Using IPSec (w/o Racoon)

Philip Prindeville philipp_subx at redfish-solutions.com
Tue Jul 15 14:32:29 MDT 2008


I'm hoping to get automagic creation of IPSec tunnels into the next 
release of Astlinux, but this is a showstopper on that capability.

Let me know if you have some time to stare at this issue some.  I can 
run tests.

Thanks,

-Philip


Arno van Amersfoort wrote:
> What kind of IPsec implementation are you using? Freeswan, Racoon or 
> something else. The FAQ is a little outdated, and this explanation only 
> works with Freeswan (which is obsolete AFAIK).
>
> a.
>
> Philip Prindeville wrote:
>
>> Hi.
>>
>> I read the FAQ.  Saw:
>>
>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
>> my script.
>> You need to configure the following variables:
>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
>> gateway/network. You should probably also add "ppp+" but note that this 
>> only works if you don't use ppp+ for your external interface (EXT_IF)!
>> - RP_FILTER=0 # If we don't do this the private external addresses won't 
>> be routed into our net
>>
>> I'm trying to get a statically configured tunnel using setkey (hence not 
>> using Racoon for dynamic key exchange via DH).
>>
>> I don't have any interfaces called "ipsec*", and in one case I'm doing 
>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
>> ppp0 is my EXT_IF.
>>
>> So, what to do?
>>
>> How do I get things working in this corner case?
>>
>> I ran:
>>
>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or 
>> ah \)
>>
>> but didn't see squat...  neither inbound nor outbound.
>>
>> Has anyone had success with IPSec that could share some pointers?
>>
>> Thanks,
>>
>> -Philip
>>
>>
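The statically keyed setup the thread is about, as an added example that is not code from the thread, from Astlinux, or from Arno's firewall script. With the kernel's native IPsec stack, which setkey drives, there is no ipsec* interface: decrypted packets emerge on the physical interface they arrived on, so TRUSTED_IF="ipsec+" matches nothing and the firewall has to accept the ESP/AH protocols on EXT_IF itself. The script below renders, without applying, what the FAQ's OPEN_IP, OPEN_UDP and RP_FILTER variables amount to in plain iptables/sysctl terms, plus a setkey configuration for one manually keyed ESP tunnel. The function names, the interface name ppp0, the addresses, SPIs and keys are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Arno's firewall script.  It renders,
# without applying, the three pieces a manually keyed (setkey, no racoon) IPsec tunnel
# needs behind an iptables firewall:
#   1. the INPUT rules that the FAQ's OPEN_IP="50 51" / OPEN_UDP="500 4500" stand for
#   2. the rp_filter sysctl that the FAQ's RP_FILTER=0 stands for
#   3. a setkey(8) configuration with one ESP tunnel SA per direction
# Interface name, addresses, SPIs and keys below are constructed placeholders.

# 1. Accept ESP (50), AH (51), IKE (udp/500) and NAT-T (udp/4500) on the external
#    interface.  Only INPUT is rendered; a real ruleset also has to cover FORWARD.
render_firewall_rules() {
    ext_if="$1" open_ip="$2" open_udp="$3"
    for proto in $open_ip; do
        printf 'iptables -A INPUT -i %s -p %s -j ACCEPT\n' "$ext_if" "$proto"
    done
    for port in $open_udp; do
        printf 'iptables -A INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$ext_if" "$port"
    done
}

# 2. With rp_filter on, packets that decrypt to a private source address arriving on
#    the external interface fail the reverse-path check and are dropped silently.
render_rp_filter() {
    printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$1"
}

# Check a setkey hex key: "0x" followed by exactly 2*nbytes hex digits.  setkey
# rejects wrong-length keys, so catch that before loading the configuration.
hex_key_ok() {
    key="$1" nbytes="$2"
    case "$key" in 0x*) body="${key#0x}" ;; *) return 1 ;; esac
    [ "${#body}" -eq $((2 * nbytes)) ] || return 1
    case "$body" in *[!0-9a-fA-F]*) return 1 ;; esac
    return 0
}

# 3. Manually keyed ESP tunnel.  No IKE means no DH and no rekeying: the keys are
#    literal in this file, so it must be root-only and the keys rotated by hand.
#    Arguments: local gw, remote gw, local LAN, remote LAN, outbound SPI, inbound SPI.
#    Keys come from ENC_KEY_OUT/ENC_KEY_IN (aes-cbc, 16 bytes) and
#    AUTH_KEY_OUT/AUTH_KEY_IN (hmac-sha1, 20 bytes); generate real ones with
#    "openssl rand -hex 16" and "openssl rand -hex 20".
render_setkey_conf() {
    lgw="$1" rgw="$2" llan="$3" rlan="$4" spi_out="$5" spi_in="$6"
    hex_key_ok "$ENC_KEY_OUT" 16 && hex_key_ok "$ENC_KEY_IN" 16 &&
    hex_key_ok "$AUTH_KEY_OUT" 20 && hex_key_ok "$AUTH_KEY_IN" 20 || {
        echo "render_setkey_conf: bad key length or format" >&2
        return 1
    }
    cat <<EOF
flush;
spdflush;
# One SA per direction, each with its own SPI and its own keys.
add $lgw $rgw esp $spi_out -m tunnel -E aes-cbc $ENC_KEY_OUT -A hmac-sha1 $AUTH_KEY_OUT;
add $rgw $lgw esp $spi_in -m tunnel -E aes-cbc $ENC_KEY_IN -A hmac-sha1 $AUTH_KEY_IN;
# Policies: LAN-to-LAN traffic must use the tunnel in both directions.
spdadd $llan $rlan any -P out ipsec esp/tunnel/$lgw-$rgw/require;
spdadd $rlan $llan any -P in ipsec esp/tunnel/$rgw-$lgw/require;
EOF
}

# Demo with placeholder values (RFC 5737 documentation addresses, pattern keys).
demo() {
    ENC_KEY_OUT=0x00112233445566778899aabbccddeeff            # placeholder, not a real key
    ENC_KEY_IN=0xffeeddccbbaa99887766554433221100             # placeholder, not a real key
    AUTH_KEY_OUT=0x0102030405060708090a0b0c0d0e0f1011121314   # placeholder, not a real key
    AUTH_KEY_IN=0x1415161718191a1b1c1d1e1f2021222324252627    # placeholder, not a real key
    render_firewall_rules ppp0 "50 51" "500 4500"
    render_rp_filter ppp0
    render_setkey_conf 203.0.113.1 198.51.100.1 10.0.0.0/24 10.1.0.0/24 0x1001 0x1002
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to print all three pieces; the setkey part can be redirected to a file and loaded with `setkey -f`. The key-length check is there because a mistyped key is the usual reason a hand-written SA silently never comes up, which then looks exactly like the "no ESP on the wire" symptom described above.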