[Firewall] Using IPSec (w/o Racoon)
Arno van Amersfoort
arnova at rocky.eld.leidenuniv.nl
Wed Jul 16 09:14:11 MDT 2008
I just checked it and in principle the Racoon Plugin should accomplish
what you want...
Philip Prindeville wrote:
> It's Linux, obviously... Astlinux 0.5, so:
> Linux 2.6.20
> IPSec-tools-0.7 (KAME ported to Linux)
> Iptables 1.3.8
> and your firewall 1.8.8n (well, mostly 'o', really... just short 2 patches).
> It's an ESP tunnel with manually configured static keys.
> Arno van Amersfoort wrote:
>> What kind of IPsec implementation are you using? Freeswan, Racoon or
>> something else. The FAQ is a little outdated, and this explanation only
>> works with Freeswan (which is obsolete AFAIK).
>> Philip Prindeville wrote:
>>> I read the FAQ. Saw:
>>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with
>>> my script.
>>> You need to configure the following variables:
>>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your
>>> gateway/network. You should probably also add "ppp+" but note that this
>>> only works if you don't use ppp+ for your external interface (EXT_IF)!
>>> - RP_FILTER=0 # If we don't do this the private external addresses won't
>>> be routed into our net
>>> I'm trying to get a statically configured tunnel using setkey (hence not
>>> using Racoon for dynamic key exchange via DH).
>>> I don't have any interfaces called "ipsec*", and in one case I'm doing
>>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my
>>> ppp0 is my EXT_IF.
>>> So, what to do?
>>> How do I get things working in this corner case?
>>> I ran:
>>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or ah \)
>>> but didn't see squat... neither inbound nor outbound.
>>> Has anyone had success with IPSec that could share some pointers?
>>> Firewall mailing list
>>> Firewall at lists.btito.net
>>> Arno's (Linux IPTABLES Firewall) Homepage:
Arno van Amersfoort
E-mail : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
Arno's (Linux IPTABLES Firewall) Homepage:
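Added example (not Arno's firewall script and not posted in this thread): an iptables rule set for the case Philip describes, native Linux IPsec keyed by setkey with no "ipsec+" device, where decrypted packets re-enter on EXT_IF and TRUSTED_IF="ipsec+" can never match them; it uses the iptables policy match (the xt_policy module, in Linux 2.6 kernels from 2.6.16 on) so only traffic that really came out of the SA is accepted, and it limits OPEN_IP/OPEN_UDP equivalents to the peer. Interface, peer and network values are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Arno's firewall script and not from this thread.
# Native Linux 2.6 IPsec (KAME/setkey, manual keys) has no "ipsec+" device:
# decrypted packets re-enter on EXT_IF, so TRUSTED_IF="ipsec+" cannot match
# them. Instead the xt_policy match accepts only traffic the kernel actually
# received through (or will send through) an IPsec SA.
# All addresses below are assumed placeholders. RUN=echo (default) prints the
# commands as a dry run; RUN="" executes them (needs root).
RUN="${RUN-echo}"
EXT_IF="${EXT_IF:-ppp0}"
PEER="${PEER:-192.0.2.1}"               # remote tunnel endpoint
REMOTE_NET="${REMOTE_NET:-10.1.0.0/16}"  # network behind the peer
LOCAL_NET="${LOCAL_NET:-10.0.0.0/16}"    # network behind this gateway

# Tunnel envelope: ESP (50), AH (51), IKE/NAT-T (UDP 500/4500), peer only.
ipsec_peer_rules() {
    for proto in 50 51; do
        $RUN iptables -A INPUT  -i "$EXT_IF" -s "$PEER" -p "$proto" -j ACCEPT
        $RUN iptables -A OUTPUT -o "$EXT_IF" -d "$PEER" -p "$proto" -j ACCEPT
    done
    for port in 500 4500; do
        $RUN iptables -A INPUT  -i "$EXT_IF" -s "$PEER" -p udp --dport "$port" -j ACCEPT
        $RUN iptables -A OUTPUT -o "$EXT_IF" -d "$PEER" -p udp --dport "$port" -j ACCEPT
    done
}

# Tunnel payload: the private inner addresses are accepted only when the
# packet was decapsulated from (or will be encapsulated into) this SA, so
# cleartext spoofed with REMOTE_NET sources on EXT_IF stays blocked.
ipsec_payload_rules() {
    in_pol="-m policy --dir in --pol ipsec --mode tunnel --proto esp --tunnel-src $PEER"
    out_pol="-m policy --dir out --pol ipsec --mode tunnel --proto esp --tunnel-dst $PEER"
    $RUN iptables -A INPUT   -i "$EXT_IF" -s "$REMOTE_NET" $in_pol -j ACCEPT
    $RUN iptables -A FORWARD -i "$EXT_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" $in_pol -j ACCEPT
    $RUN iptables -A FORWARD -o "$EXT_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" $out_pol -j ACCEPT
    $RUN iptables -A OUTPUT  -o "$EXT_IF" -d "$REMOTE_NET" $out_pol -j ACCEPT
}

# RP_FILTER=0 on EXT_IF only: the decapsulated packets carry private sources
# that the reverse-path check would otherwise drop.
rp_filter_off() {
    $RUN sysctl -w "net.ipv4.conf.$EXT_IF.rp_filter=0"
}

apply_ipsec_firewall() { ipsec_peer_rules; ipsec_payload_rules; rp_filter_off; }
apply_ipsec_firewall
```

If `setkey -D` shows no SA or `setkey -DP` shows no policy for the two networks, nothing will ever be matched by `-m policy` or show up as ESP in the tcpdump above, which is the first thing to check when a manually keyed tunnel sees no traffic at all.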