[Firewall] Using IPSec (w/o Racoon)

Jeff Welling jeff.welling at gmail.com
Wed Jul 16 12:56:06 MDT 2008


I had trouble getting IPSec to work through NATs, I kept getting an 
error along the lines of 'packet too small, retransmitting'.  When there 
was no NAT involved it worked like a charm though.  I was not able to 
pin down the cause of that error message.

Cheers,
Jeff.

Philip Prindeville wrote:
> I'm hoping to get automagic creation of IPSec tunnels into the next 
> release of Astlinux, but this is a showstopper on that capability.
>
> Let me know if you have some time to stare at this issue some.  I can 
> run tests.
>
> Thanks,
>
> -Philip
>
>
> Arno van Amersfoort wrote:
>> What kind of IPsec implementation are you using? Freeswan, Racoon or 
>> something else. The FAQ is a little outdated, and this explanation only 
>> works with Freeswan (which is obsolete AFAIK).
>>
>> a.
>>
>> Philip Prindeville wrote:
>>> Hi.
>>>
>>> I read the FAQ.  Saw:
>>>
>>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
>>> my script.
>>> You need to configure the following variables:
>>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
>>> gateway/network. You should probably also add "ppp+" but note that this 
>>> only works if you don't use ppp+ for your external interface (EXT_IF)!
>>> - RP_FILTER=0 # If we don't do this the private external addresses won't 
>>> be routed into our net
>>>
>>> I'm trying to get a statically configured tunnel using setkey (hence not 
>>> using Racoon for dynamic key exchange via DH).
>>>
>>> I don't have any interfaces called "ipsec*", and in one case I'm doing 
>>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
>>> ppp0 is my EXT_IF.
>>>
>>> So, what to do?
>>>
>>> How do I get things working in this corner case?
>>>
>>> I ran:
>>>
>>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or ah \)
>>>
>>> but didn't see squat...  neither inbound nor outbound.
>>>
>>> Has anyone had success with IPSec that could share some pointers?
>>>
>>> Thanks,
>>>
>>> -Philip
>>>
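The tcpdump filter in the thread selects exactly the traffic the FAQ variables open up: IP protocols 50 (ESP) and 51 (AH) via OPEN_IP, and UDP ports 500 (IKE) and 4500 (NAT traversal) via OPEN_UDP. The following added example, which is not code from this thread or from Arno's firewall, is a small classifier that decodes constructed IPv4 packets the same way and reports which of those settings must admit each one. On port 4500 it applies the RFC 3948 rules (a lone 0xFF byte is a NAT keepalive, four zero bytes mark IKE, anything else is UDP-encapsulated ESP whose first four bytes are the SPI), which is what a NAT-traversing tunnel looks like on the wire when ESP itself cannot pass the NAT. The packet builders, addresses and SPIs are constructed test data; the "admitted_by" labels are this example's own shorthand for the FAQ variables.

```python
"""Classify IPsec-related IPv4 packets as the thread's tcpdump filter would.

Added example, not part of the mailing-list thread or of Arno's firewall.
All packets below are constructed in-process; real input would come from a pcap.
"""
import struct
import ipaddress

# Protocol numbers and ports matching the FAQ settings quoted in the thread:
# OPEN_IP="50 51" (ESP, AH) and OPEN_UDP="500 4500" (IKE, NAT traversal).
IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NATT_PORT = 500, 4500


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    """Constructed UDP header (checksum zero) plus data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def ike_kind(data):
    """Read the major version nibble from a raw IKE header (byte 17)."""
    if len(data) < 28:
        return "IKE (truncated header)"
    major = data[17] >> 4
    return f"IKEv{major}" if major in (1, 2) else f"IKE (unknown version {major})"


def classify(pkt):
    """Return (kind, admitted_by) for one IPv4 packet.

    admitted_by names the FAQ firewall variable that must let the packet
    through, or None when the packet is not IPsec-related at all.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ("not IPv4", None)
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi = struct.unpack("!I", payload[:4])[0]          # ESP: SPI, then sequence
        return (f"ESP spi=0x{spi:08x}", "OPEN_IP=50")
    if proto == IPPROTO_AH and len(payload) >= 12:
        spi = struct.unpack("!I", payload[4:8])[0]         # AH: SPI follows 4 header bytes
        return (f"AH spi=0x{spi:08x}", "OPEN_IP=51")
    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:ulen]
        if IKE_PORT in (sport, dport):
            return (ike_kind(data), "OPEN_UDP=500")
        if NATT_PORT in (sport, dport):
            # RFC 3948: 0xFF alone is a NAT keepalive; a four-zero-byte non-ESP
            # marker precedes IKE; otherwise the datagram is ESP and starts with
            # its SPI (SPI zero is reserved, so the two never collide).
            if data == b"\xff":
                return ("NAT-T keepalive", "OPEN_UDP=4500")
            if data[:4] == b"\x00\x00\x00\x00":
                return (ike_kind(data[4:]) + " over NAT-T", "OPEN_UDP=4500")
            if len(data) >= 8:
                spi = struct.unpack("!I", data[:4])[0]
                return (f"UDP-encapsulated ESP spi=0x{spi:08x}", "OPEN_UDP=4500")
    return ("not IPsec", None)


def summarize(packets):
    """Count packets per kind, collapsing per-SPI detail so tunnels group together."""
    counts = {}
    for p in packets:
        kind, _ = classify(p)
        key = kind.split(" spi=")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic between two made-up documentation addresses.
SRC, DST = "192.0.2.1", "198.51.100.1"
IKEV1_HDR = struct.pack("!QQBBBBII", 0x1122, 0, 33, 0x10, 2, 0, 0, 28)
IKEV2_HDR = struct.pack("!QQBBBBII", 0x3344, 0, 33, 0x20, 34, 0x08, 0, 28)
SAMPLE_PACKETS = [
    build_ipv4(SRC, DST, IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 16),
    build_ipv4(SRC, DST, IPPROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x2000, 1) + b"\x00" * 12),
    build_ipv4(SRC, DST, IPPROTO_UDP, build_udp(500, 500, IKEV1_HDR)),
    build_ipv4(SRC, DST, IPPROTO_UDP, build_udp(4500, 4500, b"\x00" * 4 + IKEV2_HDR)),
    build_ipv4(SRC, DST, IPPROTO_UDP, build_udp(4500, 4500, struct.pack("!II", 0x3000, 7) + b"\x00" * 16)),
    build_ipv4(SRC, DST, IPPROTO_UDP, build_udp(4500, 4500, b"\xff")),
    build_ipv4(SRC, DST, IPPROTO_UDP, build_udp(53000, 53, b"\x00" * 12)),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(classify(p))
    print(summarize(SAMPLE_PACKETS))
```

Running the module prints one line per constructed packet, showing that a NAT-traversing tunnel carries both IKE and ESP on UDP 4500 while the plain DNS packet matches none of the FAQ settings; a capture with no ESP/AH or UDP 4500 at all, as in the thread, means the SAs were never negotiated or installed rather than that the firewall dropped them.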