[Firewall] Using IPSec (w/o Racoon)

Philip Prindeville philipp_subx at redfish-solutions.com
Wed Jul 16 15:53:49 MDT 2008


Ok.  So if I enable the plugin, do I still need to add:

OPEN_UDP="... 500 4500 ..."
OPEN_IP="... 50 51"

or does the plug-in take care of this for me?

-Philip


Arno van Amersfoort wrote:
> I just checked it and in principle the Racoon Plugin should accomplish 
> what you want...
>
> a.
>
> Philip Prindeville wrote:
>   
>> It's Linux, obviously... Astlinux 0.5, so:
>>
>> Linux 2.6.20
>> IPSec-tools-0.7 (KAME ported to Linux)
>> Iptables 1.3.8
>>
>> and your firewall 1.8.8n (well, mostly 'o', really... just short 2 patches).
>>
>> It's an ESP tunnel with manually configured static keys.
>>
>> -Philip
>>
>>
>> Arno van Amersfoort wrote:
>>     
>>> What kind of IPsec implementation are you using? Freeswan, Racoon or 
>>> something else. The FAQ is a little outdated, and this explanation only 
>>> works with Freeswan (which is obsolete AFAIK).
>>>
>>> a.
>>>
>>> Philip Prindeville wrote:
>>>   
>>>       
>>>> Hi.
>>>>
>>>> I read the FAQ.  Saw:
>>>>
>>>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>>>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
>>>> my script.
>>>> You need to configure the following variables:
>>>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>>>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>>>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
>>>> gateway/network. You should probably also add "ppp+" but note that this 
>>>> only works if you don"t use ppp+ for your external interface (EXT_IF)!
>>>> - RP_FILTER=0 # If we don't do this the private external addresses won't 
>>>> be routed into our net
>>>>
>>>> I'm trying to get a statically configured tunnel using setkey (hence not 
>>>> using Racoon for dynamic key exchange via DH).
>>>>
>>>> I don't have any interfaces called "ipsec*", and in one case I'm doing 
>>>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
>>>> ppp0 is my EXT_IF.
>>>>
>>>> So, what to do?
>>>>
>>>> How do I get things working in this corner case?
>>>>
>>>> I ran:
>>>>
>>>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or 
>>>> ah \)
>>>>
>>>> but didn't see squat...  neither inbound nor outbound.
>>>>
>>>> Has anyone had success with IPSec that could share some pointers?
>>>>
>>>> Thanks,
>>>>
>>>> -Philip
>>>>
>>>>
>>>>         




More information about the Firewall mailing list