[Firewall] Using IPSec (w/o Racoon)

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Jul 17 00:45:02 MDT 2008


Yep, that's what I recall. Note that the base setup of the plugin was 
not written or tested by me (as I don't use ipsec myself)....

a.

Philip Prindeville wrote:
> I'll give it a try this evening.
> 
> So, the local and remote [sic] subnets are both the local subnet that 
> you want to export as well as the remote subnets you want to import?
> 
> And the inet-hosts are the subnet or host/32 addresses of the public 
> side of the peers?
> 
> -Philip
> 
> 
> Arno van Amersfoort wrote:
>> I just checked it and in principle the Racoon Plugin should accomplish 
>> what you want...
>>
>> a.
>>
>> Philip Prindeville wrote:
>>> It's Linux, obviously... Astlinux 0.5, so:
>>>
>>> Linux 2.6.20
>>> IPSec-tools-0.7 (KAME ported to Linux)
>>> Iptables 1.3.8
>>>
>>> and your firewall 1.8.8n (well, mostly 'o', really... just short 2 patches).
>>>
>>> It's an ESP tunnel with manually configured static keys.
>>>
>>> -Philip
>>>
>>>
>>> Arno van Amersfoort wrote:
>>>> What kind of IPsec implementation are you using? Freeswan, Racoon or 
>>>> something else. The FAQ is a little outdated, and this explanation only 
>>>> works with Freeswan (which is obsolete AFAIK).
>>>>
>>>> a.
>>>>
>>>> Philip Prindeville wrote:
>>>>> Hi.
>>>>>
>>>>> I read the FAQ.  Saw:
>>>>>
>>>>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>>>>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
>>>>> my script.
>>>>> You need to configure the following variables:
>>>>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>>>>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>>>>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
>>>>> gateway/network. You should probably also add "ppp+" but note that this 
>>>>> only works if you don't use ppp+ for your external interface (EXT_IF)!
>>>>> - RP_FILTER=0 # If we don't do this the private external addresses won't 
>>>>> be routed into our net
>>>>>
>>>>> I'm trying to get a statically configured tunnel using setkey (hence not 
>>>>> using Racoon for dynamic key exchange via DH).
>>>>>
>>>>> I don't have any interfaces called "ipsec*", and in one case I'm doing 
>>>>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
>>>>> ppp0 is my EXT_IF.
>>>>>
>>>>> So, what to do?
>>>>>
>>>>> How do I get things working in this corner case?
>>>>>
>>>>> I ran:
>>>>>
>>>>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or 
>>>>> ah \)
>>>>>
>>>>> but didn't see squat...  neither inbound nor outbound.
>>>>>
>>>>> Has anyone had success with IPSec that could share some pointers?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Philip

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
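Added illustration of what the FAQ's OPEN_IP, OPEN_UDP, TRUSTED_IF and RP_FILTER settings come down to in iptables and sysctl terms; this is a sketch written for this archive page, not Arno's firewall script, and EXT_IF="ppp0" plus the rule layout are assumptions. It only prints the rules, which is enough to see why the "ipsec+" entry has nothing to match on a setkey-only (native kernel IPsec) host, where decrypted packets reappear on the same external interface.

```shell
#!/bin/sh
# Added illustration (not Arno's firewall script): the FAQ variables
# translated into the rules they imply. Nothing is applied; the functions
# only print, so the result can be reviewed first.

OPEN_IP="50 51"          # 50 = ESP, 51 = AH (from the FAQ)
OPEN_UDP="500 4500"      # 500 = IKE, 4500 = NAT traversal (from the FAQ)
TRUSTED_IF="ipsec+"      # only exists as a device with Freeswan-style ipsecN
RP_FILTER=0
EXT_IF="ppp0"            # assumed external interface, as in the thread

# Print the INPUT rules implied by OPEN_IP/OPEN_UDP/TRUSTED_IF on EXT_IF.
ipsec_input_rules() {
    proto=$1; ports=$2; trusted=$3; ext=$4
    for p in $proto; do
        echo "iptables -A INPUT -i $ext -p $p -j ACCEPT"
    done
    for u in $ports; do
        echo "iptables -A INPUT -i $ext -p udp --dport $u -j ACCEPT"
    done
    # Freeswan hands decapsulated packets to an ipsecN device, so trusting
    # that device trusts the cleartext side of the tunnel. With setkey/KAME
    # (native kernel IPsec) no such device exists, so this rule never matches;
    # that is exactly the corner case raised in the thread.
    for t in $trusted; do
        echo "iptables -A INPUT -i $t -j ACCEPT"
    done
}

# Print the sysctl lines implied by RP_FILTER for one interface and "all".
rp_filter_sysctl() {
    echo "net.ipv4.conf.$2.rp_filter = $1"
    echo "net.ipv4.conf.all.rp_filter = $1"
}

ipsec_input_rules "$OPEN_IP" "$OPEN_UDP" "$TRUSTED_IF" "$EXT_IF"
rp_filter_sysctl "$RP_FILTER" "$EXT_IF"
```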


