[Firewall] Using IPSec (w/o Racoon)

Arno van Amersfoort arnova at rocky.eld.leidenuniv.nl
Thu Jul 17 00:45:33 MDT 2008


Odd.... But this sounds more like a kernel problem than something that 
is fixable with iptables...

a.

Jeff Welling wrote:
> I had trouble getting IPSec to work through NATs, I kept getting an 
> error along the lines of 'packet too small, retransmitting'.  When there 
> was no NAT involved it worked like a charm though.  I was not able to 
> pin down the cause of that error message.
> 
> Cheers,
> Jeff.
> 
> Philip Prindeville wrote:
>> I'm hoping to get automagic creation of IPSec tunnels into the next 
>> release of Astlinux, but this is a showstopper on that capability.
>>
>> Let me know if you have some time to stare at this issue some.  I can 
>> run tests.
>>
>> Thanks,
>>
>> -Philip
>>
>>
>> Arno van Amersfoort wrote:
>>> What kind of IPsec implementation are you using? Freeswan, Racoon or 
>>> something else. The FAQ is a little outdated, and this explanation only 
>>> works with Freeswan (which is obsolete AFAIK).
>>>
>>> a.
>>>
>>> Philip Prindeville wrote:
>>>> Hi.
>>>>
>>>> I read the FAQ.  Saw:
>>>>
>>>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>>>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
>>>> my script.
>>>> You need to configure the following variables:
>>>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>>>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>>>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
>>>> gateway/network. You should probably also add "ppp+" but note that this 
>>>> only works if you don't use ppp+ for your external interface (EXT_IF)!
>>>> - RP_FILTER=0 # If we don't do this the private external addresses won't 
>>>> be routed into our net
>>>>
>>>> I'm trying to get a statically configured tunnel using setkey (hence not 
>>>> using Racoon for dynamic key exchange via DH).
>>>>
>>>> I don't have any interfaces called "ipsec*", and in one case I'm doing 
>>>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
>>>> ppp0 is my EXT_IF.
>>>>
>>>> So, what to do?
>>>>
>>>> How do I get things working in this corner case?
>>>>
>>>> I ran:
>>>>
>>>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or 
>>>> ah \)
>>>>
>>>> but didn't see squat...  neither inbound nor outbound.
>>>>
>>>> Has anyone had success with IPSec that could share some pointers?
>>>>
>>>> Thanks,
>>>>
>>>> -Philip
>>>>
>>
>> _______________________________________________
>> Firewall mailing list
>> Firewall at lists.btito.net
>> http://lists.btito.net/mailman/listinfo/firewall_lists.btito.net
>> Arno's (Linux IPTABLES Firewall) Homepage:
>> http://rocky.eld.leidenuniv.nl
>>
> 

-- 
Arno van Amersfoort
E-mail    : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
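An added example, not code from this thread and not Arno's firewall script: a dry-run shell snippet that expands the four FAQ variables quoted above (OPEN_IP, OPEN_UDP, TRUSTED_IF, RP_FILTER) into the plain iptables and sysctl commands they stand for, and checks the FAQ's caveat that "ppp+" must not appear in TRUSTED_IF when ppp is also the external interface. The interface names and values are assumptions chosen for illustration; nothing is applied to the running system.

```shell
#!/bin/sh
# Constructed settings mirroring the FAQ variables (assumed values, not a real host).
EXT_IF="ppp0"
OPEN_IP="50 51"        # 50 = ESP protocol, 51 = AH protocol
OPEN_UDP="500 4500"    # 500 = IKE, 4500 = NAT traversal (optional)
TRUSTED_IF="ipsec+"    # interface pattern whose traffic is fully trusted
RP_FILTER=0            # 0 = do not drop packets that fail reverse-path check

# Print the commands the settings above translate to (dry run: only echoed).
ipsec_rules() {
  for proto in $OPEN_IP; do
    echo "iptables -A INPUT -i $EXT_IF -p $proto -j ACCEPT"
  done
  for port in $OPEN_UDP; do
    echo "iptables -A INPUT -i $EXT_IF -p udp --dport $port -j ACCEPT"
  done
  for ifc in $TRUSTED_IF; do
    echo "iptables -A INPUT -i $ifc -j ACCEPT"
    echo "iptables -A FORWARD -i $ifc -j ACCEPT"
  done
  if [ "$RP_FILTER" = "0" ]; then
    echo "sysctl -w net.ipv4.conf.all.rp_filter=0"
  fi
}

# Return 1 (conflict) when a TRUSTED_IF entry also matches EXT_IF, which would
# mark the untrusted external interface as trusted; return 0 otherwise.
# A trailing '+' is treated as an iptables-style prefix wildcard.
trusted_if_conflict() {
  for ifc in $TRUSTED_IF; do
    case "$ifc" in
      *+)
        prefix="${ifc%+}"
        case "$EXT_IF" in
          "$prefix"*) return 1 ;;
        esac
        ;;
      *)
        if [ "$ifc" = "$EXT_IF" ]; then
          return 1
        fi
        ;;
    esac
  done
  return 0
}
```

Note that a tunnel keyed with setkey on the native kernel IPsec stack, as in the original question, creates no ipsec* interface, so a TRUSTED_IF of "ipsec+" matches nothing there and the decrypted traffic arrives on EXT_IF instead.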


