[Firewall] Using IPSec (w/o Racoon)

Philip Prindeville philipp_subx at redfish-solutions.com
Thu Jul 17 13:08:00 MDT 2008


Yup.

# egrep '^(esp|ah)' /etc/protocols
esp     50      ESP             # Encap Security Payload
ah      51      AH              # Authentication Header
# 
# grep 4500 /etc/services
ipsec-nat-t     4500/tcp                        # IPsec NAT-Traversal
ipsec-nat-t     4500/udp                        # IPsec NAT-Traversal
# 

Arno van Amersfoort wrote:
> The plugin takes care of the 500 and 50..... But I assume that Kame also 
> requires 4500 and 51, right? Do you have any reference document for it?
>
> a.
>
> Philip Prindeville wrote:
>> Ok.  So if I enable the plugin, do I still need to add:
>>
>> OPEN_UDP="... 500 4500 ..."
>> OPEN_IP="... 50 51"
>>
>> or does the plug-in take care of this for me?
>>
>> -Philip
>>
>>
>> Arno van Amersfoort wrote:
>>> I just checked it and in principle the Racoon Plugin should accomplish 
>>> what you want...
>>>
>>> a.
>>>
>>> Philip Prindeville wrote:
>>>> It's Linux, obviously... Astlinux 0.5, so:
>>>>
>>>> Linux 2.6.20
>>>> IPSec-tools-0.7 (KAME ported to Linux)
>>>> Iptables 1.3.8
>>>>
>>>> and your firewall 1.8.8n (well, mostly 'o', really... just short 2 patches).
>>>>
>>>> It's an ESP tunnel with manually configured static keys.
>>>>
>>>> -Philip
>>>>
>>>>
>>>> Arno van Amersfoort wrote:
>>>>> What kind of IPsec implementation are you using? Freeswan, Racoon or 
>>>>> something else. The FAQ is a little outdated, and this explanation only 
>>>>> works with Freeswan (which is obsolete AFAIK).
>>>>>
>>>>> a.
>>>>>
>>>>> Philip Prindeville wrote:
>>>>>> Hi.
>>>>>>
>>>>>> I read the FAQ.  Saw:
>>>>>>
>>>>>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>>>>>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
>>>>>> my script.
>>>>>> You need to configure the following variables:
>>>>>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>>>>>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>>>>>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
>>>>>> gateway/network. You should probably also add "ppp+" but note that this 
>>>>>> only works if you don't use ppp+ for your external interface (EXT_IF)!
>>>>>> - RP_FILTER=0 # If we don't do this the private external addresses won't 
>>>>>> be routed into our net
>>>>>>
>>>>>> I'm trying to get a statically configured tunnel using setkey (hence not 
>>>>>> using Racoon for dynamic key exchange via DH).
>>>>>>
>>>>>> I don't have any interfaces called "ipsec*", and in one case I'm doing 
>>>>>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
>>>>>> ppp0 is my EXT_IF.
>>>>>>
>>>>>> So, what to do?
>>>>>>
>>>>>> How do I get things working in this corner case?
>>>>>>
>>>>>> I ran:
>>>>>>
>>>>>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or 
>>>>>> ah \)
>>>>>>
>>>>>> but didn't see squat...  neither inbound nor outbound.
>>>>>>
>>>>>> Has anyone had success with IPSec that could share some pointers?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> -Philip
>>>>>>
>>>>>>
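As an added illustration, not part of this thread or of Arno's firewall script: a small POSIX sh checker that reads an Arno-style config fragment (SAMPLE_CONF below is a constructed sample) and reports which of the settings discussed in the thread a tunnel still lacks. It assumes a MODE argument: "static" for a setkey tunnel with manual keys, where UDP 500/4500 are not needed, "ike" when racoon does the keying, "ike-natt" when the IKE peer is behind NAT.

```shell
#!/bin/sh
# Added example, not the firewall script's own code: does an Arno-style
# config open what an IPsec tunnel needs?  SAMPLE_CONF is constructed.
SAMPLE_CONF='EXT_IF="ppp0"
TRUSTED_IF="ipsec+ ppp+"
OPEN_IP="50"
OPEN_UDP="53 123"
RP_FILTER=1'
# cfg_get CONFIG_TEXT VAR: value of the last VAR=... line, quotes stripped.
cfg_get() {
    printf '%s\n' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | tr -d '"'
}
# has_word LIST WORD: true when WORD is one of the space-separated items.
has_word() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}
# ipsec_check CONFIG_TEXT MODE (static | ike | ike-natt): prints one line
# per missing setting; the exit status is the number of missing settings.
ipsec_check() {
    cfg=$1; mode=$2; missing=0
    ip=$(cfg_get "$cfg" OPEN_IP);   udp=$(cfg_get "$cfg" OPEN_UDP)
    ext=$(cfg_get "$cfg" EXT_IF);   trusted=$(cfg_get "$cfg" TRUSTED_IF)
    # ESP (50) and AH (51) carry the tunnel itself, whoever does the keying.
    for p in 50 51; do
        if ! has_word "$ip" "$p"; then
            echo "OPEN_IP lacks IP protocol $p"; missing=$((missing + 1))
        fi
    done
    # IKE (UDP 500) only matters when a keying daemon runs; NAT-T (UDP 4500)
    # only when the IKE peer sits behind NAT.  A static setkey tunnel needs neither.
    if [ "$mode" != static ] && ! has_word "$udp" 500; then
        echo "OPEN_UDP lacks 500 (IKE)"; missing=$((missing + 1))
    fi
    if [ "$mode" = ike-natt ] && ! has_word "$udp" 4500; then
        echo "OPEN_UDP lacks 4500 (NAT-T)"; missing=$((missing + 1))
    fi
    # rp_filter would drop decapsulated packets with private source addresses.
    if [ "$(cfg_get "$cfg" RP_FILTER)" != 0 ]; then
        echo "RP_FILTER should be 0"; missing=$((missing + 1))
    fi
    # The FAQ's "ppp+" in TRUSTED_IF is only safe when ppp is not EXT_IF.
    case $ext in ppp*)
        if has_word "$trusted" "ppp+"; then
            echo "TRUSTED_IF ppp+ would trust external $ext"; missing=$((missing + 1))
        fi ;;
    esac
    return $missing
}
ipsec_check "$SAMPLE_CONF" static || echo "$? setting(s) missing"
```

For the constructed sample in static mode it reports the missing AH protocol, RP_FILTER and the ppp+ conflict with EXT_IF=ppp0.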