[Firewall] IPSEC VPN help, please.

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu Mar 22 15:52:02 CET 2012


Hi Mike,

Are you convinced the problem is the firewall? And not the IPsec configs, client/server mismatch, etc.?

What IPsec implementation are you using on the server, another Cisco flavor to match your laptop?

Why not use OpenVPN? :-)

Lonnie



On Mar 21, 2012, at 10:42 PM, blip42 wrote:

> 
> Hello, is there anyone here?
> 
> Does anyone have any experience with IPSEC VPN via Arno's Firewall?
> 
> I have been trying, unsuccessfully, with version 2.0.1a (now 2.0.1b) to get my work laptop 
> to connect to our VPN via the Cisco client.
> 
> I have the following configuration:
> 
> Server:
> OS: Slackware64-current with kernel 3.2.7
> Running Arno's Firewall 2.0.1b
> eth0: External Interface. Gets IP via DHCP
> eth1: Internal Interface for internal LAN set at 10.0.2.1
> 
> Work Laptop - LAN IP 10.0.2.24
> Browses web fine when not connected to VPN
> When trying to connect to the VPN it makes it out to the server 
> at work, but fails to negotiate and establish the VPN.
> 
> I have enabled the IPSEC-VPN plugin, and I've opened and forwarded ports.
> I am clearly missing something simple because when I search Google
> most people with this issue are missing opening a port or allowing the protocol.
> As far as I can tell I have done that, but perhaps I missed something.
> 
> I am providing the settings from the .conf files that I have touched:
> 
> If anyone can shed any light on this, it would be greatly appreciated.
> Or if something doesn't look correctly set, like:
> do I have the open statements in the wrong section?
> 
> Thanks in advance for any replies.
> I really don't want to have to write my own,
> and this is the last one I found that I actually like and that worked for my needs... mostly.
> 
> Sincerely,
> Mike
> 
> (Commented lines and lines where the value was set as variable="" have been removed to save space)
> 
> ipsec-vpn.conf
> 
> ENABLED=1
> IPSEC_ALLOWED_HOSTS="0/0"
> IPSEC_NAT_TRAVERSAL=1
> 
> 
> firewall.conf   
> 
> EXT_IF="eth0"
> EXT_IF_DHCP_IP="1"
> EXTERNAL_DHCP_SERVER=0
> EXTERNAL_DHCPV6_SERVER=0
> INT_IF="eth1"
> INTERNAL_NET="10.0.2.1/24"
> INTERNAL_NET_ANTISPOOF=1
> INT_NET_BCAST_ADDRESS="10.0.2.255"
> DMZ_NET_ANTISPOOF=1
> NAT="1"
> NAT_INTERNAL_NET="$INTERNAL_NET"
> NAT_LOCAL_REDIRECT=0
> NAT_FORWARD_TCP="500,4500,10000,62515>10.0.2.24"
> NAT_FORWARD_UDP="500,4500,10000,62515>10.0.2.24"
> NAT_FORWARD_IP="47,50>10.0.2.24"
> IP4TABLES="/usr/sbin/iptables"
> IP6TABLES="/usr/sbin/ip6tables"
> ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
> PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins"
> PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
> DMESG_PANIC_ONLY=1
> MANGLE_TOS=0
> SET_MSS=1
> TTL_INC=0
> USE_IRC=0
> LOOSE_FORWARD=0
> FORWARD_LINK_LOCAL=0
> IPV6_DROP_RH_ZERO=1
> RESERVED_NET_DROP=0
> DRDOS_PROTECT=0
> IPV6_SUPPORT="0"
> NMB_BROADCAST_FIX=0
> COMPILED_IN_KERNEL_MESSAGES=1
> DEFAULT_POLICY_DROP=1
> CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
> LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
> DISABLE_IPTABLES_BATCH=0
> TRACE=0
> BLOCKED_HOST_LOG=1
> SCAN_LOG=1
> POSSIBLE_SCAN_LOG=1
> BAD_FLAGS_LOG=1
> INVALID_TCP_LOG=0
> INVALID_UDP_LOG=0
> INVALID_ICMP_LOG=0
> RESERVED_NET_LOG=0
> FRAG_LOG=1
> INET_OUTPUT_DENY_LOG=1
> LAN_OUTPUT_DENY_LOG=1
> LAN_INPUT_DENY_LOG=1
> DMZ_OUTPUT_DENY_LOG=1
> DMZ_INPUT_DENY_LOG=1
> FORWARD_DROP_LOG=1
> LINK_LOCAL_DROP_LOG=1
> ICMP_REQUEST_LOG=1
> ICMP_OTHER_LOG=1
> PRIV_TCP_LOG=1
> PRIV_UDP_LOG=1
> UNPRIV_TCP_LOG=1
> UNPRIV_UDP_LOG=1
> IGMP_LOG=1
> OTHER_IP_LOG=1
> ICMP_FLOOD_LOG=1
> LOGLEVEL="info"
> SYN_PROT=1
> REDUCE_DOS_ABILITY=1
> ECHO_IGNORE=0
> LOG_MARTIANS=0
> IP_FORWARDING=1
> IPV6_AUTO_CONFIGURATION=1
> ICMP_REDIRECT=0
> CONNTRACK=16384
> ECN=0
> RP_FILTER=0
> SOURCE_ROUTE_PROTECTION=1
> LOCAL_PORT_RANGE="32768 61000"
> DEFAULT_TTL=64
> NO_PMTU_DISCOVERY=0
> LAN_OPEN_ICMP=1
> LAN_INET_OPEN_ICMP=1
> DMZ_OPEN_ICMP=1
> INET_DMZ_OPEN_ICMP=0
> DMZ_INET_OPEN_ICMP=1
> DMZ_LAN_OPEN_ICMP=0
> OPEN_ICMP="1"
> OPEN_ICMPV6=1
> OPEN_TCP="22,80" #,500,4500,10000,62515"
> OPEN_UDP="53" #,500,4500,10000,62515"
> BLOCK_HOSTS_BIDIRECTIONAL=1
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
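Lonnie's first question (is it really the firewall?) can be answered from the logs Mike already has turned on (FORWARD_DROP_LOG, LAN_INPUT_DENY_LOG and friends). The script below is an added example for this thread, not part of Arno's firewall or of the Cisco client: it parses the standard KEY=value fields that the netfilter LOG target writes to the kernel log and counts dropped packets per IPsec component (IKE on UDP/500, NAT-T on UDP/4500, ESP, AH, GRE, port 10000) and per direction. The interface names default to the eth0/eth1 layout in the post; the "FW DROP:" log prefix, the timestamps and every address in SAMPLE_LOG are constructed for illustration.

```python
"""Classify dropped packets from netfilter LOG lines by IPsec component.

Added diagnostic for the thread above; it is not part of Arno's firewall
or of the Cisco client. It parses the standard KEY=value output of the
iptables LOG target (the "kernel:" lines produced with FORWARD_DROP_LOG=1
and friends) and reports which IPsec traffic was dropped, in which
direction. Interface names default to the eth0/eth1 layout in the post.
"""
import re
from collections import Counter

# Protocol names/numbers as the LOG target prints them (ESP/AH by name,
# anything else, e.g. GRE, as a plain number).
IPSEC_IP_PROTOS = {
    "ESP": "ESP (IP proto 50)", "50": "ESP (IP proto 50)",
    "AH": "AH (IP proto 51)", "51": "AH (IP proto 51)",
    "47": "GRE (IP proto 47)",
}
# Ports a Cisco-style client uses: IKE, NAT-T and IPsec-over-UDP/TCP.
IPSEC_PORTS = {
    500: "IKE (UDP/500)",
    4500: "IKE NAT-T / UDP-encapsulated ESP (UDP/4500)",
    10000: "IPsec over UDP/TCP (port 10000)",
}

_TOKEN_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=value fields of a netfilter LOG line, or None if the
    line is not one (no IN= / PROTO= tokens)."""
    fields = dict(_TOKEN_RE.findall(line))
    if "IN" not in fields or "PROTO" not in fields:
        return None
    return fields


def classify(fields):
    """Name the IPsec component a logged packet belongs to, or None."""
    proto = fields["PROTO"]
    if proto in IPSEC_IP_PROTOS:
        return IPSEC_IP_PROTOS[proto]
    if proto in ("UDP", "TCP"):
        for key in ("DPT", "SPT"):
            port = fields.get(key, "")
            if port.isdigit() and int(port) in IPSEC_PORTS:
                return IPSEC_PORTS[int(port)]
    return None


def direction(fields, ext_if="eth0", int_if="eth1"):
    """Describe the path through the box from the IN=/OUT= interfaces."""
    inp, out = fields.get("IN", ""), fields.get("OUT", "")
    if inp == int_if and out == ext_if:
        return "LAN->Internet (FORWARD)"
    if inp == ext_if and out == int_if:
        return "Internet->LAN (FORWARD)"
    if inp == ext_if and not out:
        return "Internet->firewall (INPUT)"
    if inp == int_if and not out:
        return "LAN->firewall (INPUT)"
    return "%s->%s" % (inp or "local", out or "local")


def summarize(lines, ext_if="eth0", int_if="eth1"):
    """Count dropped IPsec packets per (direction, component)."""
    counts = Counter()
    for line in lines:
        fields = parse_log_line(line)
        if fields is None:
            continue
        component = classify(fields)
        if component is not None:
            counts[(direction(fields, ext_if, int_if), component)] += 1
    return counts


# Constructed sample: three dropped IPsec packets and one unrelated probe.
# The "FW DROP:" prefix and all addresses are made up for this example.
SAMPLE_LOG = [
    "Mar 22 10:01:02 gw kernel: FW DROP: IN=eth1 OUT=eth0 SRC=10.0.2.24 DST=203.0.113.10 LEN=492 TOS=0x00 PREC=0x00 TTL=127 ID=1234 PROTO=UDP SPT=500 DPT=500 LEN=472",
    "Mar 22 10:01:05 gw kernel: FW DROP: IN=eth0 OUT=eth1 SRC=203.0.113.10 DST=10.0.2.24 LEN=152 TOS=0x00 PREC=0x00 TTL=54 ID=4321 PROTO=ESP SPI=0x0a1b2c3d",
    "Mar 22 10:01:06 gw kernel: FW DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.7 LEN=128 TOS=0x00 PREC=0x00 TTL=54 ID=4322 PROTO=UDP SPT=4500 DPT=4500 LEN=108",
    "Mar 22 10:01:09 gw kernel: FW DROP: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for (path, what), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-28s %-50s dropped x%d" % (path, what, n))
```

Feed it the firewall's kernel log (for example `dmesg` or the syslog file) while the client retries. If the outbound IKE packets from 10.0.2.24 on UDP/500 or UDP/4500 never show up as dropped and the reply ESP or NAT-T packets are not dropped either, the firewall is not eating the handshake and the mismatch is more likely in the IPsec configuration on the two ends, which is the question Lonnie raises.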
