[Firewall] IPSEC VPN help, please.

Gustin Johnson gustin at meganerd.ca
Thu Mar 22 18:56:28 CET 2012


Is the VPN server behind a NAT router as well?  I was never able to get
that working.  Now we have our VPN server in the DMZ with a publicly
routable IP.  As a fall-back we use OpenVPN (nothing beats a single
connection over a single TCP port for reliability).

IIRC there needs to be some kernel modules loaded in order for the IPSEC
pass-through to work.  It has been a long time since I have looked at
this.

I have connected to our ipsec VPN from home through two NATs, one provided
by Virtualbox, then my LAN NAT (generic Linux box with Arno) and I have not
enabled the VPN client

On Wed, Mar 21, 2012 at 9:42 PM, blip42 <blip42 at zoho.com> wrote:

> Hello is there anyone here,
>
> Does anyone have any experience with IPSEC VPN via Arno's Firewall?
>
> I have been trying, unsuccessfully, with version 2.0.1a (now 2.0.1.b) to
> get a my work laptop
> to connect to our VPN via Cisco client.
>
> I have the following configuration:
>
> Server:
> OS: Slackware64-current with kernel 3.2.7
> Running Arno's Firewall 2.0.1b
> eth0: External Interface. Gets IP via DHCP
> eth1: Internal Interface for internal LAN set at 10.0.2.1
>
> Work Laptop - LAN IP 10.0.2.24
> Browses web fine when not connected to VPN
> When trying to connect to VPN it makes it out to the server
> at work, but fails to negotiate and establish the VPN.
>
> I have enabled the IPSEC-VPN plugin, and I've opened and forwarded ports.
> I am clearly missing something simple because when I search Google
> most people with this issue are missing opening a port or allowing the
> protocol.
> As far as I can tell I have done that, but perhaps I missed something.
>
> I am providing the setting from the .conf files that I have touched:
>
> If anyone can shed any light on this, it would be greatly appreciated.
> Or if something doesn't look correctly set, like:
> do I have the open statements in the wrong section?
>
> Thanks in advance for any replies.
> I really don't want to have to write my own,
> and this is the last one I found that I actually like and worked for my
> needs... mostly.
>
> Sincerely,
> Mike
>
> (Commented lines and lines where the value was set as variable="" have
> been removed to save space)
>
> ipsec-vpn.conf
>
> ENABLED=1
> IPSEC_ALLOWED_HOSTS="0/0"
> IPSEC_NAT_TRAVERSAL=1
>
>
> firewall.conf
>
> EXT_IF="eth0"
> EXT_IF_DHCP_IP="1"
> EXTERNAL_DHCP_SERVER=0
> EXTERNAL_DHCPV6_SERVER=0
> INT_IF="eth1"
> INTERNAL_NET="10.0.2.1/24"
> INTERNAL_NET_ANTISPOOF=1
> INT_NET_BCAST_ADDRESS="10.0.2.255"
> DMZ_NET_ANTISPOOF=1
> NAT="1"
> NAT_INTERNAL_NET="$INTERNAL_NET"
> NAT_LOCAL_REDIRECT=0
> NAT_FORWARD_TCP="500,4500,10000,62515>10.0.2.24"
> NAT_FORWARD_UDP="500,4500,10000,62515>10.0.2.24"
> NAT_FORWARD_IP="47,50>10.0.2.24"
> IP4TABLES="/usr/sbin/iptables"
> IP6TABLES="/usr/sbin/ip6tables"
> ENV_FILE="/usr/local/share/arno-iptables-firewall/environment"
> PLUGIN_BIN_PATH="/usr/local/share/arno-iptables-firewall/plugins"
> PLUGIN_CONF_PATH="/etc/arno-iptables-firewall/plugins"
> DMESG_PANIC_ONLY=1
> MANGLE_TOS=0
> SET_MSS=1
> TTL_INC=0
> USE_IRC=0
> LOOSE_FORWARD=0
> FORWARD_LINK_LOCAL=0
> IPV6_DROP_RH_ZERO=1
> RESERVED_NET_DROP=0
> DRDOS_PROTECT=0
> IPV6_SUPPORT="0"
> NMB_BROADCAST_FIX=0
> COMPILED_IN_KERNEL_MESSAGES=1
> DEFAULT_POLICY_DROP=1
> CUSTOM_RULES="/etc/arno-iptables-firewall/custom-rules"
> LOCAL_CONFIG_DIR="/etc/arno-iptables-firewall/conf.d"
> DISABLE_IPTABLES_BATCH=0
> TRACE=0
> BLOCKED_HOST_LOG=1
> SCAN_LOG=1
> POSSIBLE_SCAN_LOG=1
> BAD_FLAGS_LOG=1
> INVALID_TCP_LOG=0
> INVALID_UDP_LOG=0
> INVALID_ICMP_LOG=0
> RESERVED_NET_LOG=0
> FRAG_LOG=1
> INET_OUTPUT_DENY_LOG=1
> LAN_OUTPUT_DENY_LOG=1
> LAN_INPUT_DENY_LOG=1
> DMZ_OUTPUT_DENY_LOG=1
> DMZ_INPUT_DENY_LOG=1
> FORWARD_DROP_LOG=1
> LINK_LOCAL_DROP_LOG=1
> ICMP_REQUEST_LOG=1
> ICMP_OTHER_LOG=1
> PRIV_TCP_LOG=1
> PRIV_UDP_LOG=1
> UNPRIV_TCP_LOG=1
> UNPRIV_UDP_LOG=1
> IGMP_LOG=1
> OTHER_IP_LOG=1
> ICMP_FLOOD_LOG=1
> LOGLEVEL="info"
> SYN_PROT=1
> REDUCE_DOS_ABILITY=1
> ECHO_IGNORE=0
> LOG_MARTIANS=0
> IP_FORWARDING=1
> IPV6_AUTO_CONFIGURATION=1
> ICMP_REDIRECT=0
> CONNTRACK=16384
> ECN=0
> RP_FILTER=0
> SOURCE_ROUTE_PROTECTION=1
> LOCAL_PORT_RANGE="32768 61000"
> DEFAULT_TTL=64
> NO_PMTU_DISCOVERY=0
> LAN_OPEN_ICMP=1
> LAN_INET_OPEN_ICMP=1
> DMZ_OPEN_ICMP=1
> INET_DMZ_OPEN_ICMP=0
> DMZ_INET_OPEN_ICMP=1
> DMZ_LAN_OPEN_ICMP=0
> OPEN_ICMP="1"
> OPEN_ICMPV6=1
> OPEN_TCP="22,80" #,500,4500,10000,62515"
> OPEN_UDP="53" #,500,4500,10000,62515"
> BLOCK_HOSTS_BIDIRECTIONAL=1
>
>
>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
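The NAT_FORWARD_* lines quoted above use Arno's "ports>host" syntax. As an added example (not code from Arno's firewall or from either poster), here is a small Python translator that parses that syntax into the iptables DNAT/FORWARD rules it implies and flags the forwards a client-initiated IPsec tunnel does not need. The rule shapes are an assumption about what the firewall generates, not its actual output, and the sample config is copied from the thread.

```python
from ipaddress import ip_address

# Constructed sample: the NAT_FORWARD_* values quoted in the thread above.
SAMPLE_CONF = {
    "EXT_IF": "eth0",
    "NAT_FORWARD_TCP": "500,4500,10000,62515>10.0.2.24",
    "NAT_FORWARD_UDP": "500,4500,10000,62515>10.0.2.24",
    "NAT_FORWARD_IP": "47,50>10.0.2.24",
}

def parse_forward(spec):
    """Split an Arno-style value "a,b>host c>host2" into (port_or_proto, host) pairs."""
    pairs = []
    for entry in spec.split():
        items, sep, host = entry.partition(">")
        if not sep or not host:
            raise ValueError(f"missing '>host' in {entry!r}")
        ip_address(host)  # reject a malformed destination early
        pairs.extend((item.strip(), host) for item in items.split(",") if item.strip())
    return pairs

def dnat_rules(conf):
    """Approximate the iptables rules the config implies (assumption: not Arno's own generator)."""
    ext = conf["EXT_IF"]
    rules = []
    for var, proto in (("NAT_FORWARD_TCP", "tcp"), ("NAT_FORWARD_UDP", "udp")):
        for port, host in parse_forward(conf.get(var, "")):
            rules.append(f"iptables -t nat -A PREROUTING -i {ext} -p {proto} --dport {port} -j DNAT --to-destination {host}")
            rules.append(f"iptables -A FORWARD -i {ext} -p {proto} -d {host} --dport {port} -j ACCEPT")
    # Protocol forwards (47 = GRE, 50 = ESP) carry no port, so they match every packet of that protocol.
    for proto, host in parse_forward(conf.get("NAT_FORWARD_IP", "")):
        rules.append(f"iptables -t nat -A PREROUTING -i {ext} -p {proto} -j DNAT --to-destination {host}")
        rules.append(f"iptables -A FORWARD -i {ext} -p {proto} -d {host} -j ACCEPT")
    return rules

def review_forwards(conf):
    """Flag forwards that widen exposure and that a client initiating the tunnel does not need."""
    findings = []
    for proto, host in parse_forward(conf.get("NAT_FORWARD_IP", "")):
        findings.append(f"proto {proto} has no ports: every inbound packet of that protocol is sent to {host}")
    for var in ("NAT_FORWARD_TCP", "NAT_FORWARD_UDP"):
        for port, host in parse_forward(conf.get(var, "")):
            if port in ("500", "4500"):
                findings.append(f"{var} {port}>{host}: unsolicited IKE/NAT-T from the Internet reaches the "
                                f"workstation; a client that starts the tunnel needs conntrack, not a DNAT")
    return findings
```

Running `dnat_rules(SAMPLE_CONF)` prints the 20 rules the four quoted lines expand to, and `review_forwards` lists the six inbound openings that only matter if the laptop were the VPN server rather than the client.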