Re: VPN using ESP protocol, problems with firewall
From: Whoever (nobody_at_devnull.none)
Date: 08/14/03
- Next message: Varun Sinha: "Linux firewall on P166"
- Previous message: Frutillar: "Re: Setting up Orinoco Gold 802.11b"
- In reply to: Jon Rook: "VPN using ESP protocol, problems with firewall"
- Next in thread: Jon Rook: "Re: VPN using ESP protocol, problems with firewall"
- Reply: Jon Rook: "Re: VPN using ESP protocol, problems with firewall"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 14 Aug 2003 06:39:37 GMT
On Thu, 14 Aug 2003, Jon Rook wrote:
> Hi again,
> I've been trying to enable VPN access from my laptop on my home network
> through my RH7.2 Router/Firewall without much success.
> I'm using a Cisco VPN application on the Win2K laptop that has settings
> for transparent tunneling using either UDP (default), or TCP. The
> documentation for this application says that it will not work with a
> stateful firewall, hence I'm using IPCHAINS.
You appear to be using an IPSEC VPN which is neither a UDP VPN nor a TCP
VPN. Unless you have the appropriate configuration for IPSEC MASQ, it
won't work (assuming your router/firewall is a NAT/MASQ firewall). At one
time, this required a kernel patch -- I don't know if it was ever
incorporated into the standard kernel.
You can write a mixture of stateful and non-stateful rules with IPTABLES.
There is no need to use IPCHAINS.
>
> There are two phases to using the VPN. 1) logging in, and 2) accessing
> services from the remote site like mail etc. I am able to successfully
> log in to the remote site. Using ethereal, I am able to see a two-way
> communication via UDP during this setup phase.
>
> When I open my mail application, everything grinds to a halt. Ethereal
> tells me that my laptop is sending numerous packets that are being
> blocked by my IPCHAINS firewall. I.e., the packets appear on the local
> network side of the firewall, but not on the 'outside' interface.
>
> Ethereal says that the protocol for these packets is "ESP", and the
> protocol number is 0x32. In my firewall, I have tried to allow these
> packets through. I think the following rules should allow traffic from
> the remote VPN machine to pass through my firewall.
>
> $IPC -A input -i $EXTIF -p 50 -s {addr.of.remote.VPN} -j ACCEPT
> $IPC -A output -i $INTIF -p 50 -s {addr.of.remote.VPN} -j ACCEPT
>
You need to enable Protocol 51 as well.
> There are similar rules for outbound traffic from my laptop to the
> remote server.
>
> $IPC -A input -i $INTIF -p 50 -d {addr.of.remote.VPN} -j ACCEPT
> $IPC -A output -i $EXTIF -p 50 -d {addr.of.remote.VPN} -j ACCEPT
You need to enable Protocol 51 as well.
>
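The reply's point is that IPsec carries its data in ESP (IP protocol 50) and AH (IP protocol 51), which are neither UDP nor TCP, so the rules have to match on protocol number, and that iptables lets stateless rules for those protocols sit alongside stateful rules for everything else. The script below is an added example written for this page, not code from either poster: an iptables ruleset for a Linux router forwarding a LAN client to a remote VPN gateway. It passes IKE (UDP 500), ESP and AH between the two endpoints with stateless rules and handles all other forwarded traffic with connection tracking. Under iptables, routed packets traverse only the FORWARD chain, not the input/forward/output trio of ipchains, so that is the only chain touched. The interface names, the laptop address and the gateway address are assumptions; IPT defaults to "echo iptables" so the script prints the rules it would load, and running it as root with IPT=iptables applies them.

```shell
#!/bin/sh
# Added example, not from the original thread: iptables rules for a Linux
# router that forwards an IPsec client on the LAN to a remote VPN gateway.
# IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) get stateless rules
# between the two endpoints; everything else forwarded is handled statefully.
# All names and addresses below are assumptions for illustration.
# IPT defaults to "echo iptables" (print only); set IPT=iptables to apply.

IPT="${IPT:-echo iptables}"
EXTIF="${EXTIF:-eth0}"            # interface toward the Internet (assumed)
INTIF="${INTIF:-eth1}"            # interface toward the LAN (assumed)
LAPTOP="${LAPTOP:-192.168.1.10}"  # the VPN client on the LAN (assumed)
VPNGW="${VPNGW:-203.0.113.5}"     # the remote VPN gateway (assumed, TEST-NET-3)

# ESP and AH carry no port numbers, so match them on protocol number and
# the two endpoints explicitly rather than relying on port-based state.
ipsec_forward_rules() {
    for proto in 50 51; do
        $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -p "$proto" -s "$LAPTOP" -d "$VPNGW" -j ACCEPT
        $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$proto" -s "$VPNGW" -d "$LAPTOP" -j ACCEPT
    done
    # IKE negotiation runs over UDP port 500 in both directions.
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -p udp -s "$LAPTOP" -d "$VPNGW" --dport 500 -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p udp -s "$VPNGW" -d "$LAPTOP" --sport 500 -j ACCEPT
}

# Stateful handling for all other forwarded traffic: replies and related
# packets are allowed, new flows only from the LAN outward, the rest dropped.
stateful_forward_rules() {
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Reset the FORWARD chain and load the stateless IPsec rules ahead of the
# stateful ones, so the protocol-50/51 matches are hit before the final DROP.
build_ruleset() {
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    ipsec_forward_rules
    stateful_forward_rules
}

build_ruleset
```

This covers the case where the router forwards the laptop's ESP packets unchanged. As the reply says, a masquerading router is a different matter: ESP has no port field for MASQ to rewrite, which is why a separate IPsec MASQ facility was needed. If the client's "transparent tunneling" option is in use instead, the IPsec traffic is wrapped in UDP or TCP on the port the client is configured for, and the forward rules would have to match that port rather than protocol 50.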