Re: VPN / ipchains / masquerade linux 2.4.22

From: Torsten Stauder (audio07_at_t-online.de)
Date: 10/20/03


Date: Mon, 20 Oct 2003 02:24:38 +0200

Hi!

Recently I've read something about that. The problem is NAT. NAT
manipulates the IP packets and that's not "allowed". There's just one way:
you have to encapsulate (masq) ESP packets into UDP packets. For that reason
you have to have IPsec NAT-traversal support compiled into your kernel. But that's
only possible for the ESP protocol, whereas in the case of AH it's not.
Initially I thought it's just a few config lines to add but... well... it's
not that easy.
But I didn't test it yet... it's just what I've read about...

"Thijs Metsch" <thijs@lxnet.org> wrote in message
news:1e16cec5.0310190244.49c0b83f@posting.google.com...
> Hey all together,
>
> I know this is kind of annoying, but again I have a question about
> VPN masquerading with ipchains.
>
> Okay, let's start with my network setup:
>
> Win/VPN Client
> Win/other Client ---> Linux / iptables masq --> internet --> VPN
> Server
> ...
>
> The internal IP addresses are all some kind of 192.168.203.*
>
> The Linux box is up with a 2.4.22 kernel. The following ipchains rules are now
> inserted:
>
> ipchains -L
> Chain input (policy ACCEPT):
> Chain forward (policy DENY):
> target prot opt source destination ports
> MASQ all ------ 192.168.203.0/24 anywhere n/a
> Chain output (policy ACCEPT):
>
> So everything internal is routed to external.
>
> Now this is what I want:
> The VPN won't connect to the VPN server of my work. It's a Nortel
> client with IPsec and says something about: can't get banner.
>
> Now I already know that I have to open port 500. Now ipchains -L
> says:
>
> Chain input (policy ACCEPT):
> target prot opt source destination ports
> ACCEPT udp ------ anywhere anywhere any -> isakmp
> Chain forward (policy DENY):
> target prot opt source destination ports
> MASQ all ------ 192.168.203.0/24 anywhere n/a
> Chain output (policy ACCEPT):
>
> So port 500 is quite open. Now the VPN client still says the same.
>
> What should I do? Do I have to open another set of ports? I can't
> really get a clue from the documents located at:
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
>
> Can anybody help and tell what to do next?
>
> thanks in advance
>
> -Thijs Metsch
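The point Torsten makes above, that masquerading breaks AH but ESP can be carried through NAT once it is wrapped in UDP, is easy to see in a toy model. The following Python is an added example written for this archive page; it is not code from either poster, from the Nortel client or from the masquerade HOWTO. It simplifies both protocols: the AH integrity check is an HMAC over the IPv4 header with the RFC 4302 mutable fields zeroed plus the payload (the AH header itself is omitted), the ESP integrity check covers only SPI, sequence number and ciphertext as in RFC 4303, and the UDP encapsulation follows RFC 3948, where ESP travels on UDP port 4500 and IKE on the same port is prefixed with a four-byte zero "non-ESP marker". The key, addresses, SPI and payloads are all constructed sample values.

```python
"""Toy model: why a masquerading NAT breaks AH but not UDP-encapsulated ESP."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"          # sample integrity key, not from any real SA
IPV4_FMT = "!BBHHHBBH4s4s"             # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
NAT_T_PORT = 4500                      # RFC 3948 UDP port for both IKE and ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks an IKE message on port 4500


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0x1234):
    """20-byte IPv4 header; checksum is left 0 because it is mutable anyway."""
    return struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(hdr):
    """RFC 4302 zeroes TOS, flags/fragment offset, TTL and checksum before hashing.
    The source address is immutable, so a NAT rewrite changes the hashed input."""
    f = list(struct.unpack(IPV4_FMT, hdr))
    f[1], f[4], f[5], f[7] = 0, 0, 0, 0
    return struct.pack(IPV4_FMT, *f)


def ah_icv(ip_hdr, payload):
    return hmac.new(KEY, zero_mutable_fields(ip_hdr) + payload, hashlib.sha256).digest()[:12]


def ah_verify(ip_hdr, payload, icv):
    return hmac.compare_digest(ah_icv(ip_hdr, payload), icv)


def esp_packet(spi, seq, ciphertext):
    """SPI + seq + (already encrypted) payload, ICV over the ESP part only."""
    body = struct.pack("!II", spi, seq) + ciphertext
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:12]


def esp_verify(esp):
    body, icv = esp[:-12], esp[-12:]
    return hmac.compare_digest(hmac.new(KEY, body, hashlib.sha256).digest()[:12], icv)


def nat_rewrite_source(ip_hdr, new_src):
    """What the masquerading box does to the inner source address."""
    f = list(struct.unpack(IPV4_FMT, ip_hdr))
    f[8] = socket.inet_aton(new_src)
    return struct.pack(IPV4_FMT, *f)


def udp_encapsulate(payload, src_port=NAT_T_PORT, is_ike=False):
    """Wrap IKE or ESP in a UDP datagram bound for port 4500 (UDP checksum left 0)."""
    data = (NON_ESP_MARKER if is_ike else b"") + payload
    return struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(data), 0) + data


def nat_rewrite_udp_port(datagram, new_src_port):
    """Now the NAT has a port to translate, which bare ESP (protocol 50) never offered."""
    return struct.pack("!H", new_src_port) + datagram[2:]


def udp_decapsulate(datagram):
    """Return ('ike', msg) or ('esp', packet). A real SPI is never 0, so the marker is unambiguous."""
    _, _, length, _ = struct.unpack("!HHHH", datagram[:8])
    data = datagram[8:length]
    if data[:4] == NON_ESP_MARKER:
        return "ike", data[4:]
    return "esp", data


def demo():
    payload = b"constructed transport payload"
    # AH: the ICV covers the source address, so the receiver rejects the masqueraded packet.
    hdr = ipv4_header("192.168.203.10", "203.0.113.5", 51, 24 + len(payload))
    icv = ah_icv(hdr, payload)
    natted = nat_rewrite_source(hdr, "198.51.100.7")
    # ESP in UDP: the NAT rewrites the UDP source port, the ESP ICV is untouched.
    esp = esp_packet(spi=0x1000ABCD, seq=1, ciphertext=b"\x9a" * 32)
    wire = nat_rewrite_udp_port(udp_encapsulate(esp), 61234)
    kind, recovered = udp_decapsulate(wire)
    ike_kind, ike_msg = udp_decapsulate(udp_encapsulate(b"IKE-SA-INIT", is_ike=True))
    return {
        "ah_ok_before_nat": ah_verify(hdr, payload, icv),
        "ah_ok_after_nat": ah_verify(natted, payload, icv),
        "esp_ok_after_nat": kind == "esp" and esp_verify(recovered),
        "ike_demuxed": ike_kind == "ike" and ike_msg == b"IKE-SA-INIT",
    }


if __name__ == "__main__":
    print(demo())
```

For the firewall in the question this means that opening UDP 500 (isakmp) is only half of what NAT traversal needs: the encapsulated ESP and the IKE messages that follow both travel on UDP 4500, and bare ESP (IP protocol 50) has no port for the masquerading code to translate at all.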