Connection to SonicWall VPN through Linux IPTABLES Firewall/Proxy
ajkessel_at_gmail.com
Date: 10/31/05
Date: 31 Oct 2005 06:04:37 -0800
I've set up a very simple iptables firewall/proxy box and have been
unable to connect to a SonicWall VPN server from behind that box. This
problem seems to have come up several times in this newsgroup and
others but none of the posted suggestions have helped.

The connection is failing at the initial stage--the error is "The Peer
is not responding to phase 1 ISAKMP requests," which I understand to be
a generic error that doesn't give much insight into the problem.

The relevant rules on the proxy Linux box are as follows:

    iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

(where eth0 faces the WAN and eth1 faces the LAN).

So it's about as simple as you can get. I previously used a DSL router
to do NAT and that worked fine without any special configuration--so
what is different in my simple iptables setup from that router?

I was informed by sysadmin that UDP port 500 needs to be forwarded, so
I tried this additionally:

    iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
    iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT

and also:

    iptables -A INPUT -p 50 -i eth0 -j ACCEPT
    iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT

But none of those additional rules affected the result. I'm not even
clear why they would be necessary if the proxy is forwarding all
packets.

I'd appreciate any advice about how to troubleshoot this.

(In case it's not obvious--the SonicWALL VPN Client is running on a
Windows box).

Running Debian sarge, kernel 2.6.8.
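
Added example (not part of the original post): a simplified model of which filter-table chain a packet traverses on the firewall box, applied to the rules quoted above. The sample packets are constructed, the chain policies are assumptions because the post does not state them, and the nat table and connection tracking are left out.

```python
# Simplified netfilter model: picks the filter-table chain for a packet and
# evaluates the rules quoted in the post. The packets below are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                   # "udp" or "esp" (IP protocol 50)
    in_if: Optional[str]         # None = generated by the firewall itself
    out_if: Optional[str]        # None = addressed to the firewall itself
    sport: Optional[int] = None
    dport: Optional[int] = None

# (chain, match criteria, target), in the order given in the post
RULES = [
    ("FORWARD", {"in_if": "eth1", "out_if": "eth0"}, "ACCEPT"),
    ("INPUT",  {"proto": "udp", "in_if": "eth0", "sport": 500, "dport": 500}, "ACCEPT"),
    ("OUTPUT", {"proto": "udp", "out_if": "eth0", "sport": 500, "dport": 500}, "ACCEPT"),
    ("INPUT",  {"proto": "esp", "in_if": "eth0"}, "ACCEPT"),
    ("OUTPUT", {"proto": "esp", "out_if": "eth0"}, "ACCEPT"),
]

def chain_for(pkt):
    """Local origin -> OUTPUT, local delivery -> INPUT, routed through -> FORWARD."""
    if pkt.in_if is None:
        return "OUTPUT"
    if pkt.out_if is None:
        return "INPUT"
    return "FORWARD"

def verdict(pkt, policies):
    """Return (chain, verdict, index of matching rule or None if policy decided)."""
    chain = chain_for(pkt)
    for i, (rule_chain, match, target) in enumerate(RULES):
        if rule_chain == chain and all(getattr(pkt, k) == v for k, v in match.items()):
            return chain, target, i
    # No rule matched: the chain policy applies (built-in default is ACCEPT).
    return chain, policies.get(chain, "ACCEPT"), None

# Constructed IKE packets as seen in the filter table of the firewall box.
IKE_REQUEST = Packet("udp", "eth1", "eth0", 500, 500)   # LAN client -> VPN peer
IKE_REPLY = Packet("udp", "eth0", "eth1", 500, 500)     # VPN peer -> LAN client
TO_FIREWALL = Packet("udp", "eth0", None, 500, 500)     # addressed to the box itself

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):                   # assumed FORWARD policies
        for name, pkt in (("request", IKE_REQUEST), ("reply", IKE_REPLY)):
            print(policy, name, verdict(pkt, {"FORWARD": policy}))
```

In this model both routed IKE packets are evaluated in FORWARD only, so the INPUT and OUTPUT rules are consulted just for traffic to or from the firewall box itself; the reply direction (eth0 to eth1) matches no quoted rule and is decided by the FORWARD policy.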