
[Users] IPSec (VPN), NAT, and IpTables - help.

From: punk (punk_at_sskid.org)
Date: Fri May 17 2002 - 20:07:14 CEST


Hello all,

I'm attempting to build a VPN between 2 firewall gateways, both of which
do NAT and supply private addresses to all gateway clients via DHCP.
My problem is that I can't seem to get IPsec to work correctly. It's
probably just my ipsec.conf or firewall rules. The ultimate goal of the
project is to allow several offices, each connected through a firewall
gateway, to connect to a main DataCenter network via a VPN. So far I can't
seem to be able to ping the address of one private subnet from another
private subnet. Any help would be greatly appreciated.

Here is my ipsec.conf:

config setup
        interfaces="%defaultroute"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn datacenter-anywhere
        left=209.x.x.x # IP of The DataCenter
        leftsubnet=192.168.10.0/24 # Subnet of the Datacenter
        right=%any # Any other machine (offices)
        rightsubnet=192.168.20.0/24 # Subnet of offices (will change per office)
        keyingtries=0
        auth=ah
        auto=start

To my understanding, I should use the exact same ipsec.conf (and
ipsec.secrets) file on both firewall gateways? Correct?

And here are my iptables rules:

#-----------------------------------------------------------------
# Flushing the chains.
iptables -F
iptables -t nat -F
iptables -X
iptables -Z

#-----------------------------------------------------------------
# Policy for chains: DROP everything
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow local device traffic
iptables -A OUTPUT -p ALL -o lo -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT

# NAT Stuff
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ipsec+ -j MASQUERADE

iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -m state --state NEW -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW,INVALID -i eth0 -j DROP

# Ping and friends.
iptables -A OUTPUT -p icmp -j ACCEPT # to both sides.
iptables -A INPUT -p icmp -j ACCEPT

# And also, DHCP, but we can basically accept anything from the inside.
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

#-----------------------------------------------------------------
# Allow IPsec
# IKE negotiations
iptables -A INPUT -p udp -i eth0 --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --sport 500 --dport 500 -j ACCEPT

# ESP encryption and authentication
iptables -A INPUT -p 50 -i eth0 -j ACCEPT
iptables -A OUTPUT -p 50 -o eth0 -j ACCEPT

# AH authentication header
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT

echo 7 > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

-Da Punk

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
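The following is an added example, not part of the message above and not code from the FreeS/WAN project. It shows the NAT rule arrangement that keeps subnet-to-subnet tunnel traffic out of masquerading, beside the weak form, and an `audit_nat` check that can be run over a printed ruleset such as the one posted. The interface names, subnets and the helper names `rule`, `nat_rules`, `tunnel_rules` and `audit_nat` are assumptions for the example. Two caveats a practitioner would want alongside it: `auth=ah` authenticates packets but does not encrypt them, so a tunnel built on AH alone carries office traffic in cleartext and ESP is what provides confidentiality; and a conn whose peer is `%any` cannot be initiated from that side, so it is normally `auto=add` there rather than `auto=start`.

```shell
#!/bin/sh
# Added example (not from the original post or from FreeS/WAN): emit an
# iptables ruleset for a FreeS/WAN gateway that exempts subnet-to-subnet
# tunnel traffic from NAT, and audit a printed NAT chain for that pitfall.
# Interface names and subnets are assumptions; override them via environment.
# Nothing is applied unless APPLY=1; by default the rules are only printed.

PUB_IF=${PUB_IF:-eth0}                     # public interface, IKE/ESP endpoint
LAN_IF=${LAN_IF:-eth1}                     # private LAN interface
LOCAL_NET=${LOCAL_NET:-192.168.20.0/24}    # subnet behind this gateway
REMOTE_NET=${REMOTE_NET:-192.168.10.0/24}  # subnet behind the far gateway
IPT=${IPT:-iptables}

# rule: print one iptables command; execute it only when APPLY=1.
rule() {
    printf '%s\n' "$IPT $*"
    if [ "${APPLY:-0}" = 1 ]; then "$IPT" "$@"; fi
}

# nat_rules: the corrected NAT chain. The weak form it replaces is
#   -t nat -A POSTROUTING -o ipsec+ -j MASQUERADE
# which rewrites the source of packets entering the tunnel to the gateway's
# own address; they then no longer match the leftsubnet/rightsubnet
# selectors and are discarded. Exempting tunnel traffic before any
# MASQUERADE rule is correct both with KLIPS's ipsec0-style interfaces and
# with the in-kernel IPsec stack, where plaintext leaves via the public
# interface and an early "-o eth0 -j MASQUERADE" would also rewrite it.
nat_rules() {
    rule -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    rule -t nat -A POSTROUTING -o "$PUB_IF" -j MASQUERADE
}

# tunnel_rules: admit IKE (UDP/500) and ESP (protocol 50) on the public
# interface, and forward decrypted traffic (handed back on ipsec+ by KLIPS)
# between the two subnets only. AH (protocol 51) is needed only for auth=ah.
tunnel_rules() {
    rule -A INPUT -i "$PUB_IF" -p udp --sport 500 --dport 500 -j ACCEPT
    rule -A OUTPUT -o "$PUB_IF" -p udp --sport 500 --dport 500 -j ACCEPT
    rule -A INPUT -i "$PUB_IF" -p 50 -j ACCEPT
    rule -A OUTPUT -o "$PUB_IF" -p 50 -j ACCEPT
    rule -A FORWARD -i ipsec+ -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    rule -A FORWARD -i "$LAN_IF" -o ipsec+ -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    # Lets hosts on the far subnet reach (e.g. ping) this gateway itself.
    rule -A INPUT -i ipsec+ -s "$REMOTE_NET" -j ACCEPT
}

# audit_nat: read printed iptables commands on stdin. Exit 0 when the NAT
# chain is safe for tunnel traffic, 1 with a PITFALL line on stderr when
# tunnel traffic is masqueraded or MASQUERADE precedes the exemption.
audit_nat() {
    awk '
        /-A POSTROUTING .*-o ipsec[+] .*-j MASQUERADE/ {
            bad = "tunnel traffic is masqueraded (-o ipsec+ -j MASQUERADE)"
        }
        /-A POSTROUTING -s [^ ]+ -d [^ ]+ -j ACCEPT/ { exempt = 1 }
        /-A POSTROUTING .*-j MASQUERADE/ && !exempt && !bad {
            bad = "MASQUERADE appears before any subnet-to-subnet ACCEPT exemption"
        }
        END {
            if (bad) { print "PITFALL: " bad > "/dev/stderr"; exit 1 }
        }
    '
}

# main: the complete ruleset, NAT first so the exemption is in place.
main() {
    nat_rules
    tunnel_rules
}

rules=$(main)
printf '%s\n' "$rules"
if printf '%s\n' "$rules" | audit_nat; then
    echo "audit: tunnel traffic is exempt from NAT" >&2
fi
```

Run it without arguments to review the generated rules, or pipe an existing ruleset into `audit_nat` (for instance the three `-t nat` lines from the message above, which it flags) before applying anything with `APPLY=1`.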



This archive was generated by hypermail 2.1.3 : Mon Jul 29 2002 - 05:20:03 CEST