Re: [VF][Users] Checkpoint FW1 and FreeSwan 1.99

From: Shyamal Thatte (sthatte_at_madasafish.com)
Date: Sat Dec 28 2002 - 09:52:03 CET


Hello again,

Julio,

you are right about me wanting to use the alias. But I am using a
road-warrior-like configuration, as my access to the outside world is by dial-up,
so the interface in my case is ppp0. Also, could you please tell me how to open up
UDP port 500?
I have added the following line to the /etc/ppp/firewall-standalone file:
ipchains -A input -l -i $EXTIF -d $ANY 500 -p udp -j ALLOW
but it does not seem to work.

I don't seem to have any iptables rules, as the output of
iptables -L is:
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Doug,

Could you please tell me how you have implemented your solution, so I can try it
out until CheckPoint provide some mechanism for connections from Linux. I tried the
CheckPoint beta for SecureClient, but that is not what I need as we do not use policies.

Thanks for the information.

Regards
Shyamal


Hi all,

I have FreeS/WAN running in a few places but have never been able to get
it to hook up to Checkpoint. We run Checkpoint at my office and one of
the options that was proposed by Checkpoint was a site-to-site VPN; most
security officers are pretty down on this one. The SecuRemote client
provides some of the user authentication functionality which is missing
from a site-to-site setup. The SecuRemote clients that Checkpoint
uses are only really for roadwarriors; there isn't an equivalent
Unix/Linux product. We solved this problem for our Unix guys with a
static NATted SSH portal and used FW-1 to restrict what sites could
actually even initiate a connection. This solved our Unix client
problem; it's a little work but it does not have the complexity of
multiple site-to-site VPNs.

There may be other options; if so I would love to hear them. This one
works for sure, though, if you need an interim solution.

Doug Leece
Calgary Alberta

-----Original Message-----
From: jsa62_at_tid.es
Sent: Thursday, December 26, 2002 2:51 PM
To: users_at_lists.freeswan.org <mailto:users_at_lists.freeswan.org>
Subject: Re: [VF][Users] Checkpoint FW1 and FreeSwan 1.99

Hello Shyamal..

Let me see if I have understood well..

You don't really have that IP 192.168.168.168, so you have created an IP
alias on the interface.. isn't it?? I do IP aliases on interfaces by doing
ifconfig eth0:1 12.12.12.12 netmask 255.255.255.252 up for example...

It also seems, looking at the ipsec verify output, that you
have locally closed UDP port number 500, because it puts BLOCKED ..
Maybe you have iptables rules for denying, or rather not accepting, UDP
traffic on that port .. needed for the IKE interchange..

I don't really know if FreeS/WAN accepts interface aliases .. but the output
when you try to enable the connection seems to be a problem of that
kind; it seems to be a problem with the left or right directives.

Hope it helps.

Cheers
-------------
Julio Saura Alejandre
Servicios Ip de Banda Ancha
Telefónica I+D (913374993)

------------------------------------------------------------------------

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
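Both the question at the top of the thread (how to open UDP port 500 on ppp0 with ipchains) and Julio's diagnosis (ipsec verify reporting port 500 as BLOCKED) come down to the same packet-filter policy. The script below is an added example, not code from the original posts or from the FreeS/WAN project: it emits the rules an IPsec peer needs on one external interface, for either ipchains or iptables, without applying them. The interface name, the rule layout and the use of /proc/net/ip_fwchains and /proc/net/ip_tables_names to tell the two filters apart are assumptions for this example.

```shell
#!/bin/sh
# Constructed example: print the filter rules an IPsec/IKE peer needs on
# one external interface. Nothing is applied unless the output is piped
# into sh, so the rule set can be reviewed before it touches the firewall.

# IKE negotiates on UDP/500; the tunnel itself carries ESP (IP protocol 50)
# and, if AH is used, protocol 51. Drop any of these on the external
# interface and "ipsec verify" reports UDP 500 as BLOCKED and the
# connection never comes up.
ike_rules_iptables() {
    extif="$1"
    printf '%s\n' \
      "iptables -A INPUT  -i $extif -p udp --dport 500 -j ACCEPT" \
      "iptables -A OUTPUT -o $extif -p udp --sport 500 -j ACCEPT" \
      "iptables -A INPUT  -i $extif -p 50 -j ACCEPT" \
      "iptables -A OUTPUT -o $extif -p 50 -j ACCEPT" \
      "iptables -A INPUT  -i $extif -p 51 -j ACCEPT" \
      "iptables -A OUTPUT -o $extif -p 51 -j ACCEPT"
}

# Same policy for an ipchains firewall (e.g. /etc/ppp/firewall-standalone).
# ipchains has no ALLOW target; the accepting target is ACCEPT, and the
# port is written after the address (-d addr/mask port).
ike_rules_ipchains() {
    extif="$1"
    printf '%s\n' \
      "ipchains -A input  -i $extif -p udp -d 0.0.0.0/0 500 -j ACCEPT" \
      "ipchains -A output -i $extif -p udp -s 0.0.0.0/0 500 -j ACCEPT" \
      "ipchains -A input  -i $extif -p 50 -j ACCEPT" \
      "ipchains -A output -i $extif -p 50 -j ACCEPT"
}

# Pick the filter actually loaded in the running kernel (assumption: the
# /proc entries below exist for kernels of that era). On 2.4 the ipchains
# and ip_tables modules are mutually exclusive, which is why "iptables -L"
# can show empty chains while ipchains rules are still filtering traffic.
detect_filter() {
    if [ -e /proc/net/ip_fwchains ]; then
        echo ipchains
    elif [ -e /proc/net/ip_tables_names ]; then
        echo iptables
    else
        echo none
    fi
}

# Emit the rules for whichever filter is present (iptables when unknown).
ike_rules() {
    case "$(detect_filter)" in
        ipchains) ike_rules_ipchains "$1" ;;
        *)        ike_rules_iptables "$1" ;;
    esac
}

# Usage:  sh ike_rules.sh ppp0        # print the rules for review
#         sh ike_rules.sh ppp0 | sh   # apply them
if [ -n "${1:-}" ]; then
    ike_rules "$1"
fi
```

Run it with the dial-up interface name (ppp0 here) and check the output before piping it into sh; if the machine really is on ipchains, the emitted rules use ACCEPT rather than ALLOW, which is the only target ipchains understands for permitting traffic.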



This archive was generated by hypermail 2.1.5 : Sun Dec 29 2002 - 05:21:19 CET