Re: [VF][Users] Checkpoint FW1 and FreeSwan 1.99

From: jsa62_at_tid.es
Date: Sat Dec 28 2002 - 12:36:51 CET


Hello Shymal ..

ok,, I see you are using aliasing now ... what I was really trying to
say is that if you are using an IP which is virtual you have to have it
on your ifconfig -a output on the interface you really need it .. do you
put it by hand or is it negotiated by the ppp connection to your office??

Regarding the iptables ..

why do you add the rule using the ipchains command and then try to
display it using iptables -L ?? are you using ipchains as an iptables
wrapper???

you had better use iptables directly, the line should be this one:

[root_at_ankh-morpork root]# iptables -A INPUT -i eth0 -s 0/0 -d 0/0 -p udp --dport 500 -j ACCEPT

[root_at_ankh-morpork root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:isakmp

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root_at_ankh-morpork root]#

try that syntax ... that one worked for me ... depending on which
linux distro you have, the script for auto loading that rule is different,
so try to adapt your script to this valid iptables syntax

I have Red Hat 8.0 and so I have all rules in /etc/sysconfig/iptables...

Once you have defined all iptables rules, type the command iptables-save
.. that command will output the script for writing the
/etc/sysconfig/iptables file correctly ... then configure the iptables service to be
launched at boot time...

this is the way Red Hat does iptables .... I don't know your distro but I
bet my car it will be slightly different ;)

My case is simpler than yours ... I have an ADSL modem performing
NAT and behind it the freeswan gateway with private IP addressing .. so
the only thing I have to do is perform NAT-T ... I am on holiday now, I
will try your case when I'm back at work . I have several Nokias
with Firewall-1 ... I am looking forward to getting my hands on doing IPsec
VPN through Firewall-1 ;)

Hope it helps
Cheers!! :)
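The advice above boils down to "walk the INPUT chain the way netfilter does: first match wins, otherwise the chain policy applies", which is why a rule must sit ahead of any catch-all REJECT and on the interface the IKE packets actually arrive on (ppp0 in Shyamal's case, not eth0). The following is an added example, not code from the thread or from FreeS/WAN: a small evaluator for iptables-save style dumps covering only -i, -p, --dport, -j and wildcard -s/-d. The rulesets are constructed, and UDP/4500 for NAT-T is my assumption; the thread only names UDP/500.

```python
import shlex

# IPsec flows the gateway must accept on its outside interface: UDP/500 (IKE, "isakmp" in
# iptables -L, the thread's topic), ESP (IP proto 50), UDP/4500 (NAT-T; my assumption).
IPSEC_FLOWS = {"ike": ("udp", 500), "esp": ("esp", None), "nat-t": ("udp", 4500)}
FIELDS = {"-i": "iface", "-p": "proto", "--dport": "dport", "-j": "target"}

def parse_input_chain(dump):
    """(chain policies, INPUT rules) from an iptables-save dump; unknown matches raise."""
    policies, rules = {}, []
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith(":"):                  # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A INPUT "):
            argv = shlex.split(line)[2:]          # drop "-A INPUT"
            rule = dict.fromkeys(FIELDS.values())
            for opt, arg in zip(argv[::2], argv[1::2]):
                if opt in FIELDS:
                    rule[FIELDS[opt]] = int(arg) if opt == "--dport" else arg
                elif not (opt in ("-s", "-d") and arg in ("0/0", "0.0.0.0/0")):
                    raise ValueError(f"unsupported match in rule: {line}")
            rules.append(rule)
    return policies, rules

def input_verdict(policies, rules, iface, proto, dport=None):
    """Netfilter semantics: the first matching INPUT rule decides, else the policy."""
    for r in rules:
        if (r["iface"] in (None, iface) and r["proto"] in (None, proto)
                and r["dport"] in (None, dport)):
            return r["target"]
    return policies.get("INPUT", "ACCEPT")

def ipsec_readiness(dump, iface):
    """Verdict for each IPsec flow arriving on iface, e.g. {'ike': 'ACCEPT', ...}."""
    policies, rules = parse_input_chain(dump)
    return {name: input_verdict(policies, rules, iface, proto, port)
            for name, (proto, port) in IPSEC_FLOWS.items()}

# Constructed rulesets (iptables-save format, not from the thread): an INPUT chain that
# rejects unsolicited eth0 traffic, then the same chain with the IKE rule from the
# message and an ESP rule inserted ahead of the catch-all REJECT.
BLOCKING = """*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j REJECT
COMMIT
"""
FIXED = BLOCKING.replace("-A INPUT -i eth0 -j REJECT",
    "-A INPUT -i eth0 -s 0/0 -d 0/0 -p udp --dport 500 -j ACCEPT\n"
    "-A INPUT -i eth0 -p esp -j ACCEPT\n-A INPUT -i eth0 -j REJECT")
```

Running `ipsec_readiness(FIXED, "ppp0")` shows the point about interfaces: none of the eth0 rules match, so the INPUT policy alone decides what happens to IKE on the dial-up link.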

----- Original Message -----
From: Shyamal Thatte <sthatte_at_madasafish.com>
Date: Saturday, December 28, 2002 7:52 am
Subject: Re: [VF][Users] Checkpoint FW1 and FreeSwan 1.99

> Hello again,
>
> Julio,
>
> you are right about me wanting to use the alias. But I am using a
> road warrior like configuration as my access to the outside world
> is by dial-up, so the interface in my case is ppp0. Also could you
> please tell me how to open up UDP port 500?
> I have added the following line to the /etc/ppp/firewall-standalone file
> ipchains -A input -l -i $EXTIF -d $ANY 500 -p udp -j ALLOW
> but it does not seem to work.
>
> I don't seem to have any iptables rules as
> iptables -L (output is)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Doug,
>
> Could you please tell me how you have implemented your solution, so
> I can try it out until CheckPoint provide some mechanism for
> connections from Linux. I tried the CheckPoint beta for SecureClient
> but that is not what I need as we do not use policies.
>
> Thanks for the information.
>
> Regards
> Shyamal
>
>
>
> Hi all,
>
> I have Freeswan running in a few places but have never been able to
> get it to hook up to Checkpoint. We run Checkpoint at my office and
> one of the options that was proposed by Checkpoint was a site to site
> VPN; most security officers are pretty down on this one. The Secure
> Remote client provides some of the user authentication functionality
> which is missing from a site to site setup. The Secure Remote clients
> that Checkpoint uses are only really for roadwarriors; there isn't an
> equivalent Unix/Linux product. We solved this problem for our unix
> guys with a static NATted SSH portal and used FW-1 to restrict what
> sites could actually even initiate a connection. This solved our unix
> client problem; it's a little work but it does not have the complexity
> of multiple site to site VPNs.
>
> There may be other options, if so I would love to hear them, this one
> works for sure though if you need an interim solution.
>
> Doug Leece
> Calgary Alberta
>
>
> -----Original Message-----
> From: jsa62_at_tid.es
> Sent: Thursday, December 26, 2002 2:51 PM
> To: users_at_lists.freeswan.org
> Subject: Re: [VF][Users] Checkpoint FW1 and FreeSwan 1.99
>
>
> Hello Shyamal..
>
> let me see if i have understood well..
>
> you don't really have that ip 192.168.168.168 so you have created an ip
> alias on the interface.. isn't it?? i do ip alias on interfaces by
> doing ifconfig eth0:1 12.12.12.12 netmask 255.255.255.252 up for
> example...
>
> It also seems, looking at the ipsec verify output, that you
> have locally closed udp port number 500, because it puts BLOCKED ..
> maybe you have iptables rules for denying or rather not accepting udp
> traffic on that port .. needed for the ike interchange..
>
> i don't really know if freeswan accepts interface aliases .. but the
> output when you try to enable the connection seems to be a problem
> of that kind, seems to be a problem with the left or right directives.
>
> Hope it helps.
>
> Cheers
> -------------
> Julio Saura Alejandre
> Servicios Ip de Banda Ancha
> Telefónica I+D (913374993)
>
>

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users



This archive was generated by hypermail 2.1.5 : Sun Dec 29 2002 - 05:21:19 CET