Topic: ipchains - IP protocol 50

[Michael Sidenius]

Hi,

Looking at my ipchains table (running 5.5) I noticed that there is an opening in my firewall from the outside on IP protocol 50.

Do anyone know what that is for ? (I have opened for SSH and PPTP, but to my best knowledge they do not use IP protocol 50).

What I actually intend to do is to punch a hole in my firewall allowing IP protocol 50 getting though (with NAT) and letting UDP port 500 getting through. This will be for at special VPN connection from an inside VPN router to a third-party outside network.

But if IP protocol 50 is used by some server in SME 5.5 I guess it could cause some trouble.

So, any clues ?

[schotty]

Well Port 50 is :

re-mail-ck       50/tcp    Remote Mail Checking Protocol
re-mail-ck       50/udp    Remote Mail Checking Protocol

[Michael Sidenius]

Schotty, thanks for your answer, but what I meant was:

IP "PROTOCOL" no. 50.

UDP and TCP are both PROTOCOLS (with no. 6 and 17 I think) and they use "PORTS".

From what I know IP PROTOCOL 50 is used to negotiate the IPSEC protocol setup, which will then run over the UDP protocol (and in this case using UDP PORT 500).

My question was about whether the SME server would use this IP Protocol 50 by itself or whether I could change my ipchains to let it through to the inside (by NAT) to my internal network.

Regards,
Michael

[Nathan Fowler]

Michael, are you wanting to redirect IPSec, or support the masquerading of IPSec?

Protocol 50 is ESP.  

"Encapsulating Security Payload (ESP) protocol, which is designed to provide a mix of security services in IPv4 and Ipv6. ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequenceintegrity), and limited traffic flow confidentiality"

From what I remember of my Linux IPSec experiences, you need to forward UDP 500 and Protcol 47 (GRE).

[Michael Sidenius]

Nathan,

I am trying to masquerade IPSec through the firewall.

I have a local VPN router that needs to connect to a remote peer, through my SME 5.5 server/firewall.

I did open for IP protocols 47,50,51,53 in the "forward" chain by "MASQ" in ipchains, as well as for UDP port 500 (but only from the known trusted IP to where I will connect).

The local VPN router trying to connect is complaining that the remote peer is not answering, and I suspect the firewall to block the answers from the remote peer.

I did test my "firewall punching" by ipchains -C and it tells me that the packets are masqueraded, but the router still can see them. Strange.

All ordinary packets (that is those not supposed to be IPSec tunnelled) go through the VPN router and then through the Firewall without problems (that is ping and WEB traffic). I can see my SME server through the VPN router and I can see the "wan leg" og the VPN router from my SME server and the rest of my local LAN, so that part is covered.

I guess I better go back checking the IPSec negitiation protocol and its numbers.

Michael

[Nathan Fowler]

From what I remember you had to actually port forward protocol 47/50 using a separate utility, because masquerading the protocol wasn't sufficient enough to establish a two-way connection.  I also had to forward 1723/500

I rememeber being in a similiar situation a few years ago, where I actually had to recompile my kernel after applying a patch.  I can't remember if it was on my 4.1.2 version of SMEor one older than that.  I believe the newest versions of SME support the masquerading of IPSEC without a problem, so you don't have to patch the kernel (http://www.linuxsecurity.com/docs/LDP/VPN-Masquerade-HOWTO-2.html#ss2.10)

The Linux VPN Masquerade how-to is located here:  http://www.linuxsecurity.com/docs/LDP/VPN-Masquerade-HOWTO.html

If you're looking for ipportfw, it's changed on your system to "ipmasqadm portfw"

Hope this helped,
Nathan

[Nathan Fowler]

Additionally, you need to follow the directions from:
ftp://ftp.rubyriver.com/pub/jhardin/masquerade/ip_masq_vpn.html

"To do this you will also need the ipportfw port-forwarding kernel patch and configuration tool for 2.0.xx kernels or the ipmasqadm utility for 2.2.xx kernels to forward the initial 500/udp ISAKMP key-exchange and/or 1723/tcp PPTP control channel traffic in to the server, and the IPFwd generic IP forwarding utility to forward the initial IPsec ESP and/or PPTP GRE traffic in to the server. Details are available in the VPN Masquerade HOWTO - please read it. "

More specifically:
You need to get and compile:  http://www.pdos.lcs.mit.edu/~cananian/Projects/IPfwd/

You already should have ipmasqadm on the system...

If you have any other questions let me know, I've been able to get this working but as I've said above, I had to actually apply some kernel patches, recompile, and do some tweaking to get everything up and running.  I'm under the impression the newer versions of SME already have the kernel patches applied, or the newer kernels do not require patching.

Hope this helped,
Nathan

[Michael Sidenius]

Thanks Nathan,

Something tells me I better do a little "home study" here, I thought it was just a matter of tveaking the the ipchains.

Anyhow, I will probaly get back to you when I have covered the basic theory.

Michael

[Charbel]

Hey everyone,

I am confused as to how the ESP and AH protocols work.  More specifically, I know it uses IP protocol 50 and 51, but which ports does it listen on?  Does ESP use port 50 for communication?  is it TCP/50?

Please help.

Thanks,

Charbel