Koozali.org: home of the SME Server

IPSEC pass thru support

richard

IPSEC pass thru support
« on: June 05, 2001, 05:32:33 AM »
Can you tell me if the current version of the internet gateway supports IPSEC pass-thru? In short, can I use one IPSEC-compatible client behind this firewall and connect to an external IPSEC gateway (non-e-smith)? I know that there is an issue with IPSEC and masquerading, so I would imagine the answer is no, but any information would be greatly appreciated.

Thanks

Patrick C.

Re: IPSEC pass thru support
« Reply #1 on: June 07, 2001, 06:45:08 AM »
I would love to know this as well. I have the same issue, I need to connect through the E-Smith server to a remote VPN server. Anyone have ideas? Anyone? Thanks.

Ritchie Logan

Re: IPSEC pass thru support
« Reply #2 on: June 11, 2001, 04:40:50 PM »
Here's what I had to do to get IPSEC going. The E-Smith folks nearly got IPSEC running out of the box; it just needs the addition of UDP 500 pass-through. I've adapted some code that was posted earlier on how to either block or pass through port 80.... so apologies to the original author for my blatant pilfering!!

Do all the following and you should find yourself able to connect to an IPSEC server through the E-Smith box.

All lines beginning with ">" are command lines; copy and paste these.

Create the new template directories
>mkdir -p /etc/e-smith/templates-custom/etc
>mkdir -p /etc/e-smith/templates-custom/etc/rc.d
>mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d

Copy the existing templates to the custom area
>cp -rp /etc/e-smith/templates/etc/rc.d/init.d/masq /etc/e-smith/templates-custom/etc/rc.d/init.d/

change to the custom directory
>cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Edit the file 45AllowIPSecMasq, and add the following line below the existing similar one (for the port 50 IP6CRYPT)
ipchains -I input -j ACCEPT -p udp -s 0/0 500

Expand the templates
>/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

Tell e-smith to update the live config.
>/sbin/e-smith/signal-event remoteaccess-update

You don't even need to reboot.... just try to connect from your client.

Let me know how you get on.

Ritchie

Patrick C.

Re: IPSEC pass thru support
« Reply #3 on: June 12, 2001, 09:11:07 AM »
Ritchie is the MAN!   Your solution worked perfect! Thanks so much!

trevor

Re: IPSEC pass thru support
« Reply #4 on: June 15, 2001, 06:45:27 PM »
Thanks.

It worked fine for me too. Made life very easy..

Trevor B

Steve Leeke

Re: IPSEC pass thru support
« Reply #5 on: July 03, 2001, 04:10:28 PM »
What is the equivalent to this for e-smith v4.0 (RH 6.1 base)?  This seems to be e-smith v4.1 specific.

Kevin Brouelette

Re: IPSEC pass thru support
« Reply #6 on: July 16, 2001, 11:55:17 PM »
I tried to put this in the relevant thread.

I have set up IPSec based on the docs posted by Christopher Worthington,
and I'm having problems connecting the 2 gateways.

Here's the relevant text from 'ipsec barf':

Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": prepare-client output: /usr/local/lib/ipsec/_updown: parameters unexpected
Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": prepare-client command exited with status 2
Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": route-client output: /usr/local/lib/ipsec/_updown: parameters unexpected
Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": route-client command exited with status 2

I get this type of error on both gateways.
Thanks

Kevin

Nick Orphan

Re: IPSEC pass thru support
« Reply #7 on: July 31, 2001, 03:03:27 AM »
What do I do if I have no file 45AllowIPSecMasq in my masq directory, after doing the copy?

Ritchie Logan

Re: IPSEC pass thru support
« Reply #8 on: July 31, 2001, 03:38:49 PM »
Are you running E-Smith 4.1.2??

If not, then I think you'll need to upgrade.

Ritchie

Brian Dall

Re: IPSEC pass thru support
« Reply #9 on: September 06, 2001, 11:50:17 AM »
THANK YOU for the detailed instructions!  They worked for me.

Any security issues I should be aware of with the opening of this additional port?  

I know the IP addresses of the remote VPN servers.  Can I limit the opening of the ports to only those servers?

This gets a bit complicated with the Masq and everything else involved, and I THINK I understand what the changes did, but I'm not confident enough to risk tweaking it on my own.

-Brian
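
An added example, not from any post in this thread, that scripts Ritchie's "edit the file 45AllowIPSecMasq" step (Reply #2) and answers Brian's question above about limiting the opening to known remote VPN gateways. It inserts the ipchains rules into the template fragment directly above the line that reads just HERE (the heredoc terminator; a later reply in this thread reports that a rule placed after it breaks the template expansion), skips any rule already present so it can be re-run, and, when peer addresses are given, accepts IKE (UDP 500) and ESP (IP protocol 50, what the post calls "port 50") only from those addresses instead of from 0/0. The `-d 0/0 500` on the UDP rule is an added tightening of Ritchie's original line; the peer address 203.0.113.5, the temporary path and the sample fragment are constructed for the demo and are not the real 45AllowIPSecMasq. Run it against the copy under /etc/e-smith/templates-custom, then expand the template and signal remoteaccess-update exactly as in the post.

```shell
#!/bin/sh
# Added example (not from the thread): generate the ipchains IPSEC pass-through
# rules Ritchie adds by hand and insert them into a masq template fragment
# above its closing HERE marker, optionally restricted to known VPN gateways.
# Peer addresses, the demo path and the sample fragment are constructed.

# Accept "0/0" (any host) or a dotted-quad IPv4 address with octets 0..255.
valid_peer() {
    addr="$1"
    case "$addr" in
        0/0) return 0 ;;
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Rules for one peer: IKE is UDP 500 to 500; ESP is IP protocol 50 (no ports).
# Ritchie's line accepted UDP from any source, source port 500; "-d 0/0 500"
# is an added tightening so only traffic to port 500 is let through.
ipsec_rules_for_peer() {
    printf 'ipchains -I input -j ACCEPT -p udp -s %s 500 -d 0/0 500\n' "$1"
    printf 'ipchains -I input -j ACCEPT -p 50 -s %s\n' "$1"
}

# Rules for every peer given, or for 0/0 (any peer) when none is given.
ipsec_rules() {
    if [ $# -eq 0 ]; then
        ipsec_rules_for_peer 0/0
    else
        for p in "$@"; do
            ipsec_rules_for_peer "$p"
        done
    fi
}

# Insert each rule into the fragment FRAG unless an identical line is already
# there.  Rules go just above the line that is exactly "HERE" (the heredoc
# terminator: anything after it is Perl, not shell, and breaks the expansion);
# if the fragment has no such line the rule is appended at the end.
add_ipsec_rules() {
    frag="$1"; shift
    [ -f "$frag" ] || { echo "add_ipsec_rules: no such fragment: $frag" >&2; return 1; }
    for p in "$@"; do
        valid_peer "$p" || { echo "add_ipsec_rules: bad peer address: $p" >&2; return 1; }
    done
    ipsec_rules "$@" | while IFS= read -r rule; do
        grep -qxF "$rule" "$frag" && continue
        if grep -qx 'HERE' "$frag"; then
            awk -v r="$rule" '$0 == "HERE" && !done { print r; done = 1 } { print }' \
                "$frag" > "$frag.tmp" && mv "$frag.tmp" "$frag"
        else
            printf '%s\n' "$rule" >> "$frag"
        fi
    done
}

# Demo on a constructed fragment (NOT the real 45AllowIPSecMasq): the real
# target is the copy under /etc/e-smith/templates-custom made in the post.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/ipsecmasq.XXXXXX")
demo_frag="$demo_dir/45AllowIPSecMasq"
printf '%s\n' '{' '    $OUT .= <<HERE;' \
    'ipchains -I input -j ACCEPT -p 50 -s 0/0' 'HERE' '}' > "$demo_frag"
add_ipsec_rules "$demo_frag" 203.0.113.5      # constructed remote VPN gateway
cat "$demo_frag"
rm -rf "$demo_dir"
```

With no peer arguments the script reproduces Ritchie's open-to-all rule (plus the ESP line); with one argument per remote VPN server it produces only the narrowed rules, and because ipchains `-I input` inserts at the head of the chain they still take effect before the existing masquerade rules.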

DJ_Ramjet99

Re: IPSEC pass thru support
« Reply #10 on: September 13, 2001, 11:40:09 AM »
Hi,

Is it possible for someone to post a screen dump of this file? No matter how I try entering the additional line, the template will not expand (missing operator errors, barewords etc.), so I suspect my syntax is wrong and I would love to get this humming.

Arend

Re: IPSEC pass thru support
« Reply #11 on: September 17, 2001, 04:38:08 AM »
I had those same errors initially.  I went back through the steps and noticed that I had placed the ipchains line in the 45AllowIPSecMasq file after a line that just had HERE in it.  I moved it above this line and the errors went away and vpn started working properly!

[-TS-]Master_X

Re: IPSEC pass thru support
« Reply #12 on: September 22, 2001, 03:29:22 PM »
Hi

I'm a newbie in Linux and I had to open UDP port 9110 and found your tutorial. It works great and I learned more out of your tut than any other way.

Thanks thanks

Steve Leeke

Re: IPSEC pass thru support
« Reply #13 on: September 27, 2001, 07:22:47 AM »
I'm running SonicWall's VPN client from PCs inside my e-smith LAN, connecting back to the office.

IPSec pass through works fine, but I've noticed that only one VPN client inside can work at a time - and to switch clients I've got to reboot the e-smith server!

Does anyone have an idea of what might be causing this?

Thanks,

Steve

Simon Vetterli

Re: IPSEC pass thru support
« Reply #14 on: September 29, 2001, 12:28:57 PM »
Hi Ritchie

In which line do I have to add

"Edit the file 45AllowIPSecMasq, and add the following line below the existing similar one (for the port 50 IP6CRYPT)

ipchains -I input -j ACCEPT -p udp -s 0/0 500"

And do I leave the other lines?

Waiting for an answer.


Simon Vetterli