Koozali.org: home of the SME Server

IPSEC pass thru support

Ritchie Logan

Re: IPSEC pass thru support
« Reply #15 on: October 01, 2001, 03:36:18 PM »
Here is a complete dump of my modified 45AllowIPSecMasq file. Everything between the "CUT HERE" lines. Note the line with "HERE" on its own. To qualify what I said in the original post, add the extra line IMMEDIATELY BELOW the existing one.

This should sort out DJ Ramjet and Simon.


==============CUT HERE==========================
{
    local %services = ( masq => $masq );

    my $me = "ipsec";

    my $status = db_get_prop(\%services, 'masq', 'status') || "disabled";
    my $loadme = db_get_prop(\%services, 'masq', $me) || "yes";

    if ( ($status eq "enabled") and ($loadme eq "yes") )
    {
        $OUT = <<'HERE';
    # Accept incoming ESP packets
    # Don't bother about AH packets here, as you can't masq them
    /sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT

    #added by Ritchie 31/05/2001 to allow VPN Client to function
    /sbin/ipchains --append input -p udp -s 0/0 500 -d $OUTERNET 500 -j ACCEPT
HERE
    }
}
==============CUT HERE==========================

Ritchie Logan

Re: IPSEC pass thru support
« Reply #16 on: October 01, 2001, 03:47:17 PM »
Brian Dall,

If you know the IP address of the IPSEC server you are connecting to, then it is feasible that you restrict the incoming IP address in the ipchains command. I haven't really looked at the syntax since May, so I've forgotten it precisely but I think you would replace the 0/0 in BOTH ipchains commands in the 45AllowIPSecMasq file with the IP address of your server.

Check the ipchains HOWTO to be sure you get the syntax right - if you really feel the need to do this...... HOWEVER.....

IPSEC VPN clients are inherently secure in that you REQUEST connection from your client, to a specific server. I can't see how the opening of these ports to the outside world would make your machine vulnerable to attack. Anyone care to comment on this???

Has anyone upgraded to V5.00 yet...... I did post a bug report back in May, so I'm wondering whether this has been fixed in the distro??

Cheers

Ritchie

PS sorry for delays, I've moved house recently and my CM has not yet been reconnected.
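The narrowing Ritchie describes, as an added example that is not part of the thread: a small POSIX shell helper that emits the two input rules from 45AllowIPSecMasq with the 0/0 source replaced by a single VPN peer address. It only prints the ipchains commands for review; the peer address and external address are parameters (the template's $OUTERNET) and nothing is applied to a live firewall.

```shell
#!/bin/sh
# Added example, not from the forum thread or the SME/E-Smith template.
# Prints the ESP and IKE accept rules from 45AllowIPSecMasq, restricted
# to one IPsec peer instead of 0/0. Nothing is executed against ipchains.

# Minimal dotted-quad check so a typo does not become a rule that never matches.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ipsec_input_rules PEER OUTERNET
#   PEER     - address of the IPsec server you connect to (replaces 0/0)
#   OUTERNET - external interface address, as $OUTERNET in the template
ipsec_input_rules() {
    peer=$1; outernet=$2
    valid_ipv4 "$peer" || { echo "bad peer address: $peer" >&2; return 1; }
    # ESP (protocol 50) carries the tunnelled traffic; AH is left out
    # because, as the template notes, it cannot be masqueraded.
    printf '/sbin/ipchains --append input -p 50 -s %s -d %s -j ACCEPT\n' \
        "$peer" "$outernet"
    # IKE negotiation: UDP 500 on both ends.
    printf '/sbin/ipchains --append input -p udp -s %s 500 -d %s 500 -j ACCEPT\n' \
        "$peer" "$outernet"
}

# Usage with constructed sample addresses (documentation ranges, not real hosts):
ipsec_input_rules 192.0.2.10 203.0.113.5
```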

Ritchie Logan

Re: IPSEC pass thru support
« Reply #17 on: October 01, 2001, 04:03:40 PM »
Steve Leeke,

I have had 2 clients behind my firewall connect at the same time with no problems, and no requirement to re-boot at any point. I use the Nortel Extranet Client. Note that these were 2 DIFFERENT clients and users.... my connection, and one of my colleagues. I cannot run 2 concurrent sessions with a single ID from home into the office (ie from 2 different PCs at home), the Nortel Client returns a "Maximum Sessions Reached" error.

Before I switched to E-Smith I was using another server solution, and to achieve VPN connectivity, I used port forwarding rather than masq'ing. The result was that ALL IPSEC traffic (arriving on port 50 and UDP 500 ) was forwarded to a single internal IP address. This meant that only the client running on that IP address was able to connect. One of the major benefits of the E-Smith setup we have here, is that the IPSEC traffic is properly NAT'd and masq'd, meaning that no matter what IP address, or how many clients you have running you should have no problems connecting to a standard setup. Please note that it

As long as you have implemented the setup as above, then I'm afraid I have no idea why you should have these problems.

Ritchie

Simon Vetterli

Re: IPSEC pass thru support
« Reply #18 on: October 02, 2001, 02:07:31 PM »
VPN is working now!!

I tried for a long time to get it working with the E-Smith Server, version 4.1.2, and now with SME 5, with Windows 95, Windows 98 and Windows 98SE as clients.

With these clients I didn't get any connection over VPN. I think the latest DUN (V1.4, USA/Canada version) still has some bugs too.

This morning I tried it with Windows ME, without any special downloads.

And it works fine; OK, I had a very slow connection (19200 bps)...

The settings I used on the clients were:

- One Dial-Up for Internet (eg. over Sunrise/Diax (in Switzerland))
- One Dial-Up for VPN with the following settings:

  General:

  VPN-Server: IP address you see from outside the network
  Microsoft VPN-Adapter

  Security:
  Login-Name/Password as used on the VPN-Server
  Domain: as used for the LAN where the VPN-Server is connected

  Logon on Network enabled
  Encrypted Password? enabled

If you have any questions, please let me know.

Thanks Simon

Dany

Re: IPSEC pass thru support
« Reply #19 on: February 01, 2002, 07:23:40 AM »
I'm using 4.1.2 and an external CISCO 3000 with a Client (WIN2K) running behind E-smith.
I've followed the indications (http://forums.contribs.org/index.php?topic=1855.msg6169#msg6169); I can pass the authentication and it sounds like I'm connected, but I can't reach any server (by IP address or name).

If I disconnect the E-smith box and hook up this machine directly to my cable modem... it works, so I assume that my client is OK!

Any idea on what to check or enable in order to see something working ?

It's so frustrating to be connected to this VPN and not able to do anything.

PS2: Do not hesitate to copy any response to my email address.

Doug McCaughan

Re: IPSEC pass thru support
« Reply #20 on: October 16, 2002, 10:15:24 PM »
As this is an old thread, would the same fix above apply to SME 5.5?

Doug McCaughan

Re: IPSEC pass thru support
« Reply #21 on: October 16, 2002, 11:28:07 PM »
OK. I see in 5.5 they've added Ritchie's fix.

The VPN seems to establish itself. Windows Remote Desktop Connection (the new Terminal Services client) times out.

Would anyone know if this is related?

Thanks.
Doug