Koozali.org: home of the SME Server

Legacy Forums => Experienced User Forum => Topic started by: Russell Johnston on April 28, 2002, 07:59:22 PM

Title: Protocol Forwarding for IPSec client
Post by: Russell Johnston on April 28, 2002, 07:59:22 PM
I want to port and protocol forward to a specific box on my network on which I run a Nortel Networks IPSec client for VPN access to my employer's corporate network. I believe I need to direct all traffic with PROTOCOL numbers 47 (GRE), 50 (ESP), and 51 (AH) to this box, and also map across port 500 (IKE) using UDP. Can e-smith (or the underlying RedHat) protocol forward in this manner? And is specific destination address header re-writing necessary for incoming UDP packets, or will it "know" from previous outbound traffic?
Title: Re: Protocol Forwarding for IPSec client
Post by: JD on April 29, 2002, 07:03:53 AM
I also use the Nortel EOC to get to my company's network.
My setup is strictly 3DES with MD5 - there is no AH for my user tunnel.

The SME will correctly allow my workstation to create
a tunnel to my company's host ... without any modification
to IPCHAINS - but I did have to load the ip_masq_ipsec.o
file.

I added the following to the /etc/rc.local file
   insmod /lib/modules/2.2.19-7.0.8/ipv4/ip_masq_ipsec.o
   echo 7 > /proc/sys/net/ipv4/ip_dynaddr

which will always load the ip_masq_ipsec module during boot-up and supports dynamic IP addresses provided by your ISP.

IF YOUR COMPANY REQUIRES AH AND YOU DON'T HAVE DEDICATED (static) IP ADDRESSES - the tunnel will never activate as the AH protocol can NOT be NAT'd by the gateway.

Hope this info helps ....
  my SME box supports multiple users - OK

>>JD<<
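Russell's question of whether the gateway can "know" where inbound packets belong, and JD's point that AH can never be NAT'd, both come down to what the gateway can read in the packet. The following is an added illustration in Python, not the ip_masq_ipsec module's code nor anything posted in this thread: it parses IPv4 headers, flags AH as un-NAT-able because its integrity check covers the outer addresses, pulls the ESP SPI out as the only key available for matching return traffic, and keeps a simplified SPI state table. The pairing rule (the first inbound ESP packet with an unknown SPI is assigned to the oldest LAN host still waiting for a reply) and all addresses and SPIs are constructed assumptions for the example.

```python
import struct
from ipaddress import IPv4Address

GRE, ESP, AH, UDP = 47, 50, 51, 17   # IP protocol numbers named in the thread
IKE_PORT = 500

def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed test packet: minimal 20-byte IPv4 header (checksum left zero), then payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def classify(pkt: bytes) -> dict:
    """Parse the IPv4 header and pull out what a masquerading gateway needs to know."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    payload = pkt[(ver_ihl & 0x0F) * 4:]
    info = {"proto": proto, "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "kind": {GRE: "GRE", ESP: "ESP", AH: "AH", UDP: "UDP"}.get(proto, "other"),
            # AH's integrity check covers the outer IP addresses, so rewriting them breaks the tunnel
            "natable": proto != AH}
    if proto == ESP and len(payload) >= 4:
        info["spi"] = struct.unpack("!I", payload[:4])[0]   # SPI is the first 32 bits of ESP
    if proto == UDP and len(payload) >= 4:
        info["ike"] = IKE_PORT in struct.unpack("!HH", payload[:4])   # IKE on either port
    return info

class EspMasq:
    """Simplified SPI state table (assumption, not the ip_masq_ipsec logic): an outbound ESP
    packet registers a waiting LAN host; the next inbound ESP with an unknown SPI is paired with it."""
    def __init__(self):
        self.inbound_spi = {}   # SPI seen on inbound ESP -> LAN host to forward to
        self.pending = []       # LAN hosts that sent ESP and still await a reply SPI

    def outbound(self, pkt: bytes) -> dict:
        info = classify(pkt)
        if info["kind"] == "ESP" and info["src"] not in self.pending \
                and info["src"] not in self.inbound_spi.values():
            self.pending.append(info["src"])
        return info

    def inbound(self, pkt: bytes):
        """Return the LAN host this packet should be forwarded to, or None if it cannot be."""
        info = classify(pkt)
        if not info["natable"] or info["kind"] != "ESP":
            return None
        if info["spi"] not in self.inbound_spi and self.pending:
            self.inbound_spi[info["spi"]] = self.pending.pop(0)
        return self.inbound_spi.get(info["spi"])
```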
Title: Re: Protocol Forwarding for IPSec client
Post by: Russell Johnston on April 30, 2002, 04:27:28 AM
Very many thanks. It works perfectly, also for multiple machines on my LAN which I had previously thought impossible! I am a little amazed to be honest - I had so much trouble getting this to work for just one PC with my previous Windows system...

-Russell.
Title: Re: Protocol Forwarding for IPSec client
Post by: Shad on May 01, 2002, 03:28:50 AM
The easier way is to issue the following commands:

/sbin/e-smith/config setprop masq ipsec yes
/sbin/e-smith/signal-event remoteaccess-update

-Shad
Title: Re: Protocol Forwarding for IPSec client
Post by: g7pkf on September 18, 2003, 02:41:01 PM
I used the simple way as above and it worked until last Monday week; now it has stopped working, and snort isn't showing anything regarding this connection.

I plugged my laptop into the cable modem directly and I can quite happily connect to my work's VPN. Can anyone give me any ideas as to what's happening, please? Anything else I should check?
This is a test system running SME 6.0 beta 2.