[ale] IPSec VPN?
Wandered Inn
esoteric at denali.atlnet.com
Tue May 29 21:10:50 EDT 2001
"Robert L. Harris" wrote:
>
> I remember seeing the mods. I'll need to recompile my kernel. Can
> you send me your scripts?
Here're the chains that are pertinent to ipsec as well as the insmod
line:
/sbin/modprobe ip_masq_ipsec
# Assumed from context (set elsewhere in the script): IPCHAINS is the
# ipchains binary and IPADDR is the firewall's own address.
IPCHAINS=/sbin/ipchains
# I had to duplicate these lines for each possible vpn server ip.
VPN_SVR=IP_ADDR_OF_VPN_SRV
# IKE (ISAKMP) key exchange: UDP port 500 both ways, masqueraded only
# for the single internal host (172.16.10.201) that runs the VPN client.
$IPCHAINS -A forward -j MASQ -p udp -s 172.16.10.201/32 500 \
-d $VPN_SVR/32 500 -i ppp0
$IPCHAINS -A output -j ACCEPT -p udp -s $IPADDR/24 500 \
-d $VPN_SVR/32 500 -i ppp0
$IPCHAINS -A input -j ACCEPT -p udp -s $VPN_SVR/32 500 \
-d $IPADDR/24 500 -i ppp0
# ESP (IP protocol 50) carries the encrypted traffic and has no port
# numbers; the ip_masq_ipsec module loaded above is what lets MASQ
# handle it. Inbound ESP is accepted only from the named VPN server.
$IPCHAINS -A forward -j MASQ -p 50 -s 172.16.10.201/32 \
-d $VPN_SVR/32 -i ppp0
$IPCHAINS -A output -j ACCEPT -p 50 -s $IPADDR/24 \
-d $VPN_SVR/32 -i ppp0
$IPCHAINS -A input -j ACCEPT -p 50 -s $VPN_SVR/32 \
-d $IPADDR/24 -i ppp0
>
> Robert
>
> Thus spake Wandered Inn (esoteric at denali.atlnet.com):
>
> > "Joseph A. Knapka" wrote:
> >
> > > I'm not sure if this is actually going to work, but I can't see why
> > > it won't. Of course, you can't masquerade IPsec packets, because the
> > > firewall doesn't know how to compute the checksums appropriately,
> > > since they're encrypted with a key the masq firewall doesn't know (I
> > > think), but forwarding packets without masquerading them should not
> > > cause any trouble. I'll let you know how it goes.
> >
> > Actually, there are modules to permit you to deal with ipsec. I
> > currently have two different vpn solutions for work, one is pptp, the
> > other ipsec. Both are connecting to corporate networks through my
> > masq/nat firewall setup. Both work fine.
> >
> > If you read the firewall, ipsec and vpn howtos, you can set this up.
> > I'd be glad to share my ipchains that do the ipsec and or pptp stuff
> > with anyone that is interested. You'll need the mods too though.
> >
> > >
> > > -- Joe
> > >
> > >
> > > -- Joseph A. Knapka
> > > "If I ever get reincarnated... let me make certain I don't come back
> > > as a paperclip." -- protagonist, H Murakami's "Hard-boiled Wonderland"
> > > // Linux MM Documentation in progress:
> > > // http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
> > > * Evolution is an "unproven theory" in the same sense that gravity is. *
> > > --
> > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> >
> > --
> > Until later: Geoffrey esoteric at denali.atlnet.com
> >
> > "Great spirits have always found violent opposition from mediocre minds.
> > The latter cannot understand it when a man does not thoughtlessly submit
> > to hereditary prejudices but honestly and courageously uses his
> > intelligence."
> > - Albert Einstein
>
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris | Micros~1 :
> Senior System Engineer | For when quality, reliability
> at RnD Consulting | and security just aren't
> \_ that important!
> DISCLAIMER:
> These are MY OPINIONS ALONE. I speak for no-one else.
> FYI:
> perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
--
Until later: Geoffrey esoteric at denali.atlnet.com
"Great spirits have always found violent opposition from mediocre minds.
The latter cannot understand it when a man does not thoughtlessly submit
to hereditary prejudices but honestly and courageously uses his
intelligence."
- Albert Einstein
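The six ipchains rules Geoffrey posted, modelled in Python as an added example (this is editor-supplied code, not part of the original message or of any project). It reduces ipchains matching to chain, protocol, interface, CIDR source/destination and optional port, applies first-match-wins with an assumed DENY policy on each chain, and uses constructed sample addresses (203.0.113.10 and 172.16.10.1) in place of $VPN_SVR and $IPADDR, which the message leaves unset. Running it shows what the rule set actually admits: IKE (UDP 500) and ESP (protocol 50) are masqueraded only for the single client host 172.16.10.201, inbound ESP is accepted only from the named VPN server, and everything else falls through to the policy.

```python
# Added example (not from the original e-mail): a small model of the six
# ipchains rules in the message, used to check what they admit and deny.
# Simplifications: chain + protocol + interface + CIDR + optional port
# matching, first match wins, DENY chain policy assumed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

UDP, ESP = 17, 50   # IP protocol numbers: IKE rides on UDP/500, ESP is protocol 50
IKE_PORT = 500


@dataclass(frozen=True)
class Rule:
    chain: str                  # "input", "output" or "forward"
    target: str                 # "ACCEPT" or "MASQ"
    proto: int
    src: str                    # CIDR, as given to -s
    dst: str                    # CIDR, as given to -d
    iface: str                  # -i
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    chain: str
    proto: int
    src: str
    dst: str
    iface: str
    sport: Optional[int] = None
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if pkt satisfies every selector of rule (ports only when the rule names them)."""
    if (rule.chain, rule.proto, rule.iface) != (pkt.chain, pkt.proto, pkt.iface):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def build_rules(vpn_svr: str, ipaddr: str, lan_host: str = "172.16.10.201") -> List[Rule]:
    """The six rules from the message with $VPN_SVR and $IPADDR filled in."""
    fw_net = f"{ipaddr}/24"     # written as $IPADDR/24 in the message
    srv = f"{vpn_svr}/32"
    host = f"{lan_host}/32"
    return [
        Rule("forward", "MASQ",   UDP, host,   srv,    "ppp0", IKE_PORT, IKE_PORT),
        Rule("output",  "ACCEPT", UDP, fw_net, srv,    "ppp0", IKE_PORT, IKE_PORT),
        Rule("input",   "ACCEPT", UDP, srv,    fw_net, "ppp0", IKE_PORT, IKE_PORT),
        Rule("forward", "MASQ",   ESP, host,   srv,    "ppp0"),
        Rule("output",  "ACCEPT", ESP, fw_net, srv,    "ppp0"),
        Rule("input",   "ACCEPT", ESP, srv,    fw_net, "ppp0"),
    ]


def verdict(rules: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule decides, as in ipchains; otherwise the chain policy applies."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return policy


if __name__ == "__main__":
    # Constructed sample addresses standing in for $VPN_SVR and $IPADDR.
    rules = build_rules("203.0.113.10", "172.16.10.1")
    cases = {
        "IKE from the VPN client host":     Packet("forward", UDP, "172.16.10.201", "203.0.113.10", "ppp0", 500, 500),
        "ESP from the VPN client host":     Packet("forward", ESP, "172.16.10.201", "203.0.113.10", "ppp0"),
        "ESP from another LAN host":        Packet("forward", ESP, "172.16.10.202", "203.0.113.10", "ppp0"),
        "ESP arriving from the VPN server": Packet("input",   ESP, "203.0.113.10", "172.16.10.1", "ppp0"),
        "ESP arriving from elsewhere":      Packet("input",   ESP, "198.51.100.7", "172.16.10.1", "ppp0"),
    }
    for label, pkt in cases.items():
        print(f"{label:34s} -> {verdict(rules, pkt)}")
```

The point of the model is the scope check: because the forward rules name a /32 client host and the input rules name a /32 server, a second LAN host or an unrelated remote peer sending ESP gets the chain policy rather than a free pass through the masquerading firewall.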