TCP doesn't enter into it, and NATted IPsec uses UDP port 4500.

Also, one end-point (usually the "hub" of your star topology) can have a
fixed address, and everything else can be dynamic.  In that case, only
the spokes of the star would initiate connections (because the hub
obviously wouldn't know how to address them).


On 10/18/2009 07:28 PM, Tom Mazzotta wrote:
> Darrick,
>
> Thanks for the reply. The reason I need the info is that one of the end 
> points uses a Verizon DSL pipe where the WAN address that they give us is a 
> non-routable IP. I have been able to manage this box remotely by configuring 
> the Verizon virtual firewall GUI to port forward TCP 443 & 22 to the WAN i/f 
> of the astlinux box. I would like to setup an IPsec tunnel between this box 
> and another astlinux box (which has a routable WAN IP), but I need to 
> configure the port forwarding for this to work with Verizon's DSL. After some 
> Google searches it looks like I want UDP 500 and TCP 1723. Is this correct?
>
> I am aware of the requirement of static IPs for both endpoints. At the 
> moment, our ISPs are providing dynamic addressing on both ends, but I'm 
> happy to hard code the addresses that we have at the moment just for testing 
> purposes.
>
> Enjoy your vacation!
>
> -----Original Message-----
> From: Darrick Hartman [mailto:dhart...@djhsolutions.com] 
> Sent: Sunday, October 18, 2009 8:21 PM
> To: AstLinux Users Mailing List
> Subject: Re: [Astlinux-users] IPsec VPN
>
> Tom,
>
> The code that's in the 0.7 branch will automatically enable the 
> appropriate firewall plugin.  For IPsec to currently work, you'll need 
> to have a static IP address (so this won't work on a residential 
> connection if your IP address changes frequently).  In the future we may 
> support 'road-warrior' options.
>
> I'm on vacation this week.  There are a few things we need to clean up 
> yet in the 0.7 branch before we're ready for a beta.  The base works 
> great.  If you build from the devel environment, you can safely take 
> what's in 0.7 and create a working image.  You'll need to disable a few 
> of the default packages to get a small enough image at this point.
>
> Darrick
>
> Tom Mazzotta wrote:
>   
>> When the astlinux box is behind a NAT, what ports/protocol do I need to 
>> forward to the box for IPsec to work with another astlinux box on the 
>> Internet?
>>     
>
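
As an added illustration of the point made above (this is example code, not
part of the original thread or of the AstLinux project), the script below does
two things. First, it checks a list of port forwards the way a reviewer would
before expecting an IPsec tunnel to come up behind NAT: IKE needs UDP 500,
NAT traversal needs UDP 4500, and TCP 1723 is the PPTP control channel, a
different VPN protocol that the Google result conflated with IPsec. Second,
it classifies what actually arrives on UDP 4500 according to RFC 3948, which
is why that single UDP port is enough: once NAT is detected, IKE floats to
4500 with a four-byte zero "non-ESP marker", ESP (IP protocol 50, which has
no ports and so cannot be port-forwarded on its own) is wrapped in the same
UDP stream, and a one-byte 0xFF datagram is a NAT keepalive. The `Forward`
class and the sample rule set are constructed for this example.

```python
"""Port-forward check and UDP/4500 demultiplexing for IPsec NAT traversal.

Added example; not code from the AstLinux project or the mailing-list thread.
"""
from dataclasses import dataclass

IKE_PORT = 500      # ISAKMP / IKE
NAT_T_PORT = 4500   # IKE after NAT detection + UDP-encapsulated ESP (RFC 3947/3948)
PPTP_PORT = 1723    # PPTP control channel: unrelated to IPsec


@dataclass(frozen=True)
class Forward:
    """One port-forward rule on the NAT device (constructed type for this example)."""
    proto: str   # "tcp" or "udp"
    port: int


def check_ipsec_forwards(forwards):
    """Return (ok, findings) for an IPsec peer sitting behind this set of forwards.

    ok is True only when both UDP 500 and UDP 4500 reach the peer; findings
    lists what is missing and which rules do nothing for IPsec.
    """
    have = {(f.proto.lower(), f.port) for f in forwards}
    findings = []
    ok = True
    if ("udp", IKE_PORT) not in have:
        findings.append("missing UDP 500 (IKE): the tunnel cannot negotiate at all")
        ok = False
    if ("udp", NAT_T_PORT) not in have:
        findings.append("missing UDP 4500 (NAT-T): IKE floats here once NAT is "
                        "detected and ESP is carried inside this UDP stream")
        ok = False
    for proto, port in sorted(have):
        if proto == "tcp" and port == PPTP_PORT:
            findings.append("TCP 1723 is PPTP, not IPsec: not needed for this tunnel")
        elif proto == "tcp" and port in (IKE_PORT, NAT_T_PORT):
            findings.append(f"TCP {port} does nothing for IPsec: IKE and NAT-T use UDP")
    return ok, findings


def classify_nat_t_payload(payload: bytes) -> str:
    """Classify the payload of one UDP datagram on port 4500 per RFC 3948.

    - a single 0xFF octet is a NAT keepalive
    - four zero bytes (the non-ESP marker) precede an IKE message
    - anything else starts with an ESP header, whose first field is the SPI
      (SPI values 0..255 are reserved, so a real ESP packet never starts 0x00000000)
    """
    if len(payload) == 1 and payload[0] == 0xFF:
        return "nat-keepalive"
    if len(payload) < 4:
        return "malformed"
    if payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    spi = int.from_bytes(payload[:4], "big")
    return f"esp spi=0x{spi:08x}"


if __name__ == "__main__":
    # Constructed sample: the forwards from the thread (TCP 443 and 22 for
    # management) plus the two ports the Google search suggested.
    proposed = [Forward("tcp", 443), Forward("tcp", 22),
                Forward("udp", 500), Forward("tcp", 1723)]
    ok, findings = check_ipsec_forwards(proposed)
    print("tunnel can come up:", ok)
    for line in findings:
        print(" -", line)

    # Constructed datagrams as they would be seen on UDP 4500.
    for pkt in (b"\xff",
                b"\x00\x00\x00\x00" + bytes(28),          # IKE header follows the marker
                b"\x00\x00\x10\x01\x00\x00\x00\x01"):     # ESP: SPI 0x1001, seq 1
        print(pkt[:4].hex(), "->", classify_nat_t_payload(pkt))
```

Run against the proposed rule set, the check reports the missing UDP 4500
forward and flags TCP 1723 as PPTP; with UDP 500 and UDP 4500 forwarded it
reports no findings. The classifier is the same split a firewall or IDS
sensor has to make when inspecting port 4500, which is why "open UDP 4500"
and "allow ESP" are not interchangeable rules on a NATted path.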


_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
