Hey Rich,

Thanks so much for the help. I built a new disk, and everything seems to be
working now! Thanks again for helping me out. I really appreciate it.

Chris Hackett

-----Original Message-----
From: Richard Burt [mailto:[EMAIL PROTECTED]]
Sent: Monday, October 01, 2001 5:38 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] Masqueraded IPSec Client

Yes, the ip_masq_ipsec takes care of tracking the connections. Typically only
one pc at a time on your internal net will be able to connect using ipsec.
Otherwise it loses track of what goes where.

Here is how I added the rules. In /etc/ipfilter.conf, I added the line
below. I have included some previous lines so you can get your bearings.
Note, I used 208.140.33.0/24 to limit the number of "good" addresses. My
IPSec client uses a host inside that range. You could very well use 0.0.0.0
and it would work just fine.

    # Clear any garbage rules out of the filters
    ipfilter_flush

    # Set up Fair Queueing classifier lists
    ipfilter_fairq

    # Rule added to allow Protocol 50 for IPSEC forwarding
    $IPCH -I input -j ACCEPT -p 50 -s 208.140.33.0/24 -i eth0

Then in /etc/network.conf I added the same network to the end of UDP
services open to the world. Again substitute 0/0. Note the underscore 500.
That is what tells it port 500.

    # UDP Services open to outside world
    # - srcip/mask_dstport
    # NOTE: bootpc port is used for dhcp client
    EXTERN_UDP_PORTS="0/0_domain 0/0_ntp 0/0_bootpc 208.140.33.0/24_500"

Good luck.
Rich Burt

>From: Chris Hackett <[EMAIL PROTECTED]>
>To: 'Richard Burt' <[EMAIL PROTECTED]>, Chris Hackett <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: RE: [Leaf-user] Masqueraded IPSec Client
>Date: Mon, 1 Oct 2001 16:21:16 -0400
>
>Thanks Rich!
>
>I'll give this a go when I get home this evening, and let you know how it
>goes. Does the ip_masq_ipsec.o module handle the port forwarding that I'm
>guessing is necessary for the UDP port 500 stuff?
>
>Also, if it isn't too much trouble, would you mind sharing with me your
>rules that allow UDP port 500 and protocol 50? I'm thinking my syntax is
>messed up.
>
>Thanks again Rich...
>
>Chris Hackett
>
>-----Original Message-----
>From: Richard Burt [mailto:[EMAIL PROTECTED]]
>Sent: Monday, October 01, 2001 3:37 PM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Re: [Leaf-user] Masqueraded IPSec Client
>
>
>I have this setup working. Going from memory, you will need the vpn kernel
>from Charles' site like the former post mentioned. After copying that
>kernel to the floppy, you will need to replace all your modules. The
>modules on the floppy are not compatible with the vpn kernel. While you are
>downloading those, get the ip_masq_ipsec module. Copy that to the floppy
>and also tell it to load in the modules section. Then make 2 new firewall
>rules. One to allow udp port 500 and one to allow protocol 50. No other
>forwarding rules are necessary.
>
>Rich Burt
>
>
>
> >On Mon, 1 Oct 2001, Chris Hackett wrote:
> >
> >>Hello All,
> >>
> >>I'm guessing that my last post, titled "IPSec, LRP, FreeS/WAN, RedCreek
> >>Personal Ravlin" was too long and had too much information in it, since I
> >>haven't gotten any response. I think I'll try and get right to it.
> >>
> >>Can anyone help me figure out how to configure my LRP box (EigerBeta2) to
> >>allow IPSec traffic through it? I don't want to establish the IPSec tunnel
> >>on the box, but I want the box to allow the tunnel through it.
> >
> >All I know is you need to use an IPSec-masqing-enabled kernel, for example
> >from Charles' kernel archives. You may find additional useful information
> >here: http://jixen.tripod.com/#NATed gateways.
> >

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
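As an added example (not code from this thread or from the LEAF/LRP scripts), a small POSIX shell helper that expands the `srcip/mask_dstport` entries of Rich's EXTERN_UDP_PORTS line into ipchains rule lines, prints the two pass-through IPSec rules (protocol 50 and UDP 500) for a peer network, and lists which UDP ports a configuration opens to the whole world; the function names and the EXT_IF default are assumptions.

```shell
# Added example, not code from the thread or from the LEAF/LRP scripts.
# Expands the network.conf EXTERN_UDP_PORTS list ("srcip/mask_dstport"
# entries, as in Rich's message) into ipchains rule lines and reports which
# UDP ports are open to every source address.  Function names and the
# EXT_IF default are assumptions, not LRP variables.

IPCH="ipchains"   # the $IPCH variable used in /etc/ipfilter.conf
EXT_IF="eth0"     # external interface, as in the protocol-50 rule

# Split one entry at its last underscore: "208.140.33.0/24_500" ->
# source "208.140.33.0/24", port "500".  Returns 1 on a malformed entry.
split_entry() {
    case $1 in
        *_*) src=${1%_*}; port=${1##*_} ;;
        *)   echo "bad EXTERN_UDP_PORTS entry: $1" >&2; return 1 ;;
    esac
}

# One "ipchains -A input" line per entry.  ipchains takes the destination
# port after the -d address, so "-d 0/0 500" means any destination, port 500.
udp_rule_lines() {
    for entry in $1; do
        split_entry "$entry" || return 1
        printf '%s -A input -j ACCEPT -p udp -s %s -d 0/0 %s -i %s\n' \
            "$IPCH" "$src" "$port" "$EXT_IF"
    done
}

# The two rules the thread adds so an internal IPSec client can reach a
# peer on network $1: ESP (protocol 50) and IKE (UDP 500).
ipsec_rules() {
    printf '%s -I input -j ACCEPT -p 50 -s %s -i %s\n' "$IPCH" "$1" "$EXT_IF"
    udp_rule_lines "${1}_500"
}

# Ports whose source is 0/0 (or 0.0.0.0/0): reachable from any address on
# EXT_IF.  Worth reviewing before taking the thread's "use 0/0" shortcut.
world_open_ports() {
    open=""
    for entry in $1; do
        split_entry "$entry" || return 1
        case $src in
            0/0|0.0.0.0/0|0.0.0.0) open="$open $port" ;;
        esac
    done
    printf '%s\n' "${open# }"
}

# Constructed sample input: the line from Rich's message.
EXTERN_UDP_PORTS="0/0_domain 0/0_ntp 0/0_bootpc 208.140.33.0/24_500"
udp_rule_lines "$EXTERN_UDP_PORTS"
ipsec_rules 208.140.33.0/24
echo "open to the world: $(world_open_ports "$EXTERN_UDP_PORTS")"
```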
