Don:
        Heya. Easiest thing to do is grab the echowalll.lrp
package and setup your IPSEC_HOST as per the instructions in
the README.

        To answer your questions...yes, Dachstein (and the others)
can "masq" and "forward" an IPSec connection much like any other
sorta connection *provided* that you have a "VPN kernel" running
(eg, Dachstein-normal or Eiger-VPNMasq from Charles' site) along
with the ip_masq_ipsec.o kernel module loaded. If these are enabled,
your firewall needs to allow *protocol* 50 (not *port* 50) thru, as
well as UDP port-500. Finally, to forward the packets on to an
internal machine, you need to use the "ipfwd" utility which can
handle IP protocol 50, rather than the more common "ipmasqadm"
which only handles IP protocols 6 and 17 (TCP and UDP, respectively).
If you have all 5 of those in place, you can run a VPN client behind
your LEAF firewall/router.
        It's easier than it sounds, honest. Am doing it here right
now, in fact. :)

        Good luck!

-Scott

> Alec Miller wrote:
> >
> > I have had no luck with the Nortel Access Client working thru the Eiger
> > images.  I just had to convince my firewall expert to make an IPSec
> > connection to the actual LRP box from the corporate firewall, but it helps
> > if you work in the IT dept.
> >
> > I do have a friend that got his Nortel Access Client working thru the
> > Oxygen? (not exactly 100% sure) image.
> >
> > ----- Original Message -----
> > From: Don <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, November 14, 2001 3:23 PM
> > Subject: [Leaf-user] Outbound VPN
> >
> > Hello,
> >
> > I've recently installed Dachstein RC2. Is this version able to masq an ipsec
> > type of VPN connection? Are there any special IPChains rules that I need to
> > enable?
> >
> > I've confirmed that I can connect without the firewall, but cannot from the
> > inside. When I try to connect I can see port 500 being blocked in the log
> > through the weblet interface, then the firewall status goes to "warning".
> >
> > The VPN software is Nortel's Extranet Access Client.
> >
>
> You need to open port 50 & 500; the relevant code in my firewall
> is:
>
> at the top of the input chains
>
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p udp -s $VPNHOST1 500  -d $EXTIP
> /sbin/ipchains -A input -j ACCEPT -i $EXTIF -p 50  -s $VPNHOST1      -d $EXTIP
>
> at the top of the output chains
>
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p udp -s $EXTIP 500  -d $VPNHOST1
> /sbin/ipchains -A output -j ACCEPT -i $EXTIF -p 50  -s $EXTIP      -d $VPNHOST1
>
> where:        EXTIF is eth0 or the one on the internet
>       EXTIP is the external ip assigned by your ISP
>       VPNHOST1 is the ip address of the remote Nortel host
>
> Also must have the VPN masq patch in the kernel
>
> Works fine for me under 3.0.?
>
> Best
>
> Cokey
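The rules Cokey posted and Scott's point about ESP being IP protocol 50 rather than a port, collected into one script as an added example (not from either poster). EXTIF/EXTIP/VPNHOST are placeholders you supply; it covers the module check and the input/output rules only, not the ipfwd step.

```shell
#!/bin/sh
# Added example, not from the thread: ipchains rules letting one remote
# IPSec gateway talk to the LEAF box, plus a check that ip_masq_ipsec is
# loaded. DRY_RUN=1 (the default) prints the commands instead of running them.

# Return success if the ip_masq_ipsec module shows up in /proc/modules.
# The optional argument substitutes another file (used for testing).
ipsec_masq_loaded() {
    modules_file="${1:-/proc/modules}"
    grep -q '^ip_masq_ipsec ' "$modules_file"
}

# Emit (or apply) rules for one remote IPSec host: extif extip vpnhost.
ipsec_passthrough_rules() {
    extif="$1"; extip="$2"; vpnhost="$3"
    if [ "${DRY_RUN:-1}" = 1 ]; then run=echo; else run=; fi
    # IKE/ISAKMP key exchange: UDP port 500, both directions.
    $run /sbin/ipchains -A input  -j ACCEPT -i "$extif" -p udp -s "$vpnhost" 500 -d "$extip"
    $run /sbin/ipchains -A output -j ACCEPT -i "$extif" -p udp -s "$extip" 500 -d "$vpnhost"
    # ESP is IP *protocol* 50: no port argument and no -p tcp/udp here.
    $run /sbin/ipchains -A input  -j ACCEPT -i "$extif" -p 50 -s "$vpnhost" -d "$extip"
    $run /sbin/ipchains -A output -j ACCEPT -i "$extif" -p 50 -s "$extip" -d "$vpnhost"
}
```

Run with DRY_RUN=0 on the firewall itself to apply the rules; with a VPN kernel and the module loaded, masquerading of ESP from an internal client then works as Scott describes.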

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user