Colin Helliwell wrote:
I have an LRP box (running a Dachstein distribution) which has been working
fine for months doing the 'basic' internet access stuff. I now have a Cisco
VPN client installed on my company laptop and am having trouble getting it
to work through the router to the company server - it is currently failing
in the initial 'IKE' negotiation phase, from what I can tell.
Could anyone please advise on what configuration changes would be needed to
LRP and its filter rules etc to get it connecting? The client software is
configured to use UDP rather than TCP. I have looked at a load of howto's
and previous postings, but they mostly seem to refer to when the router box
is one end of the VPN which I don't think applies in my case - I just need
it to route the traffic between my client and company server.

Any advice much appreciated.

It sounds like you need VPN Masquerading. See the VPN_Masquerade_HOWTO at linuxdoc for a general reference on how to set this up. If you're using the floppy version of Dachstein, the kernel is already set up with the VPN Masquerade patches, so you should be set. The initial IKE exchange should happen between UDP port 500 on both the near and far end, then the actual IPSec traffic (protocol 50 or 51) will get masqueraded by the kernel module (ip_masq_ipsec.o), which you can get from my site if you don't have it already:
http://lrp.steinkuehler.net/files/kernels/Dachstein-small/modules/ipv4/ip_masq_ipsec.o

WARNING: The IPSec masquerade patch (ip_masq_ipsec.o) and kernel level support for IPSec (ipsec.o, used if the firewall is a VPN gateway) are mutually exclusive. You have to make sure the kernel you're using is properly configured for the "flavor" of VPN you want to run (masquerading VPN connections, or running IPSec on the firewall itself). *ALL* Dachstein kernels have the VPN_Masquerade patches applied, but those kernels with -IPSec in the name support IPSec on the firewall, which means they can't masquerade IPSec traffic with ip_masq_ipsec (other VPN protocols, such as pptp, however, can still be masqueraded).

Anyway, in addition to loading the ip_masq_ipsec.o module, you'll need to properly configure your VPN description on both ends. This can get to be a bit confusing, since you need to load the IP address of your firewall, rather than your laptop, in a couple of places. That's probably why the IKE exchange, which uses already-masqueraded UDP 500 traffic, is failing.

Look over the VPN Masquerade HOWTO, make sure you're using the right kernel, and holler if you run into problems getting everything working.
http://www.tldp.org/HOWTO/VPN-Masquerade-HOWTO.html

One more WARNING: You will not be able to masquerade AH (Authentication Header...protocol 51) VPN traffic, if that's what your IPSec client is set up to use. This protocol authenticates *EVERYTHING* in the IP packet, including the IP header (with its source and destination IPs), so masquerading (which replaces the source and/or destination IP field in the header) invalidates the packets. The more commonly used ESP (protocol 50) only authenticates the data portion of the IP packet, and can be successfully masqueraded.

--
Charles Steinkuehler
[EMAIL PROTECTED]
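
The AH-versus-ESP point in the last warning, as an added example that is not part of the original post and not code from the LRP/Dachstein project or ip_masq_ipsec. It is a toy model of the two protocols, not an IPsec stack: the integrity check is HMAC-MD5-96 (RFC 2403), ESP uses NULL encryption (RFC 2410) so the packet stays readable, and the key, the addresses (laptop, firewall, company server) and the inner payload are constructed values. `masquerade()` does what the firewall does to an outbound packet: rewrite the source address to the firewall's own and fix the IP checksum. AH's ICV covers the source address, so the packet fails verification at the far end after masquerading; ESP's ICV starts at the ESP header, so the same rewrite leaves it valid.

```python
"""Toy AH vs ESP under masquerading (added example; HMAC-MD5-96, NULL-cipher ESP)."""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-shared-key"      # constructed sample key, not a real SA
LAPTOP = "192.168.1.10"               # private address behind the LRP box (assumed)
FIREWALL = "203.0.113.5"              # firewall's public address (assumed)
SERVER = "198.51.100.20"              # company VPN server (assumed)
PAYLOAD = b"constructed inner packet" # constructed inner (tunnelled) datagram
AH_PROTO, ESP_PROTO, ICV_LEN = 51, 50, 12


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def hmac_md5_96(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]


def _ah_immutable_ip_header(ip_hdr: bytes) -> bytes:
    # RFC 2402 3.3.3.1: mutable fields (TOS, flags/frag, TTL, checksum) are zeroed
    # for the ICV; src/dst addresses are NOT mutable and stay in the hash.
    return (ip_hdr[:1] + b"\0" + ip_hdr[2:6] + b"\0\0" + b"\0" + ip_hdr[9:10]
            + b"\0\0" + ip_hdr[12:20])


def build_ah_packet(key, src, dst, payload, spi=0x1001, seq=1, inner_proto=17) -> bytes:
    ah_len = 12 + ICV_LEN                                  # fixed header + 96-bit ICV
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + ah_len + len(payload))
    ah_no_icv = struct.pack("!BBHII", inner_proto, ah_len // 4 - 2, 0, spi, seq)
    icv = hmac_md5_96(key, _ah_immutable_ip_header(ip_hdr) + ah_no_icv
                      + bytes(ICV_LEN) + payload)
    return ip_hdr + ah_no_icv + icv + payload


def verify_ah(key, pkt) -> bool:
    ip_hdr = pkt[:20]
    if ip_hdr[9] != AH_PROTO:
        return False
    ah_no_icv, icv, payload = pkt[20:32], pkt[32:44], pkt[44:]
    expected = hmac_md5_96(key, _ah_immutable_ip_header(ip_hdr) + ah_no_icv
                           + bytes(ICV_LEN) + payload)
    return hmac.compare_digest(icv, expected)


def build_esp_packet(key, src, dst, payload, spi=0x2002, seq=1, inner_proto=17) -> bytes:
    pad_len = (-(len(payload) + 2)) % 4                    # 4-byte alignment for NULL cipher
    body = (struct.pack("!II", spi, seq) + payload + bytes(range(1, pad_len + 1))
            + bytes([pad_len, inner_proto]))
    icv = hmac_md5_96(key, body)   # covers ESP header..trailer only, never the IP header
    ip_hdr = ipv4_header(src, dst, ESP_PROTO, 20 + len(body) + ICV_LEN)
    return ip_hdr + body + icv


def verify_esp(key, pkt) -> bool:
    if pkt[9] != ESP_PROTO:
        return False
    body, icv = pkt[20:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, hmac_md5_96(key, body))


def masquerade(pkt: bytes, new_src: str) -> bytes:
    """What the masquerading firewall does: swap the source IP, refresh the checksum."""
    ip_hdr = pkt[:20]
    new_hdr = ip_hdr[:10] + b"\0\0" + socket.inet_aton(new_src) + ip_hdr[16:20]
    new_hdr = new_hdr[:10] + struct.pack("!H", ip_checksum(new_hdr)) + new_hdr[12:]
    return new_hdr + pkt[20:]


def demo() -> dict:
    ah = build_ah_packet(KEY, LAPTOP, SERVER, PAYLOAD)
    esp = build_esp_packet(KEY, LAPTOP, SERVER, PAYLOAD)
    return {
        "ah_before_nat": verify_ah(KEY, ah),
        "ah_after_nat": verify_ah(KEY, masquerade(ah, FIREWALL)),
        "esp_before_nat": verify_esp(KEY, esp),
        "esp_after_nat": verify_esp(KEY, masquerade(esp, FIREWALL)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, ok)
```

Only the outer IP header is rewritten here; a real masquerading module additionally has to map the ESP SPI back to the inside host on the return path, which is the job ip_masq_ipsec does and this toy does not attempt.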

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html