[NCLUG] NAT/SNAT rules for Linux version 8 iptables for IPSec/VPN tunnels

Gabriel L. Somlo somlo at acns.colostate.edu
Tue Dec 31 14:36:52 MST 2002


Hey shawnk,

Assuming the two ends of your ipsec tunnel are on the opposite sides
of your Linux firewall, you need to allow *forwarding* of ipsec
traffic, e.g.:

# ike key negotiation
iptables -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
# ESP - the ipsec encrypted traffic itself (IP protocol 50)
iptables -A FORWARD -p 50 -j ACCEPT
# you may need to also enable this, but it's unlikely
# AH - the ipsec authenticated, but unencrypted traffic (IP protocol 51)
iptables -A FORWARD -p 51 -j ACCEPT

Now, this being said, if your firewall does SNAT, you can only have
one IPSEC tunnel at any given time, which means you can only use one
box behind the NAT machine as a VPN client at any given time.

Also, if you want to run a VPN "server", i.e., something you connect
to from the outside, and it's not the NAT/firewall box itself, you'll
have to set up DNAT, i.e., any time you receive udp/500 or protocol
50/51 traffic from the outside, you need to forward it to the one
designated ipsec server on the inside. Nevermind this if all you want
is to connect to an external VPN box from a client behind your NAT
machine...

Another thing you may want to consider is having the NAT box itself be
the VPN "client", using something like freeswan (freeswan.org), and
then any box behind the firewall can talk to the network on the other
end of the VPN tunnel without needing to run any VPN software. Beware,
however, that freeswan is a bitch to set up when talking to anything
but another freeswan box. Reports exist of it talking to Windows
machines, Cisco VPN concentrators, etc., but from looking at them it
doesn't sound easy :)

Good luck,

Gabriel

On Tue, Dec 31, 2002 at 02:01:40PM -0700, Shawn Kaczmarek wrote:
> I have a Linux version 8 firewall with iptables set up just fine.
> 
> I need to support a VPN tunnel from clients to servers.
> 
> The machine certificates seem fine but the IPSec going through the firewall
> seems to be a problem.
> 
> 
> Does anyone have some iptables shell scripts that set up the firewall for
> VPNs?
> 
> The VPN server is a Windows 2000 unit.
> 
> Thanks much in advance.
> 
> shawnk
> 
> shawnk at verinet.com
> 
> _______________________________________________
> NCLUG mailing list       NCLUG at nclug.org
> 
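The rules from the reply above, collected into a runnable script as an added example (this is not code from the original post). It covers both cases the reply describes: plain forwarding for a client behind the NAT box, and DNAT of udp/500, ESP (protocol 50) and AH (protocol 51) to one designated inside server. The interface names eth0/eth1 and the inside address 192.168.1.10 are assumptions. By default IPT is set to "echo iptables" so the script only prints the commands it would run; set IPT=iptables (as root) to apply them. Note that these rules pass only raw ESP/AH; they do not cover UDP-encapsulated IPsec (NAT traversal on udp/4500), which did not exist as a standard when this thread was written.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the iptables rules for
# a Linux NAT/firewall box with an IPsec peer on each side of it.
# IPT defaults to a dry run ("echo iptables"); set IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# Assumed (hypothetical) interfaces and addresses:
WAN_IF="${WAN_IF:-eth0}"                 # outside interface
LAN_IF="${LAN_IF:-eth1}"                 # inside interface
VPN_SERVER="${VPN_SERVER:-192.168.1.10}" # inside box acting as IPsec server

# Case 1: a client behind the NAT box talks to an external VPN peer.
# The firewall only has to let the three IPsec components through FORWARD.
ipsec_forward_rules() {
    # IKE: key negotiation, UDP port 500 on both sides
    $IPT -A FORWARD -p udp --sport 500 --dport 500 -j ACCEPT
    # ESP (IP protocol 50): the encrypted tunnel traffic itself
    $IPT -A FORWARD -p 50 -j ACCEPT
    # AH (IP protocol 51): authenticated-only traffic; rarely needed
    $IPT -A FORWARD -p 51 -j ACCEPT
}

# Case 2: the VPN "server" is an inside host, not the NAT box. Anything
# arriving on the outside interface as IKE, ESP or AH is rewritten to the
# designated inside server; the FORWARD rules above then let it through.
ipsec_dnat_rules() {
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 500 \
        -j DNAT --to-destination "$VPN_SERVER"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p 50 \
        -j DNAT --to-destination "$VPN_SERVER"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p 51 \
        -j DNAT --to-destination "$VPN_SERVER"
}

# Usage: ./ipsec-fw.sh forward   (client behind NAT)
#        ./ipsec-fw.sh server    (inside host is the IPsec server)
case "${1:-}" in
    forward) ipsec_forward_rules ;;
    server)  ipsec_forward_rules; ipsec_dnat_rules ;;
esac
```

Run it with no IPT set first and read the printed commands before applying them; the DNAT rules only make sense if exactly one inside host is the server, which is the limitation the reply points out.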