[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Max Horváth max.horvath at maxspot.de
Mon 12 Jun 04:19:09 EDT 2006



Okay, so that's the problem:

the original Linksys firmware doesn't use any (iptables) command to  
enable IPsec pass through ... it just uses a command to disable IPsec  
passthrough:

iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j DROP

So where should I be inserting the opposite command of it in the  
gateway source?

Any help very appreciated.

Cheers, Max!

Max Horváth wrote:

>
> Right now I gotta go to bed - tomorrow morning I'll write which  
> commands are being used in the DD-WRT distro ... using them could  
> be all we need to use in the wifidog gateway ...
>
> Cheers, Max!
>
> Max Horváth wrote:
>
>>
>> Well, in DD-WRT IPsec pass through works by loading the modules  
>> ip_conntrack_proto_gre and ip_nat_proto_gre ... I loaded them ...  
>> and I also added the iptables commands to the normal forward and  
>> input rule - but it doesn't work - I guess it must be done directly  
>> in the wifidog gateway ...
>>
>> Mina Naguib wrote:
>>
>>>
>>> I believe CISCO's client is an IPSEC implementation.  Last time I  
>>> played with IPSEC my blood pressure shot through the roof.
>>>
>>> I'm in no position to preach to end-users and their employers  
>>> about the neatness of OpenVPN, so I won't even go there.
>>>
>>> Simply put, IPSEC is not exactly typical-end-user-behind-a-NAT  
>>> friendly (standard rewriting problems where the protocol depends  
>>> on IP addresses coded inside the packet payload itself - remember  
>>> how active FTP broke behind NAT until the linux kernel became  
>>> "ftp-aware"?)
>>>
>>> In the official Linksys firmware there's an "IPSEC PassThrough"  
>>> checkbox that addresses this issue.  I'm not sure what the  
>>> OpenWRT equivalent would be.
>>>
>>> On 11-Jun-06, at 4:53 PM, Max Horváth wrote:
>>>> Hey folks,
>>>>
>>>> we got huge problems with people wanting to use their Cisco VPN  
>>>> client. It just doesn't connect to the VPN server.
>>>>
>>>> I guess it's a problem with the iptables command of the gateway.
>>>>
>>>> How could this problem be solved?
>>>>
>>>> Cheers, Max!
>>>
>>>
>>> _______________________________________________
>>> WiFiDog mailing list
>>> WiFiDog at listes.ilesansfil.org
>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>
>>
>>
>
>

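The "opposite command" the thread is looking for, written out as an added example (this is not code from the wifidog project, Linksys or DD-WRT). It removes the Linksys DROP rule quoted above and then allows only the flows an IPsec client behind NAT actually needs: IKE on UDP 500, NAT traversal on UDP 4500 and ESP (IP protocol 50), with return traffic limited to connections the tracker has already seen leave the WAN side. The GRE conntrack/NAT modules mentioned earlier in the thread track GRE, which PPTP uses, not IPsec, so they do not help here. Assumptions that are not in the thread: the WAN interface name is passed as the first argument, and the iptables binary can be overridden through IPT (IPT=echo prints the commands instead of running them, which is how it can be previewed without root).

```shell
#!/bin/sh
# Added example, not wifidog/DD-WRT/Linksys code.
# Replaces the Linksys "disable IPsec passthrough" rule with explicit
# ACCEPT rules for the three IPsec flows a client behind NAT needs.
#
# Assumptions (not from the thread): WAN interface is $1, and IPT may be
# set to "echo" to print the rules instead of applying them.

IPT="${IPT:-iptables}"

# Remove the rule quoted in the thread, if it is present. -D needs the
# exact rule specification; a failure just means the rule was not there.
remove_ipsec_block() {
    wan="$1"
    "$IPT" -D FORWARD -o "$wan" -p udp -m udp --dport 500 -j DROP 2>/dev/null || true
}

# Allow outbound IPsec flows from LAN clients and the matching replies.
#   UDP 500  : IKE (ISAKMP) key exchange
#   UDP 4500 : IKE/ESP encapsulated in UDP (NAT traversal, RFC 3948)
#   proto 50 : ESP, used when the client does not negotiate NAT-T
# -I puts the rules at the top of FORWARD so they are evaluated before any
# chain the gateway itself inserts.
ipsec_passthrough_rules() {
    wan="$1"
    "$IPT" -I FORWARD -o "$wan" -p udp -m udp --dport 500 -j ACCEPT
    "$IPT" -I FORWARD -o "$wan" -p udp -m udp --dport 4500 -j ACCEPT
    "$IPT" -I FORWARD -o "$wan" -p esp -j ACCEPT
    # Replies: only packets belonging to a connection already seen outbound,
    # so nothing new can be opened from the WAN side.
    "$IPT" -I FORWARD -i "$wan" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Usage: IPT=echo sh ipsec-passthrough.sh vlan1   (preview)
#        sh ipsec-passthrough.sh vlan1            (apply, as root)
if [ -n "${1:-}" ]; then
    remove_ipsec_block "$1"
    ipsec_passthrough_rules "$1"
fi
```

Because the gateway rewrites the FORWARD chain when it starts, this has to run after wifidog is up (or from the gateway's own firewall setup), otherwise the inserted rules end up behind the gateway's chains and are never reached.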