[isf-wifidog] Huge problems with Cisco VPN (IPsec)
Max Horváth
max.horvath at maxspot.de
Mon 12 June 04:19:09 EDT 2006
Okay, so that's the problem:
the original Linksys firmware doesn't use any (iptable) command to
enable ipsec pass through ... it just uses a command to disable ipsec
passthrough:
iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j DROP
So where should I be inserting the opposite command of it in the
gateway source?
Any help very appreciated.
Cheers, Max!
Max Horváth wrote:
>
> Right now I gotta go to bed - tomorrow morning I'll write which
> commands are being used in the DD-WRT distro ... using them could
> be all we need to use in the wifidog gateway ...
>
> Cheers, Max!
>
> Max Horváth wrote:
>
>>
>> Well, in DD-WRT IPsec pass through works by loading the modules
>> ip_conntrack_proto_gre and ip_nat_proto_gre ... I loaded them ...
>> and I also added the iptables commands to the normal forward and
>> input rule - but it doesn't work - I guess it must be done directly
>> in the wifidog gateway ...
>>
>> Mina Naguib wrote:
>>
>>>
>>> I believe CISCO's client is an IPSEC implementation. Last time I
>>> played with IPSEC my blood pressure shot through the roof.
>>>
>>> I'm in no position to preach to end-users and their employers
>>> about the neatness of OpenVPN, so I won't even go there.
>>>
>>> Simply put, IPSEC is not exactly typical-end-user-behind-a-NAT
>>> friendly (standard rewriting problems where the protocol depends
>>> on IP addresses coded inside the packet payload itself - remember
>>> how active FTP broke behind NAT until the linux kernel became
>>> "ftp-aware"?)
>>>
>>> In the official Linksys firmware there's an "IPSEC PassThrough"
>>> checkbox that addresses this issue. I'm not sure what the
>>> OpenWRT equivalent would be.
>>>
>>> On 11-Jun-06, at 4:53 PM, Max Horváth wrote:
>>>> Hey folks,
>>>>
>>>> we got huge problems with people wanting to use their Cisco VPN
>>>> client. It just doesn't connect to the VPN server.
>>>>
>>>> I guess it's a problem with the iptables command of the gateway.
>>>>
>>>> How could this problem be solved?
>>>>
>>>> Cheers, Max!
>>>
>>>
>>> _______________________________________________
>>> WiFiDog mailing list
>>> WiFiDog at listes.ilesansfil.org
>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>
>>
>>
>
>
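The rule set Max is asking about, written out as an added example; it is not code from the thread or from the WiFiDog project. It assumes the gateway's WAN and LAN interface names are in $WAN and $LAN, and that these rules are inserted (-I) ahead of whatever the gateway itself appends to FORWARD.

```shell
#!/bin/sh
# Added example, not from the thread or the WiFiDog project.
# Assumptions (not on the page): WAN/LAN interface names come from
# $WAN and $LAN, and the gateway appends its own FORWARD rules later.
WAN="${WAN:-eth0}"
LAN="${LAN:-br0}"

# The original Linksys firmware disables passthrough with one DROP:
#   iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j DROP
# Letting IPsec through a NAT gateway needs three things to pass:
#   IKE    UDP/500      key exchange
#   NAT-T  UDP/4500     ESP wrapped in UDP once NAT is detected
#   ESP    IP proto 50  only when the client does not use NAT-T
# Only LAN-initiated traffic is opened; replies come back through
# conntrack. UDP 500/4500 are tracked per port, so several clients
# work. Raw ESP is tracked by address pair only, so without NAT-T
# only one client per remote gateway can be NATed reliably.
ipsec_passthrough_rules() {
    cat <<EOF
iptables -I FORWARD -i $LAN -o $WAN -p udp --dport 500 -j ACCEPT
iptables -I FORWARD -i $LAN -o $WAN -p udp --dport 4500 -j ACCEPT
iptables -I FORWARD -i $LAN -o $WAN -p 50 -j ACCEPT
iptables -I FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the rules, or only print them when DRY_RUN=1 so they can be
# reviewed before touching a live gateway.
apply_ipsec_passthrough() {
    ipsec_passthrough_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "$rule"
        else
            eval "$rule"
        fi
    done
}

# Check: how many IPsec ACCEPT rules are present in the live FORWARD
# chain (prints 0 when nothing has been applied or iptables is absent).
count_ipsec_rules_present() {
    iptables -S FORWARD 2>/dev/null | grep -c -E -- '-p (udp|50) .*-j ACCEPT' || true
}
```

Run with DRY_RUN=1 first to see the exact commands; the DROP from the Linksys firmware must also be absent, since a matching DROP placed earlier in FORWARD would still win.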