[isf-wifidog] Huge problems with Cisco VPN (IPsec)

ian.white at datamile-computers.com ian.white at datamile-computers.com
Mon 12 Jun 04:26:55 EDT 2006


Well according to the openwrt thread you posted to..

http://forum.openwrt.org/viewtopic.php?id=5918

"IMHO for being sure about what kind of traffic / port you have to forward
you should try installing tcpdump on your wrt (ipkg install tcpdump) and
try to see what happens when you try to connect with your vpn client.

Probably if ipsec-over-udp is used you should add something like this in
/etc/firewall.user

iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 500 -j DNAT --to-destination your.client.ip

iptables        -A input_rule      -i $WAN -p udp --dport 500 -j ACCEPT"

or

Code:
### Tunnel PPTP, VPN
iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
iptables        -A output_rule             -p 47               -j ACCEPT
iptables        -A input_rule              -p 47               -j ACCEPT
iptables        -A forwarding_rule         -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A output_rule     -o ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A input_rule      -i ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT



> Okay, so that's the problem:
>
> the original Linksys firmware doesn't use any (iptable) command to
> enable ipsec pass through ... it just uses a command to disable ipsec
> passthrough:
>
> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j DROP
>
> So where should I be inserting the opposite command of it in the
> gateway source?
>
> Any help very appreciated.
>
> Cheers, Max!
>
> Max Horváth wrote:
>
>> Right now I gotta go to bed - tomorrow morning I'll write which
>> commands are being used in the DD-WRT distro ... using them could
>> be all we need to use in the wifidog gateway ...
>>
>> Cheers, Max!
>>
>> Max Horváth wrote:
>>
>>> Well, in DD-WRT IPsec pass through works by loading the modules
>>> ip_conntrack_proto_gre and ip_nat_proto_gre ... I loaded them ...
>>> and I also added the iptables commands to the normal forward and
>>> input rule - but it doesn't work - I guess it must be done directly
>>> in the wifidog gateway ...
>>>
>>> Mina Naguib wrote:
>>>
>>>>
>>>> I believe CISCO's client is an IPSEC implementation.  Last time I
>>>> played with IPSEC my blood pressure shot through the roof.
>>>>
>>>> I'm in no position to preach to end-users and their employers
>>>> about the neatness of OpenVPN, so I won't even go there.
>>>>
>>>> Simply put, IPSEC is not exactly typical-end-user-behind-a-NAT
>>>> friendly (standard rewriting problems where the protocol depends
>>>> on IP addresses coded inside the packet payload itself - remember
>>>> how active FTP broke behind NAT until the linux kernel became
>>>> "ftp-aware"?)
>>>>
>>>> In the official Linksys firmware there's an "IPSEC PassThrough"
>>>> checkbox that addresses this issue.  I'm not sure what the
>>>> OpenWRT equivalent would be.
>>>>
>>>> On 11-Jun-06, at 4:53 PM, Max Horváth wrote:
>>>>> Hey folks,
>>>>>
>>>>> we got huge problems with people wanting to use their Cisco VPN
>>>>> client. It just doesn't connect to the VPN server.
>>>>>
>>>>> I guess it's a problem with the iptables command of the gateway.
>>>>>
>>>>> How could this problem be solved?
>>>>>
>>>>> Cheers, Max!
>>>>
>>>>
>>>> _______________________________________________
>>>> WiFiDog mailing list
>>>> WiFiDog at listes.ilesansfil.org
>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>
>>>
>>>
>>
>>
>
>
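For the IPsec case the thread keeps circling (the Cisco client is IPsec, and the Linksys firmware only ever adds a DROP for udp/500), here is an added example that is not code from the thread, OpenWrt or WiFiDog: a dry-run /etc/firewall.user fragment for the OpenWrt chain names used above, plus a check that finds a passthrough-blocking rule in an iptables-save dump. The WAN interface name vlan1, the sample dump and the NAT-T port 4500 are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenWrt or WiFiDog. It generates
# forwarding rules that let an IPsec client behind the gateway reach its
# server (IKE, NAT-T, ESP) and checks an iptables-save dump for a rule that
# drops IKE towards the WAN, i.e. the Linksys "disable passthrough" rule
# quoted in the thread. Chain names follow the thread; IPT defaults to
# "echo iptables" so running the script applies nothing.
WAN="${WAN:-vlan1}"              # assumption: WAN interface name
IPT="${IPT:-echo iptables}"      # set IPT=/usr/sbin/iptables to apply

# IKE is udp/500, NAT-T (UDP-encapsulated ESP on udp/4500, assumed here,
# not mentioned in the thread) is what clients fall back to behind NAT, and
# plain ESP is IP protocol 50. Only the forward chain is opened: the router
# itself needs an input rule only when a server behind it is DNATed, which
# is the case the quoted forum post covers.
ipsec_passthrough_rules() {
    $IPT -A forwarding_rule -o "$WAN" -p udp --dport 500 -j ACCEPT
    $IPT -A forwarding_rule -o "$WAN" -p udp --dport 4500 -j ACCEPT
    $IPT -A forwarding_rule -o "$WAN" -p 50 -j ACCEPT
    $IPT -A forwarding_rule -i "$WAN" -p 50 -j ACCEPT
}

# Reads an iptables-save dump on stdin and prints every FORWARD rule that
# drops IKE (udp/500); exits non-zero when none is found.
find_ike_drop_rules() {
    grep -E -- '^-A FORWARD .*-p udp .*--dport 500 .*-j DROP'
}

# Constructed sample dump for the check; not captured from a real router.
SAMPLE_DUMP='*filter
-A FORWARD -o vlan1 -p udp -m udp --dport 500 -j DROP
-A FORWARD -i ppp+ -o vlan1 -j ACCEPT
COMMIT'

# Stand-alone run: show the generated rules, then flag the blocking rule.
ipsec_passthrough_rules
printf '%s\n' "$SAMPLE_DUMP" | find_ike_drop_rules
```

On a real router, run `iptables-save | sh -c '. ./this_script; find_ike_drop_rules'` style checks before adding rules, since an ACCEPT appended after an existing DROP in FORWARD never gets hit.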
