[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Max Horváth max.horvath at maxspot.de
Lun 12 Juin 09:08:09 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Well, according to the openwrt thread you posted to..
>
> http://forum.openwrt.org/viewtopic.php?id=5918
>
> "IMHO for being sure about what kind of traffic / port you have to forward
> you should try installing tcpdump on your wrt (ipkg install tcpdump) and
> try to see what happens when you try to connect with your vpn client.
>
> Probably if ipsec-over-udp is used you should add something like this in
> /etc/firewall.user
>
> iptables -t nat -A prerouting_rule -i $WAN -p udp --dport 500 -j DNAT --to-destination your.client.ip

Well, this command won't be usable, because we cannot decide which IP to DNAT to ...


> iptables        -A input_rule      -i $WAN -p udp --dport 500 -j ACCEPT"

Sure, but it doesn't help ...

> Code:
> ### Tunnel PPTP, VPN
> iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
> iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
> iptables        -A output_rule             -p 47               -j ACCEPT
> iptables        -A input_rule              -p 47               -j ACCEPT
> iptables        -A forwarding_rule         -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
> iptables        -A output_rule     -o ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
> iptables        -A input_rule      -i ppp+ -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT
> iptables        -A forwarding_rule -i ppp+ -o $WAN -j ACCEPT

Again, I don't think those rules are helpful ...

Mina, do you confirm that we should be adding a line like

> iptables        -A input_rule      -i $WAN -p udp --dport 500 -j ACCEPT"

and

> iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 1723 -j ACCEPT
> iptables        -A input_rule      -i $WAN -p tcp --dport 1723 -j ACCEPT
> iptables        -A output_rule             -p 47               -j ACCEPT
> iptables        -A input_rule              -p 47               -j ACCEPT

for each client being authenticated to the gateway?

IMO this should fix the issues ...

I'm just not too sure where exactly to add the lines in the gateway's source. And I'm not too sure which lines to use.

Unfortunately I won't have time until tomorrow to work on / fix this issue myself :( ...

Any help is very appreciated ...

Cheers, Max!

>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Okay, so that's the problem:
>>
>> the original Linksys firmware doesn't use any (iptable) command to
>> enable ipsec pass through ... it just uses a command to disable ipsec
>> passthrough:
>>
>> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j DROP
>>
>> So were should I be inserting the opposite command of it in the
>> gateway source?
>>
>> Any help very appreciated.
>>
>> Cheers, Max!
>>
>> Max Horváth wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Right now I gotta go to bed - tomorrow morning I'll write which
>>> commands are being used in the DD-WRT distro ... using them could
>>> be all we need to use in the wifidog gateway ...
>>>
>>> Cheers, Max!
>>>
>>> Max Horváth wrote:
>>>
>>>> -----BEGIN PGP SIGNED MESSAGE-----
>>>> Hash: SHA1
>>>>
>>>> Well, in DD-WRT IPsec pass through works by loading the modules
>>>> ip_conntrack_proto_gre and ip_nat_proto_gre ... I loaded them ...
>>>> and I also added the iptables commands to the normal forward and
>>>> input rule - but it doesn't work - I guess it must be done directly
>>>> in the wifidog gateway ...
>>>>
>>>> Mina Naguib wrote:
>>>>
>>>>>
>>>>> I believe CISCO's client is an IPSEC implementation.  Last time I
>>>>> played with IPSEC my blood pressure shot through the roof.
>>>>>
>>>>> I'm in no position to preach to end-users and their employers
>>>>> about the neatness of OpenVPN, so I won't even go there.
>>>>>
>>>>> Simply put, IPSEC is not exactly typical-end-user-behind-a-NAT
>>>>> friendly (standard rewriting problems where the protocol depends
>>>>> on IP addresses coded inside the packet payload itself - remember
>>>>> how active FTP broke behind NAT until the linux kernel became
>>>>> "ftp-aware"?)
>>>>>
>>>>> In the official Linksys firmware there's an "IPSEC PassThrough"
>>>>> checkbox that addresses this issue.  I'm not sure what the
>>>>> OpenWRT equivalent would be.
>>>>>
>>>>> On 11-Jun-06, at 4:53 PM, Max Horváth wrote:
>>>>>> Hey folks,
>>>>>>
>>>>>> we got huge problems with people wanting to use their Cisco VPN
>>>>>> client. It just doesn't connect to the VPN server.
>>>>>>
>>>>>> I guess it's a problem with the iptables command of the gateway.
>>>>>>
>>>>>> How could this problem be solved?
>>>>>>
>>>>>> Cheers, Max!
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> WiFiDog mailing list
>>>>> WiFiDog at listes.ilesansfil.org
>>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>>
>>>>
>>>> -----BEGIN PGP SIGNATURE-----
>>>> Version: GnuPG v1.4.1 (Darwin)
>>>>
>>>> iD8DBQFEjJQy+BKgC+eQ3ooRAiPCAJ9HUom0eJxgtHTXKYr2t8uPO2IUugCfRQj5
>>>> MdIHSDw5wkRghqQigrppQ7Y=
>>>> =djzu
>>>> -----END PGP SIGNATURE-----
>>>>
>>>
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.1 (Darwin)
>>>
>>> iD8DBQFEjJXk+BKgC+eQ3ooRAlgvAKCJZWz3wWvn9S1b/WtKWzVhcRyzoACdHxwY
>>> r9h+L5VAneIwvjBKfq47cMs=
>>> =lXV9
>>> -----END PGP SIGNATURE-----
>>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.1 (Darwin)
>>
>> iD8DBQFEjSN++BKgC+eQ3ooRArg7AJwLdgw4E9CUBNqt55Z1U+mebTMaaACcDM7i
>> gKFdWU1zP/GDI5QhFNOqjB0=
>> =zH5z
>> -----END PGP SIGNATURE-----
>>
>
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEjWc6+BKgC+eQ3ooRAh4UAJ9AZpl7z9xVtJdAX+v+bQ1v3T2ZdwCeIMhj
LQk5Cq1HEvNRI5rSUSYiOG4=
=HsAJ
-----END PGP SIGNATURE-----

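The OpenWrt post quoted in the message above gives the right first step: capture the client's traffic on the gateway with tcpdump and derive the rules from what is actually on the wire, because IKE (UDP 500), NAT-T (UDP 4500), bare ESP (IP protocol 50) and PPTP (TCP 1723 plus GRE, protocol 47) each need different treatment. Two points worth keeping in mind while reading the rules traded in the thread: the gateway only forwards the tunnel and is not the IPsec endpoint, so accepting UDP 500 in input_rule or DNATing it to a client does nothing for passthrough, and bare ESP carries no port numbers, so plain NAT cannot track it without an ESP conntrack helper, which is why NAT-T and the Cisco client's UDP encapsulation exist (the GRE modules DD-WRT loads help PPTP, not IPsec). The script below is an added example, not code from the wifidog project or from anyone in the thread. It assumes the OpenWrt chain names used in the thread (forwarding_rule), that $WAN names the upstream interface, that UDP 10000 is the Cisco client's default "IPSec over UDP" port, and it works on a constructed sample capture rather than a real trace.

```shell
#!/bin/sh
# Added example, not code from the wifidog project or from anyone in the thread.
# Classify the VPN traffic seen in a tcpdump capture on the gateway and print
# the passthrough rules that traffic needs, instead of guessing at rule sets.
#
# Assumptions: OpenWrt-style chains (forwarding_rule) as in the thread; $WAN is
# the upstream interface; UDP 10000 is the Cisco client's default "IPSec over
# UDP" port; the capture at the bottom is constructed, not a real trace.

WAN="${WAN:-vlan1}"

# Map one "tcpdump -n" line to a protocol token. Order matters: anything on
# UDP 4500 is NAT-T even though the line also says "isakmp" or "ESP(", and it
# is handled by a single UDP rule.
classify_line() {
    case "$1" in
        *".4500 > "*".4500:"*|*"NONESP-encap"*|*"UDP-encap"*) echo natt ;;
        *".500 > "*".500:"*|*"isakmp"*)                       echo ike ;;
        *".10000 > "*".10000:"*)                              echo cisco_udp ;;
        *": ESP("*)                                           echo esp ;;
        *": AH("*)                                            echo ah ;;
        *".1723: Flags"*)                                     echo pptp ;;
        *": GREv"*)                                           echo gre ;;
        *)                                                    echo other ;;
    esac
}

# Read a capture on stdin; print each protocol token seen once, sorted.
protocols_in() {
    while IFS= read -r line; do
        classify_line "$line"
    done | grep -v '^other$' | sort -u
}

# Outbound rule for one token. The gateway forwards the tunnel and is not its
# endpoint, so nothing is added to input_rule and nothing is DNATed.
rules_for() {
    case "$1" in
        natt)      echo "iptables -A forwarding_rule -o $WAN -p udp --dport 4500 -j ACCEPT" ;;
        ike)       echo "iptables -A forwarding_rule -o $WAN -p udp --dport 500 -j ACCEPT" ;;
        cisco_udp) echo "iptables -A forwarding_rule -o $WAN -p udp --dport 10000 -j ACCEPT" ;;
        # Bare ESP/AH have no ports: plain NAT cannot track them without an
        # ESP conntrack helper. The GRE modules named in the thread only help
        # PPTP, never IPsec.
        esp)       echo "iptables -A forwarding_rule -o $WAN -p 50 -j ACCEPT" ;;
        ah)        echo "iptables -A forwarding_rule -o $WAN -p 51 -j ACCEPT" ;;
        pptp)      echo "iptables -A forwarding_rule -o $WAN -p tcp --dport 1723 -j ACCEPT" ;;
        gre)       echo "iptables -A forwarding_rule -o $WAN -p 47 -j ACCEPT" ;;
    esac
}

# One reply rule covers the return direction of every flow conntrack has seen.
reply_rule() {
    echo "iptables -A forwarding_rule -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Capture on stdin -> complete rule set on stdout.
passthrough_rules() {
    protocols_in | while IFS= read -r proto; do rules_for "$proto"; done
    reply_rule
}

# Constructed sample capture ("tcpdump -n" format), not a real trace: one client
# doing IKE then NAT-T, one doing bare ESP, one doing PPTP, and unrelated web
# traffic that must be ignored.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.50.500 > 203.0.113.10.500: isakmp: phase 1 I agg
12:00:01.200002 IP 192.168.1.50.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:01.400003 IP 192.168.1.50.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 100
12:00:02.000004 IP 192.168.1.51 > 203.0.113.10: ESP(spi=0x1f2e3d4c,seq=0x7), length 116
12:00:03.000005 IP 192.168.1.52.40000 > 203.0.113.30.1723: Flags [S], seq 1, win 65535, length 0
12:00:03.100006 IP 192.168.1.52 > 203.0.113.30: GREv1, call 1, seq 1, length 40: LCP, Conf-Request
12:00:04.000007 IP 192.168.1.53.33000 > 203.0.113.20.80: Flags [S], seq 1, win 65535, length 0'

printf '%s\n' "$SAMPLE_CAPTURE" | passthrough_rules
```

On a live gateway the sample would be replaced by something like `tcpdump -n -l -i <lan interface> | passthrough_rules` while the client attempts to connect, and the emitted lines belong in /etc/firewall.user. Whether an authenticated client's packets ever reach forwarding_rule depends on where wifidog's own chains sit in FORWARD, which the thread leaves open, so check with `iptables -L FORWARD -v` that the counters on the new rules actually move.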
