[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Max Horváth max.horvath at maxspot.de
Tue Jun 13 12:29:47 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Anyone?

At which chain should I be adding the command

iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j ACCEPT

?

Please help! :(

Max Horváth wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> So I've been using tcpdump to check what happens:
>
> IP (tos 0x0, ttl  64, id 33541, offset 0, flags [none], length:  
> 892) 10.22.11.176.500 > vpn.***.500: isakmp 1.0 msgid : phase 1 I  
> agg: [|sa] (len mismatch: isakmp 848/ip 864)
>
> Does anybody have an idea how to solve the len mismatch problem?
>
> Cheers, Max!
>
> Max Horváth wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Well,
>>
>> that's the funny part:
>>
>> to make it short - it works if you shut down the gateway.
>>
>> BUT!
>>
>> The internet connection as is only works if(!!!) the two lines in
>> /etc/init.d/S45firewall
>>
>>    iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>>    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
>>
>> get uncommented again. (They must be commented to ensure no port  
>> being open before a client's authorization).
>>
>> So it works.
>>
>> If I start the wifidog gateway again (with those lines still  
>> uncommented) connecting with the Cisco VPN client doesn't work :( ...
>>
>> So I guess we have to add iptables commands to the gateway to make  
>> the VPN pass through work ...
>>
>> Cheers, Max
>>
>> Benoit Gregoire wrote:
>>
>>> On Sunday 11 June 2006 18:07, Max Horváth wrote:
>>>> Well, in DD-WRT IPsec pass through works by loading the modules
>>>> ip_conntrack_proto_gre and ip_nat_proto_gre ... I loaded them ... and
>>>> I also added the iptables commands to the normal forward and input
>>>> rule - but it doesn't work - I guess it must be done directly in the
>>>> wifidog gateway ...
>>>
>>> Did it work with wifidog shutdown?
>>>
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.1 (Darwin)
>>
>> iD8DBQFEjeV0+BKgC+eQ3ooRAkhYAJ92E90gblZhsGYPJrrlakiw8PmixQCcDH0Z
>> 2sj/PNIzQ2BusOZijs3hBjk=
>> =jPAk
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> WiFiDog mailing list
>> WiFiDog at listes.ilesansfil.org
>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (Darwin)
>
> iD8DBQFEjqir+BKgC+eQ3ooRAmSNAJ0cWfq+fxP2viNYf9XDxN9zvVBIIgCfa9Rv
> 9Vxsl6TyLLL5ZD7/hXpehUQ=
> =Sr43
> -----END PGP SIGNATURE-----
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFEjuf7+BKgC+eQ3ooRAv7TAJ0a4nv0exu444VOYc2+soJ9GmZcPgCggRXu
B94MbCxPVLKSW1pr0D7q9es=
=wd+l
-----END PGP SIGNATURE-----
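The rule set below is an added example, not code from the thread or from the WiFiDog project. It assumes two things not stated on the page: that the gateway has already hooked its own chains into FORWARD when this runs, and that the interface names are passed in ($LAN and $WAN in the thread). Two iptables facts drive its shape: rules in a chain are evaluated top to bottom, and `-A` appends at the bottom, so a rule appended after the gateway's jump into its own chains may never be consulted if that chain already disposes of the packet; `-I` with a position puts the rule ahead of it. The example also keeps the opening narrow: instead of re-enabling the blanket `-i $LAN -o $WAN -j ACCEPT` that the thread says must stay commented out (it would bypass client authorization for everything), it admits only what IPsec actually needs, which is IKE on UDP/500, NAT-Traversal on UDP/4500 and ESP (IP protocol 50), plus conntrack-matched replies. The GRE conntrack/NAT modules mentioned earlier in the thread track GRE, the carrier PPTP uses; they do not affect ESP or IKE.

```shell
#!/bin/sh
# Added example (hypothetical; not WiFiDog's own firewall script).
# Emits the minimal IPsec pass-through rules for a captive-portal gateway.
# IPT defaults to "echo iptables" so the script is a dry run; set
# IPT=iptables in the environment to apply the rules on the router.
IPT="${IPT:-echo iptables}"

# Usage: ipsec_passthrough_rules <lan_if> <wan_if>   e.g. br0 eth0 (assumed names)
ipsec_passthrough_rules() {
  [ $# -eq 2 ] || { echo "usage: ipsec_passthrough_rules LAN WAN" >&2; return 1; }
  lan="$1"
  wan="$2"

  # Insert at fixed positions at the top of FORWARD (not -A) so these are
  # evaluated before any chain the gateway has already attached.
  # Outbound from the wireless LAN to the uplink, IPsec control and data only:
  $IPT -I FORWARD 1 -i "$lan" -o "$wan" -p udp --dport 500  -j ACCEPT   # IKE / ISAKMP
  $IPT -I FORWARD 2 -i "$lan" -o "$wan" -p udp --dport 4500 -j ACCEPT   # IKE NAT-T / UDP-encapsulated ESP
  $IPT -I FORWARD 3 -i "$lan" -o "$wan" -p esp               -j ACCEPT   # ESP, IP protocol 50

  # Return traffic: only packets conntrack ties to a flow the LAN side opened.
  # Nothing unsolicited from the uplink is admitted towards clients.
  $IPT -I FORWARD 4 -i "$wan" -o "$lan" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Dry run when executed directly (prints the four commands):
[ "${0##*/}" = "ipsec_passthrough.sh" ] && ipsec_passthrough_rules br0 eth0
```

Whether these rules should instead live inside the gateway's own per-client chains (so that only an authenticated client's IPsec traffic is allowed) depends on how WiFiDog structures its chains, which the thread does not show; the inserts above let the VPN set up before authentication, which is the trade-off the original question implies.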

