[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Max Horváth max.horvath at maxspot.de
Tue 13 Jun 15:58:57 EDT 2006



Right now it is not an issue of OpenWrt - it works without the WiFiDog gateway ... So it definitely is an issue of the gateway and MUST be fixed in the gateway's source code :( ...

Ian White wrote:

> Judging by the lack of -t, it's in the filter list. I guess it would depend if post validation only etc., or do you add another chain between forwarding rule and WiFiDog_WIFI2Internet to group ports that you want to only for vpn.
>
> vpn does appear to be any issue on openwrt, so I guess it's get vpn working first then add wifidog
>
>
>
> ----- Original Message ----- From: "Max Horváth"  
> <max.horvath at maxspot.de>
> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
> Sent: Tuesday, June 13, 2006 5:29 PM
> Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)
>
>
>
> Anyone?
>
> At which chain should I be adding the command
>
> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j ACCEPT
>
> ?
>
> Please help! :(
>
> Max Horváth wrote:
>
>>
>> So I've been using tcpdump to check what happens:
>>
>> IP (tos 0x0, ttl  64, id 33541, offset 0, flags [none], length:   
>> 892) 10.22.11.176.500 > vpn.***.500: isakmp 1.0 msgid : phase 1 I   
>> agg: [|sa] (len mismatch: isakmp 848/ip 864)
>>
>> Anybody has an idea how to solve the len mismatch problem?
>>
>> Cheers, Max!
>>
>> Max Horváth wrote:
>>
>>>
>>> Well,
>>>
>>> that's the funny part:
>>>
>>> to make it short - it works if you shut down the gateway.
>>>
>>> BUT!
>>>
>>> The internet connection as is only works if(!!!) the two lines in /etc/init.d/S45firewall
>>>
>>>    iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>>>    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
>>>
>>> get uncommented again. (They must be commented to ensure no port being open before a client's authorization).
>>>
>>> So it works.
>>>
>>> If I start the wifidog gateway again (with those lines still uncommented) connecting with the Cisco VPN client doesn't work :( ...
>>>
>>> So I guess we have to add iptables commands to the gateway to make the VPN pass through work ...
>>>
>>> Cheers, Max
>>>
>>> Benoit Gregoire wrote:
>>>
>>>> On Sunday 11 June 2006 18:07, Max Horváth wrote:
>>>>> Well, in DD-WRT IPsec pass through works by loading the modules
>>>>> ip_conntrac_proto_gre and ip_nat_proto_gre ... I loaded them ... and
>>>>> I also added the iptables commands to the normal forward and input
>>>>> rule - but it doesn't work - I guess it must be done directly in the
>>>>> wifidog gateway ...
>>>>
>>>> Did it work with wifidog shutdown?
>>>>
>>>
>>> _______________________________________________
>>> WiFiDog mailing list
>>> WiFiDog at listes.ilesansfil.org
>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>
>>
>>
>
>

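As an added example (not WiFiDog code and not from this thread), the following shell function groups the IPsec pass-through rules in a dedicated chain that is inserted ahead of the gateway's own FORWARD rules, which is the "extra chain between the forwarding rule and WiFiDog_WIFI2Internet" idea from above; it covers IKE on UDP 500, NAT-Traversal on UDP 4500 and ESP itself. The chain name WiFiDog_IPsec, the interface arguments and the IPTABLES dry-run variable are assumptions.

```shell
#!/bin/sh
# Added example, not part of WiFiDog. Creates a chain (name assumed) holding
# the IPsec pass-through rules and hooks it at the top of FORWARD, so the
# VPN traffic is accepted before the captive-portal chains can drop it.
# Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

ipsec_passthrough_rules() {
    lan="$1"; wan="$2"; chain="${3:-WiFiDog_IPsec}"
    $IPTABLES -N "$chain"
    # Client -> concentrator: IKE/ISAKMP (UDP 500), NAT-T (UDP 4500), ESP (IP proto 50)
    $IPTABLES -A "$chain" -i "$lan" -o "$wan" -p udp --dport 500 -j ACCEPT
    $IPTABLES -A "$chain" -i "$lan" -o "$wan" -p udp --dport 4500 -j ACCEPT
    $IPTABLES -A "$chain" -i "$lan" -o "$wan" -p esp -j ACCEPT
    # Concentrator -> client: ESP has no conntrack helper, so allow replies explicitly
    $IPTABLES -A "$chain" -i "$wan" -o "$lan" -p udp --sport 500 -j ACCEPT
    $IPTABLES -A "$chain" -i "$wan" -o "$lan" -p udp --sport 4500 -j ACCEPT
    $IPTABLES -A "$chain" -i "$wan" -o "$lan" -p esp -j ACCEPT
    # Position 1: evaluated before any rule the gateway appends to FORWARD
    $IPTABLES -I FORWARD 1 -j "$chain"
}

# Usage on the router (interface names from S45firewall are assumptions):
#   ipsec_passthrough_rules "$LAN" "$WAN"
```

Note that this only opens the VPN control and data channels for every client on the LAN; it does not exempt the client from the portal for other traffic.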

