[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Philippe April isf_lists at philippeapril.com
Tue Jun 13 16:11:25 EDT 2006


You might be able to get some information about which entry is  
blocking you in iptables by running it in verbose mode and seeing which  
entry gets hit (reset the counters first; I forgot which command does  
that).

Something like: iptables -v -x -t filter -L
(and do the same for nat table maybe).

Unfortunately, I don't have access to a Cisco VPN service, so I can't  
test...

On 13-Jun-06, at 3:58 PM, Max Horváth wrote:

> Right now it is not an issue of OpenWrt - it works without the  
> WiFiDog gateway ... So it definitely is an issue of the gateway and  
> MUST be fixed in the gateway's source code :( ...
>
> Ian White wrote:
>
>> Judging by the lack of -t, it's in the filter list. I guess it  
>> would depend if post validation only etc, or do you add another  
>> chain between forwarding rule and WiFiDog_WIFI2Internet to group  
>> ports that you want to only for vpn.
>>
>> vpn does appear to be any issue on openwrt, so I guess it's get vpn  
>> working first then add wifidog
>>
>>
>>
>> ----- Original Message ----- From: "Max Horváth"  
>> <max.horvath at maxspot.de>
>> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
>> Sent: Tuesday, June 13, 2006 5:29 PM
>> Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)
>>
>>
>> Anyone?
>>
>> At which chain should I be adding the command
>>
>> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j ACCEPT
>>
>> ?
>>
>> Please help! :(
>>
>> Max Horváth wrote:
>>
>>> So I've been using tcpdump to check what happens:
>>>
>>> IP (tos 0x0, ttl  64, id 33541, offset 0, flags [none], length:   
>>> 892) 10.22.11.176.500 > vpn.***.500: isakmp 1.0 msgid : phase 1  
>>> I  agg: [|sa] (len mismatch: isakmp 848/ip 864)
>>>
>>> Does anybody have an idea how to solve the len mismatch problem?
>>>
>>> Cheers, Max!
>>>
>>> Max Horváth wrote:
>>>
>>>> Well,
>>>>
>>>> that's the funny part:
>>>>
>>>> to make it short - it works if you shut down the gateway.
>>>>
>>>> BUT!
>>>>
>>>> The internet connection as is only works if(!!!) the two lines  
>>>> in /etc/init.d/S45firewall
>>>>
>>>>    iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>>>>    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
>>>>
>>>> get uncommented again. (They must be commented out to ensure no  
>>>> port is open before a client's authorization).
>>>>
>>>> So it works.
>>>>
>>>> If I start the wifidog gateway again (with those lines still  
>>>> uncommented) connecting with the Cisco VPN client doesn't work :( ...
>>>>
>>>> So I guess we have to add iptables commands to the gateway to  
>>>> make the VPN pass-through work ...
>>>>
>>>> Cheers, Max
>>>>
>>>> Benoit Gregoire wrote:
>>>>
>>>>> On Sunday 11 June 2006 18:07, Max Horváth wrote:
>>>>>> Well, in DD-WRT IPsec pass through works by loading the modules
>>>>>> ip_conntrac_proto_gre and ip_nat_proto_gre ... I loaded  
>>>>>> them ... and
>>>>>> I also added the iptables commands to the normal forward and  
>>>>>> input
>>>>>> rule - but it doesn't work - I guess it must be done directly  
>>>>>> in the
>>>>>> wifidog gateway ...
>>>>>
>>>>> Did it work with wifidog shut down?
>>>>>
>>>>
>>>> _______________________________________________
>>>> WiFiDog mailing list
>>>> WiFiDog at listes.ilesansfil.org
>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>
>>>
>>>
>>
>>
>
>
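One way to automate the counter check Philippe describes, as an added example that is not from the thread or the WiFiDog project: it diffs two constructed snapshots of `iptables -v -x -t filter -L FORWARD`, the first taken right after `iptables -Z FORWARD` zeroed the counters and the second after a single Cisco VPN client attempt, and names the rule (or the chain policy) that absorbed the packets. The chain name WiFiDog_WIFI2Internet and the interface names follow the thread; the packet counts are made up.

```python
import re

# Added example (not from the thread). Two constructed snapshots of
# `iptables -v -x -t filter -L FORWARD`: one right after `iptables -Z FORWARD` zeroed
# the counters, one after a single Cisco VPN attempt. Chain names follow the thread.
BEFORE = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
       0          0 WiFiDog_WIFI2Internet  all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
"""
AFTER = """\
Chain FORWARD (policy DROP 3 packets, 2592 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
       3       2592 WiFiDog_WIFI2Internet  all  --  br0    eth0    0.0.0.0/0            0.0.0.0/0
"""

POLICY_RE = re.compile(r"^Chain \S+ \(policy (\S+) (\d+) packets")
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)")

def parse_chain(text):
    """Return ((policy_verdict, policy_pkts), [rule dicts]) from one listing."""
    policy, rules = (None, 0), []
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            policy = (m.group(1), int(m.group(2)))
        elif m := RULE_RE.match(line):
            rules.append({"pkts": int(m.group(1)), "target": m.group(2),
                          "prot": m.group(3), "in": m.group(4), "out": m.group(5)})
    return policy, rules

def rules_hit(before, after):
    """Rules whose packet counter grew between the snapshots, in chain order."""
    _, old_rules = parse_chain(before)
    _, new_rules = parse_chain(after)
    return [dict(new, delta=new["pkts"] - old["pkts"])
            for old, new in zip(old_rules, new_rules) if new["pkts"] > old["pkts"]]

def blocking_verdict(before, after):
    """First DROP/REJECT rule hit, else the chain policy when packets fell through
    every rule (a user chain like WiFiDog_WIFI2Internet returns unmatched packets)."""
    for rule in rules_hit(before, after):
        if rule["target"] in ("DROP", "REJECT"):
            return f"rule {rule['target']} in={rule['in']} out={rule['out']}"
    (old_verdict, old_pkts), _ = parse_chain(before)
    (new_verdict, new_pkts), _ = parse_chain(after)
    if new_pkts > old_pkts:
        return f"chain policy {new_verdict} ({new_pkts - old_pkts} packets)"
    return None
```

In the constructed case the jump into WiFiDog_WIFI2Internet is hit but nothing inside accepts the ISAKMP packets, so they fall back to FORWARD and die on its DROP policy, which is what an unanswered `udp --dport 500` looks like from the counters.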

