[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Ian White ian.white at datamile-computers.com
Tue Jun 13 16:13:34 EDT 2006


I guess you also need to cover the other vpn apps. The counters might be an 
issue too if you get the rules round the wrong way, and the link might get 
timed out, or not respond to the ping call.

----- Original Message ----- 
From: "Max Horváth" <max.horvath at maxspot.de>
To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
Sent: Tuesday, June 13, 2006 8:58 PM
Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)



Right now it is not an issue of OpenWrt - it works without the
WiFiDog gateway ... So it definitely is an issue of the gateway and
MUST be fixed in the gateway's source code :( ...

Ian White wrote:

> Judging by the lack of -t, it's in the filter list. I guess it would
> depend if post validation only etc, or do you add another chain between
> forwarding rule and WiFiDog_WIFI2Internet to group ports that you want to
> only for vpn.
>
> vpn does appear to be any issue on openwrt, so I guess it's get vpn
> working first then add wifidog
>
>
>
> ----- Original Message ----- From: "Max Horváth"  <max.horvath at maxspot.de>
> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
> Sent: Tuesday, June 13, 2006 5:29 PM
> Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)
>
>
>
> Anyone?
>
> At which chain should I be adding the command
>
> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j ACCEPT
>
> ?
>
> Please help! :(
>
> Max Horváth wrote:
>
>>
>> So I've been using tcpdump to check what happens:
>>
>> IP (tos 0x0, ttl  64, id 33541, offset 0, flags [none], length:   892) 
>> 10.22.11.176.500 > vpn.***.500: isakmp 1.0 msgid : phase 1 I   agg: [|sa] 
>> (len mismatch: isakmp 848/ip 864)
>>
>> Anybody has an idea how to solve the len mismatch problem?
>>
>> Cheers, Max!
>>
>> Max Horváth wrote:
>>
>>>
>>> Well,
>>>
>>> that's the funny part:
>>>
>>> to make it short - it works if you shut down the gateway.
>>>
>>> BUT!
>>>
>>> The internet connection as is only works if(!!!) the two lines in
>>> /etc/init.d/S45firewall
>>>
>>>    iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>>>    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
>>>
>>> get uncommented again. (They must be commented to ensure no port being
>>> open before a client's authorization).
>>>
>>> So it works.
>>>
>>> If I start the wifidog gateway again (with those lines still 
>>> uncommented) connecting with the Cisco VPN client doesn't work :( ...
>>>
>>> So I guess we have to add iptables commands to the gateway to make the
>>> VPN pass through work ...
>>>
>>> Cheers, Max
>>>
>>> Benoit Gregoire wrote:
>>>
>>>> On Sunday 11 June 2006 18:07, Max Horváth wrote:
>>>>> Well, in DD-WRT IPsec pass through works by loading the modules
>>>>> ip_conntrac_proto_gre and ip_nat_proto_gre ... I loaded them ... and
>>>>> I also added the iptables commands to the normal forward and input
>>>>> rule - but it doesn't work - I guess it must be done directly in the
>>>>> wifidog gateway ...
>>>>
>>>> Did it work with wifidog shutdown?
>>>>
>>>
>>>
>>
>>
>
>

_______________________________________________
WiFiDog mailing list
WiFiDog at listes.ilesansfil.org
http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
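The thread keeps circling around two points: which FORWARD rules IPsec needs, and where in the chain they must sit. An `iptables -A FORWARD ...` appends after every rule already present, so if a jump to a WiFiDog chain is already in FORWARD, the appended ACCEPT is only reached when that chain returns. The script below is an added example, not code from the WiFiDog project or from anyone in this thread. It prints (rather than runs) the three rules IPsec pass-through needs (IKE on UDP 500, NAT-T on UDP 4500, and ESP itself), scoped to the LAN-to-WAN direction, and it checks an `iptables -L FORWARD -n --line-numbers` listing to confirm the port-500 ACCEPT precedes the WiFiDog jump. The chain name WiFiDog_WIFI2Internet comes from the thread; the interface names br0 and vlan1 and the sample listing are constructed placeholders.

```sh
#!/bin/sh
# Added example (not WiFiDog code). Emit IPsec pass-through rules for
# FORWARD and verify their position relative to the WiFiDog jump.

# Print, without executing, the FORWARD rules for the three IPsec
# components. Positional inserts (1, 2, 3) put them ahead of anything
# already in the chain while keeping them in the listed order. Scoping
# to -i LAN -o WAN keeps the rule from matching WAN-originated traffic.
ipsec_passthrough_rules() {
    lan="$1"
    wan="$2"
    printf 'iptables -I FORWARD 1 -i %s -o %s -p udp --dport 500 -j ACCEPT\n' "$lan" "$wan"   # IKE
    printf 'iptables -I FORWARD 2 -i %s -o %s -p udp --dport 4500 -j ACCEPT\n' "$lan" "$wan"  # NAT-T
    printf 'iptables -I FORWARD 3 -i %s -o %s -p esp -j ACCEPT\n' "$lan" "$wan"               # ESP
}

# Constructed sample in the format of `iptables -L FORWARD -n --line-numbers`:
# the IKE rule sits before the WiFiDog jump, the NAT-T rule after it.
SAMPLE_FORWARD_LISTING='Chain FORWARD (policy DROP)
num  target                 prot opt source     destination
1    ACCEPT                 udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:500
2    WiFiDog_WIFI2Internet  all  --  0.0.0.0/0  0.0.0.0/0
3    ACCEPT                 udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:4500'

# Read a FORWARD listing on stdin; succeed only if the first ACCEPT for
# UDP destination port $1 is numbered lower than the first WiFiDog_* jump.
accept_precedes_wifidog_jump() {
    port="$1"
    awk -v port="$port" '
        $2 == "ACCEPT" && $3 == "udp" && $0 ~ ("dpt:" port "( |$)") && !seen_accept {
            accept_num = $1; seen_accept = 1
        }
        $2 ~ /^WiFiDog_/ && !seen_jump {
            jump_num = $1; seen_jump = 1
        }
        END { exit !(seen_accept && seen_jump && accept_num + 0 < jump_num + 0) }
    '
}

# Stand-alone run: show the generated rules and check the sample listing.
ipsec_passthrough_rules br0 vlan1
if printf '%s\n' "$SAMPLE_FORWARD_LISTING" | accept_precedes_wifidog_jump 500; then
    echo "IKE ACCEPT is evaluated before the WiFiDog jump"
else
    echo "IKE ACCEPT is shadowed by the WiFiDog jump"
fi
```

Inserting ahead of the WiFiDog jump means the rule applies to every wireless client, authenticated or not; if that is not wanted, the same three rules can instead go into whatever chain the gateway evaluates only for authenticated clients, and the same listing check then tells you whether they are reachable from FORWARD.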