[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Ken ken at ipl31.net
Tue 13 Jun 16:33:08 EDT 2006


On 6/13/06, Philippe April <isf_lists at philippeapril.com> wrote:
> You might be able to get some information about which entry is
> blocking you in iptables by running it in verbose mode and see which
> entry gets hit (reset the counter before, forgot which command does
> that).
>
> Something like : iptables -v -x -t filter -L
> (and do the same for nat table maybe).
>
> Unfortunately, I don't have access to a Cisco VPN service, so I can't
> test...

I have been following this thread half-heartedly, so I don't know if
this has been mentioned yet. But some of the usual show stoppers for
NATting IPsec are:

IP Protocol ESP has to be passed

ISAKMP traffic destined for port 500 generally has to have a source
port of 500 as well. So if the source port is not 500 on the nat
router then this may break it as well.

-Ken


>
> On 13-Jun-06, at 3:58 PM, Max Horváth wrote:
>
> >
> > Right now it is not an issue of OpenWrt - it works without the
> > WiFiDog gateway ... So it definitely is an issue of the gateway and
> > MUST be fixed in the gateway's source code :( ...
> >
> > Ian White wrote:
> >
> >> Judging by the lack of -t, it's in the filter list. I guess it
> >> would depend if post validation only etc, or do you add another
> >> chain between forwarding rule and WiFiDog_WIFI2Internet to group
> >> ports that you want to only for vpn.
> >>
> >> vpn doesn't appear to be any issue on openwrt, so I guess it's get vpn
> >> working first then add wifidog
> >>
> >>
> >>
> >> ----- Original Message ----- From: "Max Horváth"
> >> <max.horvath at maxspot.de>
> >> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
> >> Sent: Tuesday, June 13, 2006 5:29 PM
> >> Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)
> >>
> >>
> >>
> >> Anyone?
> >>
> >> At which chain should I be adding the command
> >>
> >> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j ACCEPT
> >>
> >> ?
> >>
> >> Please help! :(
> >>
> >> Max Horváth wrote:
> >>
> >>>
> >>> So I've been using tcpdump to check what happens:
> >>>
> >>> IP (tos 0x0, ttl  64, id 33541, offset 0, flags [none], length:
> >>> 892) 10.22.11.176.500 > vpn.***.500: isakmp 1.0 msgid : phase 1
> >>> I  agg: [|sa] (len mismatch: isakmp 848/ip 864)
> >>>
> >>> Anybody has an idea how to solve the len mismatch problem?
> >>>
> >>> Cheers, Max!
> >>>
> >>> Max Horváth wrote:
> >>>
> >>>>
> >>>> Well,
> >>>>
> >>>> that's the funny part:
> >>>>
> >>>> to make it short - it works if you shut down the gateway.
> >>>>
> >>>> BUT!
> >>>>
> >>>> The internet connection as is only works if(!!!) the two lines
> >>>> in /etc/init.d/S45firewall
> >>>>
> >>>>    iptables -A FORWARD -i br0 -o br0 -j ACCEPT
> >>>>    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
> >>>>
> >>>> get uncommented again. (They must be commented to ensure no
> >>>> port being open before a client's authorization).
> >>>>
> >>>> So it works.
> >>>>
> >>>> If I start the wifidog gateway again (with those lines still
> >>>> uncommented) connecting with the Cisco VPN client doesn't work :( ...
> >>>>
> >>>> So I guess we have to add iptables commands to the gateway to
> >>>> make the VPN pass through work ...
> >>>>
> >>>> Cheers, Max
> >>>>
> >>>> Benoit Gregoire wrote:
> >>>>
> >>>>> On Sunday 11 June 2006 18:07, Max Horváth wrote:
> >>>>>> Well, in DD-WRT IPsec pass through works by loading the modules
> >>>>>> ip_conntrac_proto_gre and ip_nat_proto_gre ... I loaded
> >>>>>> them ... and
> >>>>>> I also added the iptables commands to the normal forward and
> >>>>>> input
> >>>>>> rule - but it doesn't work - I guess it must be done directly
> >>>>>> in the
> >>>>>> wifidog gateway ...
> >>>>>
> >>>>> Did it work with wifidog shutdown?
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> WiFiDog mailing list
> >>>> WiFiDog at listes.ilesansfil.org
> >>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>


-- 
Ken Caruso
ken at ipl31.net
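Philippe's suggestion above (zero the counters with `iptables -Z`, then read `iptables -v -x -L FORWARD` and see which rule's packet count grows while the VPN client tries to connect) is easy to do by hand, but a small diff helper makes the hit rule obvious. This is an added example, not code from the thread or from WiFiDog; the two chain listings below are constructed to resemble the FORWARD chain Max describes, and the REJECT rule and its counters are made up.

```python
"""Diff two `iptables -v -x -L <chain>` snapshots and report which rules
absorbed traffic in between. Sample listings are constructed, not captured."""
import re

# Constructed snapshot taken right after `iptables -Z FORWARD`.
BEFORE = """\
Chain FORWARD (policy DROP 3 packets, 240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  br0    br0     anywhere             anywhere
     840   612300 WiFiDog_WIFI2Internet  all  --  br0    vlan1   anywhere             anywhere
      17     1224 REJECT     all  --  br0    vlan1   anywhere             anywhere            reject-with icmp-port-unreachable
"""
# Constructed snapshot taken after a failed Cisco VPN connection attempt.
AFTER = """\
Chain FORWARD (policy DROP 3 packets, 240 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     all  --  br0    br0     anywhere             anywhere
     840   612300 WiFiDog_WIFI2Internet  all  --  br0    vlan1   anywhere             anywhere
      23     6408 REJECT     all  --  br0    vlan1   anywhere             anywhere            reject-with icmp-port-unreachable
"""

# A rule line starts with two counters (pkts, bytes) followed by the rule text.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_counters(listing):
    """Return [(rule_text, pkts, bytes)] in chain order, skipping the headers."""
    rules = []
    for line in listing.splitlines():
        if line.startswith("Chain ") or line.lstrip().startswith("pkts"):
            continue
        m = RULE_RE.match(line)
        if m:
            # Collapse the column padding so rule text compares cleanly.
            rule_text = " ".join(m.group(3).split())
            rules.append((rule_text, int(m.group(1)), int(m.group(2))))
    return rules


def rules_hit(before, after):
    """Rules whose packet counter grew between snapshots, with the delta."""
    hits = []
    for (rule, p0, _), (rule2, p1, _) in zip(parse_counters(before), parse_counters(after)):
        if rule != rule2:
            # Rules were added/removed in between; counters no longer line up.
            raise ValueError("rule set changed between snapshots; re-capture")
        if p1 > p0:
            hits.append((rule, p1 - p0))
    return hits


if __name__ == "__main__":
    for rule, delta in rules_hit(BEFORE, AFTER):
        print(f"+{delta} pkts  {rule}")
```

A rule that jumps while the client is stuck in phase 1 is the one to look at; per Ken's note, what usually needs to get through is UDP 500 (source port 500 as well) plus the ESP protocol itself.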

