[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Max Horváth max.horvath at maxspot.de
Wed 14 Jun 06:48:54 EDT 2006



As soon as IPSec is working it won't be a problem to add the correct  
rules for PPTP ...

Ian White wrote:

> I guess you also need to cover the other vpn apps. The counters  
> might be an issue too if you get the rules round the wrong way, and  
> the link might get timed out, or not respond to the ping call.
>
> ----- Original Message ----- From: "Max Horváth"  
> <max.horvath at maxspot.de>
> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
> Sent: Tuesday, June 13, 2006 8:58 PM
> Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)
>
>
>
> Right now it is not an issue of OpenWrt - it works without the
> WiFiDog gateway ... So it definitely is an issue of the gateway and
> MUST be fixed in the gateway's source code :( ...
>
> Ian White wrote:
>
>> Judging by the lack of -t, it's in the filter list. I guess it
>> would depend if post validation only etc, or do you add another
>> chain between the forwarding rule and WiFiDog_WIFI2Internet to group
>> ports that you want only for vpn.
>>
>> vpn doesn't appear to be an issue on openwrt, so I guess it's get vpn
>> working first then add wifidog
>>
>>
>>
>> ----- Original Message ----- From: "Max Horváth"   
>> <max.horvath at maxspot.de>
>> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
>> Sent: Tuesday, June 13, 2006 5:29 PM
>> Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)
>>
>>
>>
>> Anyone?
>>
>> At which chain should I be adding the command
>>
>> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j ACCEPT
>>
>> ?
>>
>> Please help! :(
>>
>> Max Horváth wrote:
>>
>>>
>>> So I've been using tcpdump to check what happens:
>>>
>>> IP (tos 0x0, ttl 64, id 33541, offset 0, flags [none], length: 892) 10.22.11.176.500 > vpn.***.500: isakmp 1.0 msgid : phase 1 I agg: [|sa] (len mismatch: isakmp 848/ip 864)
>>>
>>> Does anybody have an idea how to solve the len mismatch problem?
>>>
>>> Cheers, Max!
>>>
>>> Max Horváth wrote:
>>>
>>>>
>>>> Well,
>>>>
>>>> that's the funny part:
>>>>
>>>> to make it short - it works if you shut down the gateway.
>>>>
>>>> BUT!
>>>>
>>>> The internet connection as is only works if(!!!) the two lines
>>>> in /etc/init.d/S45firewall
>>>>
>>>>    iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>>>>    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
>>>>
>>>> get uncommented again. (They must be commented to ensure no
>>>> port is open before a client's authorization).
>>>>
>>>> So it works.
>>>>
>>>> If I start the wifidog gateway again (with those lines still
>>>> uncommented) connecting with the Cisco VPN client doesn't work
>>>> :( ...
>>>>
>>>> So I guess we have to add iptables commands to the gateway to
>>>> make the VPN pass through work ...
>>>>
>>>> Cheers, Max
>>>>
>>>> Benoit Gregoire wrote:
>>>>
>>>>> On Sunday 11 June 2006 18:07, Max Horváth wrote:
>>>>>> Well, in DD-WRT IPsec pass through works by loading the modules
>>>>>> ip_conntrack_proto_gre and ip_nat_proto_gre ... I loaded
>>>>>> them ... and
>>>>>> I also added the iptables commands to the normal forward and
>>>>>> input
>>>>>> rule - but it doesn't work - I guess it must be done directly
>>>>>> in the
>>>>>> wifidog gateway ...
>>>>>
>>>>> Did it work with wifidog shutdown?
>>>>>
>>>>
>>>> _______________________________________________
>>>> WiFiDog mailing list
>>>> WiFiDog at listes.ilesansfil.org
>>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>>>>
>>>
>>
>


