[isf-wifidog] Huge problems with Cisco VPN (IPsec)

Max Horváth max.horvath at maxspot.de
Wed 14 June 06:50:31 EDT 2006


Well, as far as I read, the protocols to enable are p47, p50 and p51 ...

Regarding the VPN connection, the source port is port 500 ;) ...

Ken wrote:

> On 6/13/06, Philippe April <isf_lists at philippeapril.com> wrote:
>> You might be able to get some information about which entry is
>> blocking you in iptables by running it in verbose mode and see which
>> entry gets hit (reset the counter before, forgot which command does
>> that).
>>
>> Something like : iptables -v -x -t filter -L
>> (and do the same for nat table maybe).
>>
>> Unfortunately, I don't have access to a Cisco VPN service, so I can't
>> test...
>
> I have been following this thread half-heartedly, so I don't know if it
> has been mentioned yet. But some of the show stoppers usually for
> NATting IPsec are:
>
> IP Protocol ESP has to be passed
>
> ISAKMP traffic destined for port 500 generally has to have a source
> port of 500 as well. So if the source port is not 500 on the nat
> router then this may break it as well.
>
> -Ken
>
>
>>
>> On 13-Jun-06, at 3:58 PM, Max Horváth wrote:
>>
>> > Right now it is not an issue of OpenWrt - it works without the
>> > WiFiDog gateway ... So it definitely is an issue of the gateway and
>> > MUST be fixed in the gateway's source code :( ...
>> >
>> > Ian White wrote:
>> >
>> >> Judging by the lack of -t, it's in the filter list. I guess it
>> >> would depend if post validation only etc, or do you add another
>> >> chain between forwarding rule and WiFiDog_WIFI2Internet to group
>> >> ports that you want to only for vpn.
>> >>
>> >> vpn doesn't appear to be any issue on openwrt, so I guess it's get vpn
>> >> working first then add wifidog
>> >>
>> >>
>> >>
>> >> ----- Original Message ----- From: "Max Horváth"
>> >> <max.horvath at maxspot.de>
>> >> To: "WiFiDog Captive Portal" <wifidog at listes.ilesansfil.org>
>> >> Sent: Tuesday, June 13, 2006 5:29 PM
>> >> Subject: Re: [isf-wifidog] Huge problems with Cisco VPN (IPsec)
>> >>
>> >>
>> >> Anyone?
>> >>
>> >> At which chain should I be adding the command
>> >>
>> >> iptables -A FORWARD -o $WAN -p udp -m udp --dport 500 -j ACCEPT
>> >>
>> >> ?
>> >>
>> >> Please help! :(
>> >>
>> >> Max Horváth wrote:
>> >>
>> >>> So I've been using tcpdump to check what happens:
>> >>>
>> >>> IP (tos 0x0, ttl  64, id 33541, offset 0, flags [none], length:
>> >>> 892) 10.22.11.176.500 > vpn.***.500: isakmp 1.0 msgid : phase 1
>> >>> I  agg: [|sa] (len mismatch: isakmp 848/ip 864)
>> >>>
>> >>> Anybody has an idea how to solve the len mismatch problem?
>> >>>
>> >>> Cheers, Max!
>> >>>
>> >>> Max Horváth wrote:
>> >>>
>> >>>> Well,
>> >>>>
>> >>>> that's the funny part:
>> >>>>
>> >>>> to make it short - it works if you shut down the gateway.
>> >>>>
>> >>>> BUT!
>> >>>>
>> >>>> The internet connection as is only works if(!!!) the two lines
>> >>>> in /etc/init.d/S45firewall
>> >>>>
>> >>>>    iptables -A FORWARD -i br0 -o br0 -j ACCEPT
>> >>>>    iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT
>> >>>>
>> >>>> get uncommented again. (They must be commented to ensure no
>> >>>> port being open before a client's authorization).
>> >>>>
>> >>>> So it works.
>> >>>>
>> >>>> If I start the wifidog gateway again (with those lines still
>> >>>> uncommented) connecting with the Cisco VPN client doesn't work
>> >>>> :( ...
>> >>>>
>> >>>> So I guess we have to add iptables commands to the gateway to
>> >>>> make the VPN pass through work ...
>> >>>>
>> >>>> Cheers, Max
>> >>>>
>> >>>> Benoit Gregoire wrote:
>> >>>>
>> >>>>> On Sunday 11 June 2006 18:07, Max Horváth wrote:
>> >>>>>> Well, in DD-WRT IPsec pass through works by loading the modules
>> >>>>>> ip_conntrac_proto_gre and ip_nat_proto_gre ... I loaded them ... and
>> >>>>>> I also added the iptables commands to the normal forward and input
>> >>>>>> rule - but it doesn't work - I guess it must be done directly in the
>> >>>>>> wifidog gateway ...
>> >>>>>
>> >>>>> Did it work with wifidog shutdown?
>> >>>>>
>> >>>>
>> >>>> _______________________________________________
>> >>>> WiFiDog mailing list
>> >>>> WiFiDog at listes.ilesansfil.org
>> >>>> http://listes.ilesansfil.org/cgi-bin/mailman/listinfo/wifidog
>> >>>>
>> >>>
>> >>
>> >
>>
>
>
> -- 
> Ken Caruso
> ken at ipl31.net
>

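As an added example (not code from this thread, from WiFiDog or from OpenWrt), the rules Ken and Max list, UDP 500 plus IP protocols 47, 50 and 51, collected in one chain as Ian suggests, with the debugging counters Philippe describes; it prints the commands by default and only applies them when IPTABLES=iptables is set. The chain name VPN_PASSTHROUGH, the interface names br0/vlan1 and the UDP 4500 NAT-T rule are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the list thread or from WiFiDog/OpenWrt.
# Emits (or, with IPTABLES=iptables run as root, applies) the filter rules
# that let IPsec pass through a Linux NAT router running a captive portal,
# grouped in one chain that can sit in front of WiFiDog's own chains.
# Chain name, interface names and the echo dry run are assumptions.

IPTABLES="${IPTABLES:-echo iptables}"
CHAIN="${CHAIN:-VPN_PASSTHROUGH}"      # hypothetical chain name

# ipsec_passthrough_rules LAN WAN: create and fill the passthrough chain.
ipsec_passthrough_rules() {
    lan="$1"; wan="$2"
    $IPTABLES -t filter -N "$CHAIN"
    # ISAKMP/IKE on UDP 500. Only the destination port is matched here:
    # the client sends from 500 too, but keeping that source port intact
    # across NAT is the nat table's job (SNAT/MASQUERADE keep it when free).
    $IPTABLES -t filter -A "$CHAIN" -i "$lan" -o "$wan" -p udp --dport 500 -j ACCEPT
    # NAT-T (IKE and ESP in UDP 4500): not in the thread's list, but used
    # by most clients once they detect a NAT on the path.
    $IPTABLES -t filter -A "$CHAIN" -i "$lan" -o "$wan" -p udp --dport 4500 -j ACCEPT
    # The IP protocols the thread names: GRE (47), ESP (50), AH (51).
    for proto in 47 50 51; do
        $IPTABLES -t filter -A "$CHAIN" -i "$lan" -o "$wan" -p "$proto" -j ACCEPT
    done
    # Replies only for flows the LAN side opened; for GRE this needs the
    # conntrack/NAT GRE modules the thread mentions to be loaded.
    $IPTABLES -t filter -A "$CHAIN" -i "$wan" -o "$lan" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -t filter -A "$CHAIN" -j RETURN
}

# Insert the chain first in FORWARD, ahead of WiFiDog's chains. At this
# position it applies to every LAN client, authenticated or not, which is
# the pre-authorization exposure the thread wants to avoid; hook it after
# the portal's authentication check instead if that matters on your network.
ipsec_passthrough_hook() {
    $IPTABLES -t filter -I FORWARD 1 -j "$CHAIN"
}

# Philippe's debugging tip: zero the FORWARD counters, retry the VPN, then
# list the chain to see which entry the packets hit (-Z is the reset).
reset_forward_counters() { $IPTABLES -t filter -Z FORWARD; }
show_forward_counters() { $IPTABLES -t filter -L FORWARD -v -x -n --line-numbers; }
# count_rules LAN WAN: number of -A rules the dry run emits (self-check).
count_rules() { ipsec_passthrough_rules "$1" "$2" | grep -c -- ' -A '; }

ipsec_passthrough_rules br0 vlan1
ipsec_passthrough_hook
```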