[Openswan dev] Re: FreeS/WAN and BEFSX41-CA
Jon Earle
je_fsw at kronos.honk.org
Fri Apr 16 11:45:32 CEST 2004
Many thanks for your note, Jeannot. I will pore through it more this
weekend as I play a bit more with it.
On Thu, 15 Apr 2004, Jeannot_Langlois wrote:
>
> Unfortunately, I wasn't able to get our FreeSWAN 2.04 box (which runs
> Linux 2.4.24) to establish an IPSEC tunnel with the LINKSYS
> BEFSX41-FR(CA) router.
>
> [Take note of this exact model number; this is the *FRENCH CANADIAN*
> version I have been experimenting with, *NOT* the standard "American"
> version which has model number "BEFSX41"].
The model I have is the BEFSX41-CA (English Canadian version). I bought
the same one as my colleague in order to have something (locally) to
test and play with.
> - The BEFSX41-CA(FR) firewall/router currently uses the following
> firmware version: 1.44.3 - Dec 24 2002.
> - NO official firmware upgrade is available from the LinkSys website
> (http://www.linksys.com/download/) for the particular BEFSX41-CA(FR)
> product.
> - HOWEVER a firmware upgrade *IS* available (1.45.3 - September 26 2003)
> for the *AMERICAN* BEFSX41
Our routers have firmware v1.45.6, Oct 20 2003. The firmware is newer
than what's on the website.
I could not get a tunnel working through the thing (I eventually did, see
below) for most of my tests. Duplicate tunnels through my Linux routers
worked perfectly, so I knew the problem was with the Linksys.
Yesterday, we were banging away at it again, trying to use the DMZ
functions to expose the Win2k client. Even that wasn't working. So, we
started turning stuff off. When we turned off the Firewall (the SPI/DoS
firewall), it worked! We could make tunnels with/without the DMZ enabled.
Block WAN Requests is ENABLED, so at least the box isn't pingable (I ran
an nmap scan against it, and no TCP ports were exposed).
Now, I want to play a bit more to see if the router can itself make a
tunnel to a FreeS/WAN gateway, but haven't had the time to do that yet.
To sum up:
- Linksys BEFSX41-CA is pretty much in it's factory config.
- Client was using a static IP.
- ports 500/udp and 4500/udp are forwarded to the Win2k client making the
tunnel.
- IPSec Passthrough is ENABLED.
- Firewall is DISABLED (this was the key for *us*, on *this* router).
- Block WAN Requests is ENABLED (gives some security).
To try:
- Disabling forwarded ports 500/udp and 4500/udp. I didn't have them
expressly forwarded on my linux router, hence my suspicion that I might
not need them here.
- DHCP enabled client - my Linux router works fine with DHCP clients.
- Tunnel from Linksys to FreeS/WAN gateway.
Cheers!
Jon
--
Jon Earle
Software Developer / Network Manager
Specializing in Open Source Software Solutions
http://kronos.honk.org/~earlej/
More information about the Dev
mailing list