[Openswan Users] Iptables 2.4 Kernel

Tomasz Grzelak tgrzelak at wktpolska.com.pl
Wed Dec 29 09:20:56 CET 2004

Dnia wto 28. grudnia 2004 20:52, Stefan Leippert napisał:
> Hello all !
> I am testing the Redwall Firewall (Kernel 2.4) which has openswan
> installed.
> The connection works, I have an established ISAKMP and there are
> encapsulated packets with NAT-T. Ethereal says, that the packets are
> encapsulated in UDP.
> Problem:
> I can't reach any service on the gateway.
> I think I have to make some changes in my iptables script. Currently I have
> opened port 500 and 4500 on the gateway. The gateway has two NICs, eth0 to
> the LAN and eth1 to ADSL-Modem. After the ISAKMP-established there is
> another interface "ipsec0".
> I can't ping or reach any other service on the gateway or in the LAN. Do I
> need special rules for iptables and the interface "ipsec0" ?

I don't know too much about ipsec in kernel 2.4, 'cause I use native 2.6, but 
if you have an 'ipsec0' interface you should also set rules for that 
interface in the iptables script. You should let UDP[500, 4500], and also the 
ESP (50; cat /etc/protocols) protocol, for example:

(I assume UDP has been accepted)
iptables -A INPUT -i ipsec0 -p esp -j ACCEPT
iptables -A OUTPUT -o ipsec0 -p esp -j ACCEPT
(this above would be enough in the most simple case)

Maybe it will help you.


More information about the Users mailing list