Cisco and Freeswan (outgoing requests to ports > 1024)
axl_mac at libero.it
Sat Jun 4 13:14:04 CEST 2005
We have built an IPsec connection with PSK between a Cisco PIX525 and Freeswan.
All things went OK till we discovered the Linux box has difficulties initiating communication towards
devices on the other side.
We built 2 tunnels between a LAN and 2 servers
192.168.41.0/24 <-->public IP<-------Internet cloud------->public IP<--> 10.146.10.82/32
192.168.41.0/24 <-->public IP<-------Internet cloud------->public IP<--> 10.146.12.67/32
The strange behaviour is that pinging from one of the 10.146.xxx PCs brings the tunnel up, but when the
first server tries to contact another server located in the LAN the tunnel doesn't come up.
Somebody told me the SQLnet port (1521) is higher than the standard 1024 for outgoing communications and
the Linux box does not consider it an attempt to communicate with the other side (it seems very strange to
Other people told me I must investigate timeouts (Freeswan cannot set it greater than 480
minutes and if it finds a different value on the other side there could be problems).
I've been working with another guy who manages the Linux box, so I don't have the configuration available.
Are the pfs and Diffie-Hellman group parameters independent?
I know the default in Freeswan is PFS yes and D-H group = 2 (1024 bits), but what is the difference
between declaring pfs=yes and not declaring it in ipsec.conf?
Thanks for your attention,
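For readers following the thread, here is an added ipsec.conf sketch for the two tunnels in the diagram above. It is not the poster's configuration (which is not available in the thread) and not from the Freeswan project; public IPs, conn names and the secret are placeholders, and the ike=/esp= proposal lines assume FreeS/WAN 2.x syntax. It shows where the Diffie-Hellman group is selected (in the ike= proposal, modp1024 being group 2), that pfs=yes is the default so leaving the line out is equivalent to declaring it, and that auto=route, unlike auto=add, lets traffic from the Linux side trigger negotiation regardless of the destination port.

```ini
# Added illustration, not the poster's real configuration.
# Placeholders: LINUX_PUBLIC_IP, PIX_PUBLIC_IP, conn names.

config setup
        interfaces=%defaultroute

conn %default
        authby=secret
        # Phase 1 proposal; modp1024 is Diffie-Hellman group 2 (1024 bits).
        ike=3des-sha1-modp1024
        # Phase 2 proposal.
        esp=3des-sha1
        # Default is already yes, so omitting this line changes nothing.
        # With PFS, the Phase 2 group follows the group negotiated in Phase 1.
        pfs=yes
        # Lifetimes only need to be acceptable to the peer; mismatches with
        # the PIX side are a common cause of rekey problems.
        ikelifetime=1h
        keylife=8h

conn lan-to-10-146-10-82
        left=LINUX_PUBLIC_IP
        leftsubnet=192.168.41.0/24
        right=PIX_PUBLIC_IP
        rightsubnet=10.146.10.82/32
        # auto=route installs a trap eroute: the first packet from 192.168.41.0/24
        # towards the host (any protocol, any port) starts the negotiation.
        # auto=add only loads the conn and waits for the peer to initiate.
        auto=route

conn lan-to-10-146-12-67
        left=LINUX_PUBLIC_IP
        leftsubnet=192.168.41.0/24
        right=PIX_PUBLIC_IP
        rightsubnet=10.146.12.67/32
        auto=route
```

After editing, `ipsec auto --replace <conn>` followed by `ipsec auto --route <conn>` reloads the conn, and `ipsec auto --status` shows whether an eroute is installed for each subnet pair; the 1521 port number plays no role in that decision.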