[Openswan Users] iptables checklist for ipsec newbies
Andreas Lüdtke
andi.luedtke at gmx.de
Wed Jan 11 13:18:59 CET 2006
Hi,
since I'm still struggling with a vpn tunnel between Openswan 2.4.4 and a commercial vpn
router, I kindly ask you to comment on whether my understanding of iptables is correct.
So far, I found the following:
- allow UDP port 500 for IKE negotiations
iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
- allow UDP port 4500 if NAT-T is used/necessary
iptables -I INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
- allow protocol 50 for ESP encryption and/or authentication
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT
- switch off masquerading between the two subnets
??? not sure what to do here ???
It would be great if someone could help me with the masquerading iptables commands
(example constellation: subnet AAA 10.0.1.0/24, subnet BBB 10.0.2.0/24).
Thanks
Andreas
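The complete rule set the post is working towards, as an added example that is not part of the original message or of Openswan itself. It assumes the gateway's public interface is eth0, that 10.0.1.0/24 is the local subnet behind it and 10.0.2.0/24 is the remote subnet (the post's AAA and BBB); all three are assumptions and can be overridden through environment variables. The part the post asks about is the nat POSTROUTING chain: the ACCEPT for tunnel traffic has to come before the MASQUERADE rule, otherwise the source address is rewritten to the WAN address and the packet no longer matches the 10.0.1.0/24 -> 10.0.2.0/24 IPsec policy, so it leaves in clear text or is dropped.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for an
# Openswan IPsec gateway, including the masquerading exception for the
# tunnel. Assumptions (not in the post): WAN interface eth0, local subnet
# 10.0.1.0/24, remote subnet 10.0.2.0/24.
# Dry run:  IPT=echo sh ipsec-fw.sh dry-run    (prints the commands)
# Apply:    sh ipsec-fw.sh apply               (as root)

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
LOCAL_NET="${LOCAL_NET:-10.0.1.0/24}"
REMOTE_NET="${REMOTE_NET:-10.0.2.0/24}"

ipsec_firewall() {
    # IKE (UDP 500) and NAT-T (UDP 4500). Only the destination port is
    # matched on INPUT: a peer behind a NAT device may arrive from an
    # arbitrary source port, so matching --sport 500 as well can break IKE.
    $IPT -A INPUT  -i "$WAN_IF" -p udp --dport 500  -j ACCEPT
    $IPT -A INPUT  -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --sport 500  -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p udp --sport 4500 -j ACCEPT

    # ESP, IP protocol 50, carries the encrypted traffic itself.
    $IPT -A INPUT  -i "$WAN_IF" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$WAN_IF" -p esp -j ACCEPT

    # Decrypted traffic is routed between the two subnets like any other
    # traffic, so FORWARD must allow it in both directions.
    $IPT -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPT -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT

    # Masquerading exception. Order matters: the ACCEPT for tunnel traffic
    # must precede MASQUERADE, because nat POSTROUTING stops at the first
    # matching target. Masqueraded packets would carry the WAN address as
    # source and no longer match the LOCAL_NET -> REMOTE_NET IPsec policy.
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN_IF" -j MASQUERADE
}

case "${1:-}" in
    apply)   ipsec_firewall ;;
    dry-run) IPT=echo; ipsec_firewall ;;
esac
```

Two caveats when adapting this. The `-A` appends keep the rules in the order written; if the existing firewall uses `-I` as in the post, the rules are prepended and the ACCEPT exception has to be inserted after the MASQUERADE rule is already in place, or the order in the nat table ends up reversed (check with `iptables -t nat -L POSTROUTING -n --line-numbers`). And on Openswan with the KLIPS stack the decrypted packets appear on the ipsec0 virtual interface rather than on eth0, so `-i`/`-o` on the FORWARD rules would refer to ipsec0; with the NETKEY (2.6 native) stack they appear on the physical interface as shown here.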