[Openswan Users] iptables checklist for ipsec newbies

Andreas Lüdtke andi.luedtke at gmx.de
Wed Jan 11 13:18:59 CET 2006


Hi,

Since I'm still struggling with a VPN tunnel between Openswan 2.4.4 and a commercial VPN
router, I kindly ask you to comment on whether my understanding of iptables is correct.

So far, I found the following:

- allow UDP port 500 for IKE negotiations
	iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
	iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

- allow UDP port 4500 if NAT-T is used/necessary
	iptables -I INPUT  -p udp --sport 4500 --dport 4500 -j ACCEPT
	iptables -I OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT

- allow protocol 50 for ESP encryption and/or authentication
	iptables -I INPUT  -p 50 -j ACCEPT
	iptables -I OUTPUT -p 50 -j ACCEPT

- switch off masquerading between the two subnets
	??? not sure what to do here ???

It would be great if someone could help me with the masquerading iptables commands
(example constellation: subnet AAA 10.0.1.0/24, subnet BBB 10.0.2.0/24).

Thanks

	Andreas
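The following is an added example, not part of Andreas' post or of Openswan itself. It generates the complete rule set the checklist above is working towards in iptables-restore format, including the masquerading exclusion the post asks about, and adds a check that can be run against the live `iptables-save` output. The peer address 203.0.113.10 and the interface name eth0 are constructed placeholders; the subnets are the ones from the post. It assumes the gateway uses the kernel's native IPsec stack (NETKEY), so that packets from 10.0.1.0/24 to 10.0.2.0/24 pass through nat/POSTROUTING before they are encrypted. If a MASQUERADE rule rewrites their source address there, the IPsec policy for 10.0.1.0/24 -> 10.0.2.0/24 no longer matches and the traffic leaves in the clear; an ACCEPT rule in the nat table placed ahead of MASQUERADE ends NAT processing for those packets. The filter rules differ from the post's in two defensive details: they accept IKE, NAT-T and ESP only from the known peer, and they match only the destination port, because a peer behind NAT will not necessarily send from source port 500 or 4500.

```shell
#!/bin/sh
# Added example (not from the original post): build the iptables rule set for an
# Openswan site-to-site gateway and verify the NAT exclusion ordering.
PEER_IP="${PEER_IP:-203.0.113.10}"       # remote VPN router (constructed placeholder)
LOCAL_NET="${LOCAL_NET:-10.0.1.0/24}"    # subnet AAA from the post
REMOTE_NET="${REMOTE_NET:-10.0.2.0/24}"  # subnet BBB from the post
WAN_IF="${WAN_IF:-eth0}"                 # Internet-facing interface (assumed name)

# Print the rule set in iptables-restore format. Chain policies assume the host
# already runs a default-deny firewall; adapt them to an existing setup.
generate_ruleset() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Tunnel traffic must keep its private source address, otherwise the IPsec
# policy for $LOCAL_NET -> $REMOTE_NET never matches. ACCEPT in the nat table
# ends NAT processing for the packet, so this rule must precede MASQUERADE.
-A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
-A POSTROUTING -s $LOCAL_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE (UDP 500) and NAT-T (UDP 4500), only from the known peer. Match the
# destination port only: a peer behind NAT may not source from 500/4500.
-A INPUT -p udp -s $PEER_IP --dport 500 -j ACCEPT
-A INPUT -p udp -s $PEER_IP --dport 4500 -j ACCEPT
# ESP is IP protocol 50; add a matching rule for protocol 51 if AH is used.
-A INPUT -p 50 -s $PEER_IP -j ACCEPT
# Decrypted packets are routed between the two subnets via FORWARD.
-A FORWARD -s $LOCAL_NET -d $REMOTE_NET -j ACCEPT
-A FORWARD -s $REMOTE_NET -d $LOCAL_NET -j ACCEPT
COMMIT
EOF
}

# Read an iptables-save style rule set on stdin and succeed only if, in the nat
# table's POSTROUTING chain, an ACCEPT for LOCAL_NET -> REMOTE_NET appears
# before any MASQUERADE rule. Usable on live rules: iptables-save | nat_exclusion_ok
nat_exclusion_ok() {
    awk -v src="$LOCAL_NET" -v dst="$REMOTE_NET" '
        /^\*/ { table = substr($0, 2) }
        table != "nat" || $1 != "-A" || $2 != "POSTROUTING" { next }
        /-j MASQUERADE/ { if (!seen_accept) bad = 1; next }
        /-j ACCEPT/ && index($0, "-s " src) && index($0, "-d " dst) { seen_accept = 1 }
        END { exit (bad || !seen_accept) ? 1 : 0 }
    '
}

case "${1:-print}" in
    print) generate_ruleset ;;                       # review before loading
    check) iptables-save | nat_exclusion_ok \
               && echo "NAT exclusion precedes MASQUERADE" \
               || { echo "NAT exclusion missing or ordered after MASQUERADE"; exit 1; } ;;
esac
```

Review the printed rules, then load them with `iptables-restore` and run the script with `check` to confirm the exclusion is still in place (a later `iptables -I POSTROUTING ... -j MASQUERADE` from another script would silently push it behind the masquerading rule again).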


