[Openswan Users] iptables checklist for ipsec newbies

John A. Sullivan III jsullivan at opensourcedevel.com
Wed Jan 11 08:08:39 CET 2006


On Wed, 2006-01-11 at 13:18 +0100, Andreas Lüdtke wrote:
> Hi,
> 
> since I'm still struggling with a vpn tunnel between Openswan 2.4.4 and a commercial vpn
> router, I kindly ask you to comment if my understanding of iptables is correct.
> 
> So far, I found the following:
> 
> - allow UDP port 500 for IKE negotiations
> 	iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
> 	iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
> 
> - allow UDP port 4500 if NAT-T is used/necessary
> 	iptables -I INPUT  -p udp --sport 4500 --dport 4500 -j ACCEPT
> 	iptables -I OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> 
> - allow protocol 50 for ESP encryption and/or authentication
> 	iptables -I INPUT  -p 50 -j ACCEPT
> 	iptables -I OUTPUT -p 50 -j ACCEPT
> 
> - switch off masquerading between the two subnets
> 	??? not sure what to do here ???
> 
> It would be great if someone could help me with the masquerading iptables commands
> (example constellation: subnet AAA 10.0.1.0/24, subnet BBB 10.0.2.0/24).
> 
<snip>
Those rules will allow the encrypted traffic to the gateway.  The next
three questions are:

1) What problems are you experiencing?
2) Why do you need to masquerade between the two subnets?
3) What rules do you have in place to allow the traffic on the FORWARD
chain once the packets are decrypted?

Hope this helps - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

If you would like to participate in the development of an open source
enterprise class network security management system, please visit
http://iscs.sourceforge.net
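
The three points John raises (encrypted traffic to the gateway, the FORWARD
chain for the decrypted packets, and keeping the tunnel traffic out of the
masquerade rule) as one added example script. It is not from the original
thread or from the Openswan project. It assumes the gateway's public interface
is eth0, that subnet AAA (10.0.1.0/24) sits behind this gateway and subnet BBB
(10.0.2.0/24) behind the remote router, and that the 2.6 kernel's native IPsec
stack (NETKEY) is in use, so decrypted packets re-enter the FORWARD chain on
the physical interface (with KLIPS they would arrive on an ipsecN interface
instead). All variable names and the IPT/dry-run mechanism are the example's
own.

```shell
#!/bin/sh
# Added example for an Openswan gateway firewall; not code from the thread.
# Assumed layout (hypothetical): eth0 is the Internet-facing interface,
# 10.0.1.0/24 is behind this gateway, 10.0.2.0/24 is behind the remote router.
# IPT defaults to the real iptables binary; run with IPT=echo for a dry run.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LOCAL_NET="${LOCAL_NET:-10.0.1.0/24}"
REMOTE_NET="${REMOTE_NET:-10.0.2.0/24}"

# 1) Let the encrypted traffic reach the IKE daemon and the kernel IPsec stack.
#    Matching on --dport only (not --sport 500 as in the quoted rules) also
#    accepts a peer behind NAT whose source port was rewritten.
ipsec_input_rules() {
    $IPT -A INPUT  -i "$WAN" -p udp --dport 500  -j ACCEPT   # IKE
    $IPT -A INPUT  -i "$WAN" -p udp --dport 4500 -j ACCEPT   # IKE/ESP in UDP (NAT-T)
    $IPT -A INPUT  -i "$WAN" -p esp -j ACCEPT                # ESP, IP protocol 50
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 500  -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p udp --sport 4500 -j ACCEPT
    $IPT -A OUTPUT -o "$WAN" -p esp -j ACCEPT
}

# 2) After decryption the packets are ordinary routed traffic between the two
#    subnets, so they need FORWARD rules like any other forwarded traffic.
ipsec_forward_rules() {
    $IPT -A FORWARD -s "$LOCAL_NET"  -d "$REMOTE_NET" -j ACCEPT
    $IPT -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET"  -j ACCEPT
}

# 3) Masquerade Internet-bound traffic, but exempt traffic for the remote
#    subnet. The exemption must come BEFORE the MASQUERADE rule: POSTROUTING
#    runs before the kernel applies the IPsec policy, so a masqueraded packet
#    would carry the WAN address as source and no longer match the tunnel's
#    subnet-to-subnet policy, and would go out in the clear (or be dropped).
ipsec_nat_rules() {
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -s "$LOCAL_NET" -o "$WAN" -j MASQUERADE
}

apply_all() {
    ipsec_input_rules
    ipsec_forward_rules
    ipsec_nat_rules
}

# Only touch the live ruleset when explicitly asked: `sh ipsec-fw.sh apply`.
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run `IPT=echo sh ipsec-fw.sh apply` first to review the generated rules; the
rule order printed for the nat table is the order that matters. If the remote
side also masquerades its LAN behind the router, it needs the mirror-image
exemption (source 10.0.2.0/24, destination 10.0.1.0/24) for the same reason.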


