[Openswan Users] iptables checklist for ipsec newbies

Tuomo Soini tis at foobar.fi
Wed Jan 11 17:15:25 CET 2006

Andreas Lüdtke wrote:
> Hi,
> since I'm still struggling with a vpn tunnel between Openswan 2.4.4 and a commercial vpn
> router, I kindly ask you to comment if my understanding of iptables is correct.
> So far, I found the following:
> - allow UDP port 500 for IKE negotiations
> 	iptables -I INPUT  -p udp --sport 500 --dport 500 -j ACCEPT
> 	iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT

Remove --sport 500 for older ipsec nat-t draft users.

> - allow UDP port 4500 if NAT-T is used/necessary
> 	iptables -I INPUT  -p udp --sport 4500 --dport 4500 -j ACCEPT
> 	iptables -I OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT

Remove --sport 4500 to make ipsec nat-t work. nat-t is used because the
source port is changed by the nat router...

> - allow protocol 50 for ESP encryption and/or authentication
> 	iptables -I INPUT  -p 50 -j ACCEPT
> 	iptables -I OUTPUT -p 50 -j ACCEPT
> - switch off masquerading between the two subnets
> 	??? not sure what to do here ???

Make sure you don't masquerade if destination is

    iptables -t nat -I POSTROUTING --destination \! -j MASQUERADE

> It would be great if someone could help me with the masquerading iptables commands
> (example constellation: subnet AAA, subnet BBB

If you have a very new distribution, you might have an iptables and kernel
supporting -m policy --pol ipsec, which makes it possible to allow
traffic only via ipsec and not to masquerade if traffic is ipsec, etc...

--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
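The rule set this reply describes, written out as an added example (not code from the thread, from Openswan, or from the poster): the subnets, WAN interface and variable names are assumptions, and it also spells out the OUTPUT direction and the FORWARD chain, which the reply leaves implicit.

```shell
#!/bin/sh
# Added example: assemble the iptables rules for a subnet-to-subnet Openswan
# tunnel with NAT-T and a masquerading gateway. LOCAL_NET/REMOTE_NET/WAN_IF
# are constructed placeholders. DRY_RUN=1 (default) prints the rules instead
# of applying them; DRY_RUN=0 runs iptables for real (needs root).
LOCAL_NET="${LOCAL_NET:-10.1.0.0/24}"    # "subnet AAA" (assumed value)
REMOTE_NET="${REMOTE_NET:-10.2.0.0/24}"  # "subnet BBB" (assumed value)
WAN_IF="${WAN_IF:-eth0}"
DRY_RUN="${DRY_RUN:-1}"

# ipt: print the rule in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

ipsec_rules() {
    # IKE (UDP 500) and NAT-T (UDP 4500). Only the port on *our* side is
    # pinned: a peer behind NAT arrives with a rewritten source port, so no
    # --sport on INPUT and, symmetrically, no --dport on OUTPUT.
    ipt -A INPUT  -i "$WAN_IF" -p udp --dport 500  -j ACCEPT
    ipt -A INPUT  -i "$WAN_IF" -p udp --dport 4500 -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --sport 500  -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p udp --sport 4500 -j ACCEPT
    # ESP (IP protocol 50) in both directions.
    ipt -A INPUT  -i "$WAN_IF" -p esp -j ACCEPT
    ipt -A OUTPUT -o "$WAN_IF" -p esp -j ACCEPT
    # Subnet-to-subnet packets are forwarded; accept them only when the
    # kernel tells us they went through an IPsec SA (-m policy, xt_policy).
    ipt -A FORWARD -m policy --dir in  --pol ipsec -s "$REMOTE_NET" -d "$LOCAL_NET" -j ACCEPT
    ipt -A FORWARD -m policy --dir out --pol ipsec -s "$LOCAL_NET"  -d "$REMOTE_NET" -j ACCEPT
    # Masquerading: exempt tunnel traffic *before* the catch-all MASQUERADE,
    # otherwise the source address is rewritten before IPsec sees the packet
    # and the remote side receives traffic that matches no SA.
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" ! -d "$REMOTE_NET" -j MASQUERADE
}

ipsec_rules
```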