[Openswan Users] iptables checklist for ipsec newbies
Tuomo Soini
tis at foobar.fi
Wed Jan 11 17:15:25 CET 2006
Andreas Lüdtke wrote:
> Hi,
>
> since I'm still struggling with a vpn tunnel between Openswan 2.4.4 and a commercial vpn
> router, I kindly ask you to comment if my understanding of iptables is correct.
>
> So far, I found the following:
>
> - allow UDP port 500 for IKE negotiations
> iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
Remove --sport 500 for older ipsec nat-t draft users.
> - allow UDP port 4500 if NAT-T is used/necessary
> iptables -I INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
Remove --sport 4500 to make IPsec NAT-T work: NAT-T is used because the
source port is changed by the NAT router...
> - allow protocol 50 for ESP encryption and/or authentication
> iptables -I INPUT -p 50 -j ACCEPT
> iptables -I OUTPUT -p 50 -j ACCEPT
>
> - switch off masquerading between the two subnets
> ??? not sure what to do here ???
Make sure you don't masquerade if the destination is 10.0.0.0/8
iptables -t nat -I POSTROUTING --destination \! 10.0.0.0/8 -j MASQUERADE
>
> It would be great if someone could help me with the masquerading iptables commands
> (example constellation: subnet AAA 10.0.1.0/24, subnet BBB 10.0.2.0/24).
If you have a very new distribution you might have iptables and a kernel
supporting -m policy --pol ipsec, which makes it possible to allow
traffic only via IPsec and not to masquerade if the traffic is IPsec etc...
--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
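The checklist above (UDP 500 and 4500 without a source-port match, ESP, and a masquerade exemption for the tunnelled subnet) collected into one script, as an added example that is not part of the thread and not Openswan's own code. Assumed, not from the post: the gateway's WAN interface is eth0, the local subnet is AAA 10.0.1.0/24 and the remote subnet behind the peer is BBB 10.0.2.0/24 (Andreas' example constellation); the IPT, WAN, LOCAL_NET and REMOTE_NET variables and the function names are this example's own. The second NAT variant uses the -m policy match mentioned in the reply and only works where the kernel and iptables support it.

```shell
#!/bin/sh
# Added example: iptables ruleset for an Openswan gateway following the
# checklist in the thread. Assumptions (not from the post): WAN is eth0,
# AAA is 10.0.1.0/24 (local), BBB is 10.0.2.0/24 (remote). IPT can be
# overridden (IPT=echo) to print the rules instead of loading them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
LOCAL_NET="${LOCAL_NET:-10.0.1.0/24}"
REMOTE_NET="${REMOTE_NET:-10.0.2.0/24}"

# IKE, NAT-T and ESP to and from the gateway itself. Only the destination
# port is matched: a NAT router in front of the peer, or an older NAT-T
# draft, may rewrite the source port, so --sport 500/4500 would drop
# legitimate negotiations.
ipsec_host_rules() {
    "$IPT" -A INPUT  -i "$WAN" -p udp --dport 500  -j ACCEPT
    "$IPT" -A INPUT  -i "$WAN" -p udp --dport 4500 -j ACCEPT
    "$IPT" -A INPUT  -i "$WAN" -p esp -j ACCEPT
    "$IPT" -A OUTPUT -o "$WAN" -p udp --dport 500  -j ACCEPT
    "$IPT" -A OUTPUT -o "$WAN" -p udp --dport 4500 -j ACCEPT
    "$IPT" -A OUTPUT -o "$WAN" -p esp -j ACCEPT
}

# Masquerade Internet-bound traffic from AAA, but never traffic for BBB: a
# masqueraded packet carries the gateway's public address as its source, so
# it no longer matches the 10.0.1.0/24 <-> 10.0.2.0/24 IPsec policy and
# bypasses the tunnel. The exemption must come first; -A appends in order.
ipsec_nat_rules() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" -j MASQUERADE
}

# Variant for kernels and iptables that have the policy match (-m policy):
# exempt anything covered by an outbound IPsec policy from MASQUERADE, and
# forward BBB -> AAA only when the packet arrived through IPsec, so cleartext
# packets spoofing a 10.0.2.x source on the WAN side are dropped.
ipsec_policy_rules() {
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -m policy --pol ipsec --dir out -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -s "$LOCAL_NET" -j MASQUERADE
    "$IPT" -A FORWARD -i "$WAN" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --pol ipsec --dir in --mode tunnel -j ACCEPT
    "$IPT" -A FORWARD -i "$WAN" -s "$REMOTE_NET" -j DROP
    "$IPT" -A FORWARD -o "$WAN" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --pol ipsec --dir out --mode tunnel -j ACCEPT
}

# Usage: sh ipsec-fw.sh apply | apply-policy      (as root, on the gateway)
#        sh ipsec-fw.sh preview | preview-policy  (print the rules only)
case "${1:-}" in
    apply)          ipsec_host_rules; ipsec_nat_rules ;;
    apply-policy)   ipsec_host_rules; ipsec_policy_rules ;;
    preview)        IPT=echo; ipsec_host_rules; ipsec_nat_rules ;;
    preview-policy) IPT=echo; ipsec_host_rules; ipsec_policy_rules ;;
esac
```

Run the preview modes first and compare the printed rules with `iptables -L -n -v` and `iptables -t nat -L -n -v` after loading; if a packet to BBB still shows up masqueraded, the exemption rule is sitting below an earlier MASQUERADE rule from the distribution's own firewall script.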