[Openswan Users] Basic question: should I use Openswan?
Tuomo Soini
tis at foobar.fi
Tue Jan 17 02:08:05 CET 2006
Paul Wouters wrote:
>>I tried to allow all suggested services on the SERVER iptables - here are the
>>lines:
>>
>>-A INPUT -p udp -m udp --dport 500 -j RULE_5
>>-A OUTPUT -p udp --dport 500 --sport 500 -j ACCEPT
>>-A INPUT -p udp -m udp --sport 500 -j RULE_5
>>-A OUTPUT -p ESP -j ACCEPT
>>-A INPUT -p esp -j RULE_5
>>-A OUTPUT -p AH -j ACCEPT
>>-A INPUT -p ah -j RULE_5
>>-A INPUT -p udp -m udp --dport 4500 --sport 4500 -j RULE_5
>
>
> Source port is not always 4500, due to NAT. You shouldn't use it in your rule.
> But your problem is still getting phase 2 up. So check the server logs.
And just for reference: the IKE source port is not always 500 when arriving
on port 500, also because of NAT.
--
Tuomo Soini <tis at foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
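The point both replies make is that a NAT device in front of a road-warrior rewrites the UDP source port, so IKE (500) and NAT-T (4500) packets arrive with arbitrary source ports and only the destination port is reliable. The script below is an added example, not from this thread or the Openswan project: it emits a corrected version of the poster's ruleset (matching destination ports only, keeping their hypothetical RULE_5 chain name) and a small lint that flags any rule still constraining the IKE or NAT-T source port. It works on rule text such as iptables-save output, so it runs without iptables or root.

```shell
#!/bin/sh
# Added example (not the thread's or Openswan's own code).
# Assumptions: rules are handled as text in iptables-save format, and the
# target chain RULE_5 is the one from the original poster's firewall.

# Corrected IPsec rules: match only --dport, because after NAT the IKE/NAT-T
# source port is frequently not 500/4500.  ESP and AH are allowed by protocol.
ipsec_rules() {
  cat <<'EOF'
-A INPUT -p udp -m udp --dport 500 -j RULE_5
-A INPUT -p udp -m udp --dport 4500 -j RULE_5
-A INPUT -p esp -j RULE_5
-A INPUT -p ah -j RULE_5
-A OUTPUT -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 4500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
-A OUTPUT -p ah -j ACCEPT
EOF
}

# Lint: read rules on stdin, print every rule that pins the IKE (500) or
# NAT-T (4500) *source* port, and return non-zero if any such rule exists.
# "--" stops grep from treating the pattern (which starts with --) as an option.
check_ike_sport() {
  ! grep -E -- '--sport[[:space:]]+(500|4500)([[:space:]]|$)'
}

# Stand-alone usage: lint the corrected ruleset, then lint a constructed copy
# of the poster's problematic NAT-T rule to show it being flagged.
if [ "${1:-}" = "demo" ]; then
  echo "corrected ruleset:"
  ipsec_rules | check_ike_sport && echo "  ok: no source-port pins"
  echo "poster's rule:"
  echo '-A INPUT -p udp -m udp --dport 4500 --sport 4500 -j RULE_5' \
    | check_ike_sport || echo "  flagged: source port pinned"
fi
```

Run it with `sh check_ipsec_rules.sh demo` (any file name works), or pipe real output into the lint: `iptables-save | sh -c '. ./check_ipsec_rules.sh; check_ike_sport'`. Dropping the `--sport` match does not weaken the policy in a meaningful way, since IKE and ESP authenticate the peer themselves; the firewall's job here is only to admit the traffic to the IPsec stack.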