[Openswan Users] It doesn't work

Peter McGill petermcgill at goco.net
Wed Nov 1 17:22:29 EST 2006

> Oh... PROTOCOL 50... Oops.
> Protocol 50 on ANY port, or just port 500 and 4500?

There are no ports on protocol 50; don't allow or deny any ports.
TCP and UDP have ports, no other IP protocol that I'm aware of uses ports.

>   Paul> The tunnel, which is established over IKE works, but I think
>   Paul> you do not allow the ESP packets through, so after a minute
>   Paul> of failing, the Windows client hangs up.
> I see. I'll have a look at how to modify my firewall to allow that.

If you're using iptables, the following rules should work for most openswan setups:
iptables -t mangle -A INPUT -i eth0 -p udp --dport isakmp -j MARK --set-mark 1 # isakmp = 500
iptables -t mangle -A INPUT -i eth0 -p udp --dport 4500 -j MARK --set-mark 1 # 4500 is used w/ nat-t
iptables -t mangle -A INPUT -i eth0 -p esp -j MARK --set-mark 1 # esp = 50
# most of us don't use ah, so you can probably leave the next line out, I've included it for completeness
iptables -t mangle -A INPUT -i eth0 -p ah -j MARK --set-mark 1 # ah = 51
iptables -A INPUT -m mark --mark 1 -j ACCEPT
iptables -A FORWARD -m mark --mark 1 -j ACCEPT
# if you're not using this (iptables -A OUTPUT -j ACCEPT), then you'll also need the following.
iptables -A OUTPUT -o eth0 -p udp --sport isakmp -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 4500 -j ACCEPT
iptables -A OUTPUT -o eth0 -p esp -j ACCEPT
iptables -A OUTPUT -o eth0 -p ah -j ACCEPT # again you only need this if you're using ah
And of course replace eth0 with your public interface if it's different, and change the mark (1) if you're using 1 for something else.
Other rules could still disrupt the traffic internal to your network or even between the tunnel endpoints, depending on ordering, and so you should still read up on iptables and understand the flow and what's going on.

Peter McGill
Software Developer / Network Administrator
Gra Ham Energy Limited 
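The three flows the rules above let through (UDP 500, UDP 4500 and IP protocol 50) are easy to get half right, so here is an added check script, not part of the original post, that scans iptables-save style output for an INPUT rule covering each one on the public interface. The two rulesets are constructed samples, and the matching is a heuristic on rule text (it does not follow jump targets), so treat its result as a prompt to look, not as proof.

```shell
#!/bin/sh
# Constructed sample: complete ruleset in the shape the post describes.
SAMPLE_OK='
*mangle
-A INPUT -i eth0 -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A INPUT -i eth0 -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
-A INPUT -i eth0 -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
-A INPUT -m mark --mark 0x1 -j ACCEPT
COMMIT
'
# Constructed sample: the common mistake of forgetting NAT-T (UDP 4500).
SAMPLE_MISSING='
*mangle
-A INPUT -i eth0 -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A INPUT -i eth0 -p esp -j MARK --set-xmark 0x1/0xffffffff
COMMIT
'

# Print one line per required flow that has no INPUT rule on the interface.
# Usage: missing_ipsec_rules "<iptables-save text>" [interface, default eth0]
missing_ipsec_rules() {
    rules=$1
    iface=${2:-eth0}
    # Only INPUT rules bound to the public interface are considered.
    input=$(printf '%s\n' "$rules" | grep -- "^-A INPUT .*-i $iface " || true)
    printf '%s\n' "$input" | grep -Eq -- '-p udp .*--dport (500|isakmp)( |$)' || echo "udp/500 (isakmp)"
    printf '%s\n' "$input" | grep -Eq -- '-p udp .*--dport 4500( |$)' || echo "udp/4500 (nat-t)"
    # ESP is a protocol, not a port: a "-p esp --dport" rule cannot exist.
    printf '%s\n' "$input" | grep -Eq -- '-p (esp|50)( |$)' || echo "proto 50 (esp)"
}

# Returns 0 when all three flows are covered, 1 otherwise (and lists the gaps).
check_ipsec_rules() {
    missing=$(missing_ipsec_rules "$1" "$2")
    if [ -n "$missing" ]; then
        echo "missing on ${2:-eth0}:"
        echo "$missing"
        return 1
    fi
    echo "ok: isakmp, nat-t and esp are all accepted on ${2:-eth0}"
}

check_ipsec_rules "$SAMPLE_OK" eth0
missing_ipsec_rules "$SAMPLE_MISSING" eth0
```

On a live gateway, feed it the real table with `check_ipsec_rules "$(iptables-save)" eth0`.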
