[Openswan Users] OpenS/WAN and Shorewall clarification
Peter McGill
petermcgill at goco.net
Mon Jun 4 09:02:53 EDT 2007
> -----Original Message-----
> Date: Fri, 1 Jun 2007 21:27:59 +0100 (BST)
> From: "Jim Blake" <jim at blakes.homeip.net>
> Subject: [Openswan Users] OpenS/WAN and Shorewall clarification
> To: users at openswan.org
>
> I have an OpenS/WAN server behind a NAT-ing (shorewall) firewall, with
> "nat_traversal=yes" in ipsec.conf. I am trying to set up an ipsec tunnel
> from a test OpenS/WAN server on the Internet, also with "nat_traversal=yes".
>
> Assuming the left and right descriptors in the ipsec.conf file are right,
> do I:
> 1) need to do anything other than open up the firewall so that port 50
> (IP), port 500 (UDP) and port 4500 (UDP) can go freely in both directions
> across the firewall, with the following in the "rules" file:
>
> # Lines added for IPsec
> ACCEPT loc net tcp 50
> ACCEPT net loc tcp 50
> ACCEPT loc net udp 500
> ACCEPT net loc udp 500
> ACCEPT loc net udp 4500
> ACCEPT net loc udp 4500
Not quite, it's not port 50 but protocol 50, like so.
ACCEPT loc net 50 (esp)
ACCEPT net loc 50 (esp)
ACCEPT loc net udp 500 (isakmp)
ACCEPT net loc udp 500 (isakmp)
ACCEPT loc net udp 4500 (nat-t)
ACCEPT net loc udp 4500 (nat-t)
Peter
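An added example, not part of this thread and not Shorewall's own tooling: a small Python checker that reads Shorewall "rules" lines and reports whether the three IPsec allowances from the reply (IP protocol 50 for ESP, udp/500 for ISAKMP, udp/4500 for NAT-T) are present in both directions between the loc and net zones, and flags the "tcp 50" mistake from the question. It assumes the usual column layout ACTION SOURCE DEST PROTO DEST-PORT and that a protocol name such as "esp" is equivalent to 50; the sample rule sets are constructed from the two messages above.

```python
# Required allowances per the reply: (proto, dest-port) -> description.
# ESP has no port, so its entry carries port None.
REQUIRED = {
    ("50", None): "esp (IP protocol 50, not a port)",
    ("udp", "500"): "isakmp",
    ("udp", "4500"): "nat-t",
}
# Assumption: a protocol name from /etc/protocols may appear in PROTO; map "esp" to 50.
PROTO_ALIASES = {"esp": "50"}

def parse_rules(text):
    """Parse rules text into (action, src, dst, proto, port) tuples.
    Assumed columns: ACTION SOURCE DEST PROTO [DEST-PORT]; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4:            # need at least ACTION SOURCE DEST PROTO
            continue
        proto = f[3].lower()
        proto = PROTO_ALIASES.get(proto, proto)
        port = f[4] if len(f) > 4 else None
        rules.append((f[0].upper(), f[1], f[2], proto, port))
    return rules

def check_ipsec(text, a="loc", b="net"):
    """Return (missing, mistakes): required allowances absent in either
    direction, and any tcp/udp rule that mistakes ESP for a port 50."""
    rules = parse_rules(text)
    missing, mistakes = [], []
    for (proto, port), name in REQUIRED.items():
        for src, dst in ((a, b), (b, a)):
            if ("ACCEPT", src, dst, proto, port) not in rules:
                missing.append(f"{src}->{dst} {name}")
    for _act, src, dst, proto, port in rules:
        if proto in ("tcp", "udp") and port == "50":
            mistakes.append(f"{src}->{dst} {proto}/50: ESP is IP protocol 50, not a port")
    return missing, mistakes

# Constructed sample inputs: the UDP lines shared by both messages, plus the
# "tcp 50" lines from the question and the "50" (protocol) lines from the reply.
COMMON = ("ACCEPT loc net udp 500\nACCEPT net loc udp 500\n"
          "ACCEPT loc net udp 4500\nACCEPT net loc udp 4500\n")
JIM_RULES = "# Lines added for IPsec\nACCEPT loc net tcp 50\nACCEPT net loc tcp 50\n" + COMMON
PETER_RULES = "ACCEPT loc net 50\nACCEPT net loc 50\n" + COMMON
```

Running check_ipsec(JIM_RULES) reports ESP missing in both directions and two tcp/50 mistakes, while check_ipsec(PETER_RULES) returns two empty lists.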