[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement
Rolando Zappacosta
zappacor at yahoo.com.ar
Tue Apr 7 02:11:16 EDT 2009
> > I could finally manage to get OSW to work against a
> > Lucent VPN Gateway even through NAT. So, in case someone else
> > needs such a connection, compile the code below and then run this:
> > modprobe ip_queue
> > UDP501encap &
> > iptables -A OUTPUT -d <GW IP addr> -j QUEUE
> > iptables -A INPUT -s <GW IP addr> -j QUEUE
> > before launching OSW as usual.
>
> Is that IP the local IP or the remote IP?
The remote one; we encapsulate on Tx to the far end and we decapsulate on Rx from the far end.
> > Is there a way to add this short & simple piece of
> > code into OSW? I heard other commercial products do this
> > same thing (changing the UDP port to something other than 501 though, but
> > this could be made user-configurable).
>
> Can you provide a README for this explaining the problem
> and the solution?
> Then I'll add it to the contrib/ directory.
It'll take me some time. In fact it's been a long time since I came up with this home-made solution, and I could only e-mail you just now. :-(
> Is this a portforward from 501 to 500? If so, why does it
> need to go through userland?
No. Lucent's way to work around NATing is to change this:
| IP | whatever L4 proto | Payload |
where IP has the (IP source; IP dest) within it
into this:
| IP | UDP:XXX | IP | whatever L4 proto | Payload |
where both IP headers have the same (IP source; IP dest) within them and XXX is the configurable UDP port (default=501).
In a nutshell, they "tunnelize" all the traffic between the client and the gateway into an IP/UDP:XXX header.
Maybe there are better ways to do it, but using iptables QUEUE is the one we used to encapsulate/decapsulate. I thought about adding it to the OSW code, as well as some code to make it manipulate the iptables QUEUE stuff, but got lost on it. :-(
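The IP/UDP:XXX framing described above, as an added Python example (not the UDP501encap program from the thread, whose source is not on this page): it wraps a constructed ESP packet in an outer IP/UDP header that copies the inner (src, dst), and on the receive side strips that header only when the port and the inner/outer addresses match. Port 501 is the thread's default; the addresses and payload are constructed.

```python
import struct

LUCENT_UDP_PORT = 501  # default XXX from the thread; the gateway can change it


def ipv4_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: bytes, dst: bytes, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) in front of payload, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def encapsulate(packet: bytes, port: int = LUCENT_UDP_PORT) -> bytes:
    """Tx direction: | IP | UDP:port | <original IP packet> |, outer src/dst copied from inner."""
    udp = struct.pack("!HHHH", port, port, 8 + len(packet), 0) + packet  # UDP csum 0 = omitted
    return build_ipv4(17, packet[12:16], packet[16:20], udp)


def decapsulate(packet: bytes, port: int = LUCENT_UDP_PORT):
    """Rx direction: return the inner IP packet, or None if this is not a UDP:port capsule."""
    if len(packet) < 28 or packet[0] >> 4 != 4 or packet[9] != 17:
        return None
    ihl = (packet[0] & 0x0F) * 4
    _sport, dport, ulen = struct.unpack("!HHH", packet[ihl:ihl + 6])
    inner = packet[ihl + 8:ihl + ulen]
    if dport != port or len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    if inner[12:20] != packet[12:20]:  # the scheme requires identical (src, dst) inside and out
        return None
    return inner


# Constructed sample: an ESP (proto 50) packet from client 10.0.0.2 to gateway 192.0.2.1
INNER = build_ipv4(50, bytes([10, 0, 0, 2]), bytes([192, 0, 2, 1]),
                   b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"ciphertext")

if __name__ == "__main__":
    capsule = encapsulate(INNER)
    assert decapsulate(capsule) == INNER
    print(len(INNER), "->", len(capsule), "bytes; outer proto", capsule[9],
          "dport", struct.unpack("!H", capsule[22:24])[0])
```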