[Openswan Users] Connection against a Lucent FW success!!!! but may be there's still room for improvement

Rolando Zappacosta zappacor at yahoo.com.ar
Tue Apr 7 02:11:16 EDT 2009


> >   I could finally manage to get OSW to work against a
> Lucent VPN Gateway even through NAT. So, in case someone else
> needs such a connection, compile the code below and then run this:
> >   modprobe ip_queue
> >   UDP501encap &
> >   iptables -A OUTPUT -d <GW IP addr> -j QUEUE
> >   iptables -A INPUT -s <GW IP addr> -j QUEUE
> > before launching OSW as usual.
> 
> Is that IP the local IP or the remote IP?
The remote one: we encapsulate on Tx to the far end and we decapsulate on Rx from the far end.

> > Is there a way to add this short & simple piece of
> code into OSW? I heard other commercial products do this
> same thing (using a UDP port other than 501 though, but
> this could be made user-configurable).
> 
> Can you provide a README for this explaining the problem
> and the solution?
> Then I'll add it to the contrib/ directory.
It'll take me some time. It's been a long time, in fact, since I came up with this home-made solution, and I could only e-mail you about it just now.  :-(

> Is this a portforward from 501 to 500? If so, why does it
> need to go through userland?
No. Lucent's way to work around NATing is to change this:
   | IP | whatever L4 proto | Payload |
   where IP has the (IP source; IP dest) within it
into this:
   | IP | UDP:XXX | IP | whatever L4 proto | Payload |
   where both IP headers have the same (IP source; IP dest) within them and XXX is the configurable UDP port (default=501)

In a nutshell, they "tunnelize" all the traffic between the client and the gateway into an IP/UDP:XXX header.

Maybe there are better ways to do it, but using iptables QUEUE is the one we used to encapsulate/decapsulate. I thought about adding it to the OSW code, as well as some code to make it manipulate the iptables QUEUE stuff, but got lost on it. :-(
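The encapsulation described above, as an added example that is not the poster's UDP501encap program or any Openswan code: a pure-Python model of the Tx (encapsulate) and Rx (decapsulate) transform that the userland ip_queue helper performs on each queued packet. The outer IP header copies the inner packet's source and destination addresses, the outer UDP header carries the configurable port (501 by default), and the Rx side rejects anything that is not a well-formed encapsulated packet. It touches no sockets; the client/gateway addresses and the IKE-looking sample packet are constructed for the example.

```python
"""
Lucent-style UDP encapsulation of whole IP packets, as described in the post:

    | IP | L4 | payload |   ->   | IP | UDP:501 | IP | L4 | payload |

Added example, not the poster's UDP501encap program: a pure-Python model of the
encapsulate (Tx) / decapsulate (Rx) transform that the ip_queue/iptables QUEUE
helper performs in userland. Nothing here touches the network.
"""
import struct

IPPROTO_UDP = 17
LUCENT_UDP_PORT = 501  # default port from the post; configurable on real products


def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over a header (odd length is padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(pkt: bytes):
    """Return (ihl_bytes, total_len, proto, src, dst) after sanity checks."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("bad IPv4 length fields")
    if ip_checksum(pkt[:ihl]) != 0:  # a valid header sums to zero with its checksum in place
        raise ValueError("bad IPv4 header checksum")
    return ihl, total_len, proto, ".".join(map(str, src)), ".".join(map(str, dst))


def encapsulate(inner: bytes, port: int = LUCENT_UDP_PORT) -> bytes:
    """Tx path: wrap an entire IP packet in an outer IP/UDP:port header whose
    addresses are copied from the inner packet, exactly as the post describes."""
    _, total_len, _, src, dst = parse_ipv4_header(inner)
    inner = inner[:total_len]
    udp_len = 8 + len(inner)
    udp_hdr = struct.pack("!HHHH", port, port, udp_len, 0)  # UDP checksum 0 = none (legal on IPv4)
    return build_ipv4_header(src, dst, IPPROTO_UDP, udp_len) + udp_hdr + inner


def decapsulate(pkt: bytes, port: int = LUCENT_UDP_PORT) -> bytes:
    """Rx path: strip the outer IP/UDP:port header and return the inner IP packet.
    Raises ValueError for anything that is not a well-formed encapsulated packet,
    so a caller can pass such traffic through untouched."""
    ihl, total_len, proto, src, dst = parse_ipv4_header(pkt)
    if proto != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    _, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != port:
        raise ValueError("outer UDP destination port is not %d" % port)
    if udp_len < 8 + 20 or ihl + udp_len > total_len:
        raise ValueError("bad UDP length")
    inner = pkt[ihl + 8:ihl + udp_len]
    _, inner_len, _, isrc, idst = parse_ipv4_header(inner)
    if (isrc, idst) != (src, dst):
        raise ValueError("inner and outer addresses disagree")
    return inner[:inner_len]


# Constructed sample (hypothetical addresses and payload, not a real IKE message):
# a small UDP/500 packet from the client to the gateway.
CLIENT, GATEWAY = "192.0.2.10", "198.51.100.1"
SAMPLE_IKE_PAYLOAD = b"\x00" * 16 + b"\x21\x10\x02\x00" + b"\x00" * 8
_udp = struct.pack("!HHHH", 500, 500, 8 + len(SAMPLE_IKE_PAYLOAD), 0) + SAMPLE_IKE_PAYLOAD
SAMPLE_INNER = build_ipv4_header(CLIENT, GATEWAY, IPPROTO_UDP, len(_udp)) + _udp


def roundtrip(inner: bytes = SAMPLE_INNER, port: int = LUCENT_UDP_PORT) -> bool:
    """Encapsulate then decapsulate; True if the original packet comes back intact."""
    return decapsulate(encapsulate(inner, port), port) == inner


if __name__ == "__main__":
    wrapped = encapsulate(SAMPLE_INNER)
    print("inner %d bytes -> encapsulated %d bytes (28 bytes of overhead)"
          % (len(SAMPLE_INNER), len(wrapped)))
    print("round trip ok:", roundtrip())
```

In the real helper these two functions would sit in the ip_queue read loop, with encapsulate applied to verdicts on the OUTPUT chain and decapsulate on INPUT; the iptables rules in the post already restrict what reaches the queue to traffic to/from the gateway address, and the Rx checks above are what keep a stray UDP/501 datagram from being injected as a raw IP packet.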
