[Openswan Users] Blocking udp 1701 from outside on 2.6.26 (netkey)

Willie Gillespie wgillespie+openswan at es2eng.com
Mon Oct 11 19:02:38 EDT 2010

The way I've commonly done this is to allow traffic to udp/1701 if it is 
encapsulated in IPsec, but then block (either explicitly or by default 
depending on the rest of your firewall set up)

-A INPUT -m policy --dir in --pol ipsec -p udp --dport 1701 -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP

Gottfried Haider wrote:
> Hello all,
> I was wondering how one can go to prevent the xl2tpd from being
> accessible to the outside world while still retaining the
> l2tp-over-ipsec capability. My system is a virtualized server running
> a 2.6.26 kernel which I cannot modify, so changing the kernel to KLIPS
> is not an option..
> For the setup I largely followed
> http://riobard.com/blog/2010-04-30-l2tp-over-ipsec-ubuntu/. Over at
> Jacco de Leeuw's page [1] I read about the issue - unfortunately many
> of the pointers he gives of how to fix this ain't working anymore.
> What's the proper way to fix this nowadays? (I checked with nmap, port
> 1701 is indeed open|filtered.)
> regards,
> Gottfried
> [1] http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan: 
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155

More information about the Users mailing list