My two cents, which I believe I have read in the LEAF or Charles' docs, is that in my case I restricted the UDP 500 and Protocol to just the IPs of the other end of my VPN connection, again attempting to limit the holes going through the FW.
At 09:04 AM 1/22/02 -0600, Charles Steinkuehler wrote:
>Yes, there are settings in /etc/network.conf for what you need to do.
>
>To masquerade an IPSec connection through Dachstein (floppy):
>
>- Load the ip_masq_ipsec module (edit /etc/modules)
>
>- Open UDP port 500:
> EXTERN_UDP_PORTS="0/0_500"
>
>- Open *Protocol* 50:
> EXTERN_PROTO0="50 0/0"
>
>AFAIK, you only need to port-forward UDP port 500 to your internal system if
>the remote end will be initiating the VPN link...if you initiate the VPN
>link from your end, the masquerade rules will automatically know where to
>send the packets.
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
>----- Original Message -----
>From: "Michael Leone" <[EMAIL PROTECTED]>
>To: "LEAF-User" <[EMAIL PROTECTED]>
>Sent: Monday, January 21, 2002 6:55 PM
>Subject: [Leaf-user] Dachstein (floppy) passing IPSec ...
>
>
>I'm using Dachstein (floppy). I'd like to use the Cisco Secure client,
>on a Win98 station on my LAN, to connect to my Pix at work. I do NOT
>want the Dachstein to be one end of the IPSec tunnel; only to pass the
>IPSec traffic to my (NATed) workstation. (eventually, when I get the
>3DES license for my Pix, I'll want the Dachstein to be an end-point. Not
>yet, tho)
>1. I'd need to load ip_masq_ipsec on Dachstein, yes?
>2. I'd need to open port 50, and port-forward protocol 500? Are there
>entries already in Dachstein (/etc/ipfilter.conf?) to do this already,
>and just need to be uncommented?
>
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
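As an added example (not from the thread or the LEAF project), a small Python audit that parses the /etc/network.conf variables quoted above and flags IKE (UDP 500) and ESP (protocol 50) holes opened to 0/0 instead of to the VPN peer, which is the restriction the reply above describes. The entry formats src/mask_port and "proto src" are taken from the quoted lines; the peer address 203.0.113.5 is a constructed placeholder.

```python
import re

# Constructed fragment of a Dachstein /etc/network.conf in the style quoted in
# the thread (not copied from a real box): IKE and ESP are opened to any source.
OPEN_TO_WORLD = '''
EXTERN_UDP_PORTS="0/0_domain 0/0_500"
EXTERN_PROTO0="50 0/0"
'''

# The same two holes narrowed to a single VPN peer; 203.0.113.5 is a constructed
# documentation address standing in for "the other end of my VPN connection".
PEER_ONLY = '''
EXTERN_UDP_PORTS="0/0_domain 203.0.113.5/32_500"
EXTERN_PROTO0="50 203.0.113.5/32"
'''

def parse_conf(text):
    """Return NAME -> value for NAME="value" lines, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Z0-9_]+)="?([^"#]*)"?', line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def is_any_source(src):
    """True when a source spec matches every address (0/0, 0.0.0.0/0 or any /0)."""
    addr, _, mask = src.partition("/")
    return mask == "0" or (addr in ("0", "0.0.0.0") and mask == "")

def audit(text):
    """List (variable, entry, reason) for IKE/ESP openings that allow any source."""
    findings = []
    conf = parse_conf(text)
    for entry in conf.get("EXTERN_UDP_PORTS", "").split():
        src, _, port = entry.rpartition("_")          # entry format: src/mask_port
        if port == "500" and is_any_source(src):
            findings.append(("EXTERN_UDP_PORTS", entry, "IKE (UDP 500) open to any source"))
    for name, value in conf.items():
        if re.fullmatch(r"EXTERN_PROTO\d+", name):
            proto, _, src = value.partition(" ")      # value format: proto src/mask
            if proto == "50" and is_any_source(src.strip()):
                findings.append((name, value, "ESP (protocol 50) open to any source"))
    return findings

if __name__ == "__main__":
    for label, text in (("open to world", OPEN_TO_WORLD), ("peer only", PEER_ONLY)):
        print(label, audit(text))
```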
