Charles wrote:
> IIRC, you should be able to get through IKE with nothing more than UDP
> masquerading enabled. You might need to open UDP port 500 to inbound
> traffic (use EXTERN_UDP_PORTS in network.conf). You'll also need
> protocol 50 opened once you get IKE working, which you can do with:
> EXTERN_PROTO0="50 0/0"

I have this working on my home LAN. I have three machines (Windows 98SE, Windows NT 4.0 and Linux (RedHat 6.1)) on the LAN all using VPN simultaneously with the Cisco clients through a Dachstein firewall. They connect to company gateways running Cisco concentrators.

I had to load ip_masq_ipsec.o on the firewall and accept incoming UDP traffic to port 500. I just looked at my firewall logs, and the rule accepting the UDP traffic has had 4229 packets since Tuesday. I also have a rule accepting traffic on protocol 50. It has not had a packet. The data channel has had many megabytes of data, but I don't log it separately.

Anyway, the Cisco client has an option to enable logging. I had to use it to run down one problem on the machine running Linux. I used cisco_cert_mgr to import the certificate. I tried to make a connection, and the attempt failed. The log showed that the certificate was tested as invalid. This surprised me, since it worked from the Windows machines. I had to go back to my downtown office and re-export the certificate, making sure that I exported the "full path" or some such words. That certificate works fine on the Linux machine.

I don't know much about IKE. I guess that the Cisco Windows client that I use was configured to validate the certificate by looking up the certificate authority online, while the Linux client wanted all the information to be present locally.

leaf-user mailing list: https://lists.sourceforge.net/lists/listinfo/leaf-user
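The post above checks whether the UDP 500 (IKE) and protocol 50 (ESP) rules are actually being hit by reading the firewall logs. The script below, an added example and not code from the thread or from the LEAF project, does that count over ipchains-style "Packet log:" syslog lines; the sample lines and addresses are constructed, and the exact log layout on a given Dachstein build is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the ipchains kernel-log style that a LEAF/Dachstein box
# writes to syslog. Addresses come from documentation ranges; the last line is
# an unrelated blocked telnet attempt so the classifier has something to ignore.
SAMPLE_LOG = """\
Packet log: input ACCEPT eth0 PROTO=17 203.0.113.10:500 198.51.100.5:500 L=164 S=0x00 I=0 F=0x0000 T=64
Packet log: input ACCEPT eth0 PROTO=17 203.0.113.10:500 198.51.100.5:500 L=92 S=0x00 I=0 F=0x0000 T=64
Packet log: input ACCEPT eth0 PROTO=50 203.0.113.10 198.51.100.5 L=120 S=0x00 I=0 F=0x0000 T=64
Packet log: input DENY eth0 PROTO=6 203.0.113.77:4321 198.51.100.5:23 L=60 S=0x00 I=0 F=0x4000 T=64 SYN (#3)
"""

# Assumed layout: chain, verdict, interface, PROTO=n, src[:port], dst[:port].
# Port suffixes are optional so that ESP (no ports) parses too.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)
UDP_PROTO, IKE_PORT, ESP_PROTO = 17, 500, 50


def parse_line(line):
    """Return a dict for one ipchains log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def classify(rec):
    """Map a parsed record onto the two IPsec pieces the thread talks about."""
    if rec["proto"] == UDP_PROTO and IKE_PORT in (rec["sport"], rec["dport"]):
        return "ike"   # ISAKMP/IKE key exchange over UDP 500
    if rec["proto"] == ESP_PROTO:
        return "esp"   # the encrypted data channel, IP protocol 50
    return "other"


def summarize(log_text):
    """Count log lines per traffic class and firewall verdict."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[classify(rec)][rec["verdict"]] += 1
    return {cls: dict(c) for cls, c in counts.items()}
```

Run `summarize` over `/var/log/messages` (or wherever your Dachstein box logs) to see IKE and ESP counts side by side; a healthy tunnel shows accepted IKE packets, and zero ESP hits with data still flowing is the pattern described above.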
