/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting! 
/* ALSO: Don't quote this header. It makes you look lame :-) */


Hi,

I am having trouble making an IPSEC-based VPN connection.  We are using
a SecurID token in conjunction with Cisco 3000 VPN Client software on
Windows 2000.  When connected directly to the Internet, everything is
working fine.  I would like to be able to have this work through our
firewall.

Our firewall is running Red Hat 6.1 with a newly compiled 2.2.19 kernel
(kernel.org source) with the VPN patch and the ip_masq_ipsec module
installed.  I have added the necessary ipchains rules to the firewall
script allowing UDP 500 and protocol 50 through the firewall.  Masq works
for everything else but IPSEC.

When the Cisco client attempts a connection, things look OK until it
tries to authenticate using the SecurID token.  At this point the
connection fails.  A tcpdump shows the initial connection on port 500,
and traffic on protocol 50 during the SecurID authentication.  It looks
like things are being masqueraded through, but the connection fails.

What I'm wondering is whether anyone has any experience with this, whether
anyone knows if it will work, or whether I should give up.  The VPN HOWTO
mentions that "IPsec traffic using transport-mode ESP also cannot be
reliably masqueraded".  How do I know if this is the problem in my case?

Thanks for any help that you may provide.
Scott
[EMAIL PROTECTED]

Here's a copy of the tcpdump.  eth0 is the outside card and eth1 is the
inside card.

16:13:07.097394 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 311
16:13:07.097544 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 311
16:13:07.345998 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 260
16:13:07.346115 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 260
16:13:07.381564 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 52
16:13:07.381705 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 52
16:13:07.939040 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 308
16:13:07.939138 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 308
16:13:08.204764 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 76
16:13:08.204836 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 76
16:13:15.483564 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 84
16:13:15.483715 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 84
16:13:16.779519 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 236
16:13:16.779599 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 236
16:13:16.880466 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 76
16:13:16.880611 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 76
16:13:17.205745 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 180
16:13:17.205817 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 180
16:13:17.218896 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 52
16:13:17.219054 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 52
16:13:17.944470 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 284
16:13:17.944576 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 284
16:13:17.949219 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 276
16:13:17.949360 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 276
16:13:18.151611 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 188
16:13:18.151685 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 188
16:13:18.153466 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 68
16:13:18.153550 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 68
16:13:18.164622 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 52
16:13:18.164782 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 52
16:13:19.823443 eth1 < 192.168.1.7 > vpn.svr.ip.addr: ip-proto-50 108
16:13:19.823550 eth0 > fw.ext.ip.addr > vpn.svr.ip.addr: ip-proto-50 108
16:13:20.031787 eth0 < vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 164 (DF)
16:13:20.031901 eth1 > vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 164 (DF)
16:13:20.036250 eth1 < 192.168.1.7 > vpn.svr.ip.addr: ip-proto-50 92
16:13:20.036367 eth0 > fw.ext.ip.addr > vpn.svr.ip.addr: ip-proto-50 92
16:13:20.060435 eth0 < vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 1476 (DF)
16:13:20.060550 eth1 > vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 1476 (DF)
16:13:20.065154 eth1 < 192.168.1.7 > vpn.svr.ip.addr: ip-proto-50 1476
16:13:20.065293 eth0 > fw.ext.ip.addr > vpn.svr.ip.addr: ip-proto-50 1476
16:13:20.240727 eth0 < vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 508 (DF)
16:13:20.240795 eth1 > vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 508 (DF)
16:13:20.306276 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 311
16:13:20.306414 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 311
16:13:20.519461 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 260
16:13:20.519532 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 260
16:13:20.554995 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 52
16:13:20.555131 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 52
16:13:20.949086 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 308
16:13:20.949184 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 308
16:13:21.082056 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 76
16:13:21.082153 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 76
16:13:36.080851 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 76
16:13:36.080932 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 76
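Scott's last question is how to tell from a capture like this whether the HOWTO's caveat applies. The script below is an added example, not part of the post and not code from the masq or ipchains projects. It parses the 2.2-era tcpdump line format shown above (an excerpt of the posted capture is embedded as the sample input) and reports the facts a reader would check before blaming the masquerade: whether every packet received on one card reappeared on the other, how much ESP crossed the outside card in each direction, the largest ESP packet and whether it carried DF, which destination the inbound ESP showed on the outside card, and whether the client started IKE over again after ESP traffic had begun. The interface names and the rule "UDP with port 500 at both ends is ISAKMP" are assumptions taken from the capture itself.

```python
"""Timeline check for IPsec-through-masquerade tcpdump output (added example)."""
import re
from dataclasses import dataclass

# Excerpt of the capture posted above (2.2-era tcpdump format:
# "<time> <iface> <direction> <src> > <dst>: <proto> <len> [(DF)]").
SAMPLE = """\
16:13:07.097394 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 311
16:13:07.097544 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 311
16:13:07.345998 eth0 < vpn.svr.ip.addr.500 > fw.ext.ip.addr.500: udp 260
16:13:07.346115 eth1 > vpn.svr.ip.addr.500 > 192.168.1.7.500: udp 260
16:13:19.823443 eth1 < 192.168.1.7 > vpn.svr.ip.addr: ip-proto-50 108
16:13:19.823550 eth0 > fw.ext.ip.addr > vpn.svr.ip.addr: ip-proto-50 108
16:13:20.031787 eth0 < vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 164 (DF)
16:13:20.031901 eth1 > vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 164 (DF)
16:13:20.060435 eth0 < vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 1476 (DF)
16:13:20.060550 eth1 > vpn.svr.ip.addr > 192.168.1.7: ip-proto-50 1476 (DF)
16:13:20.065154 eth1 < 192.168.1.7 > vpn.svr.ip.addr: ip-proto-50 1476
16:13:20.065293 eth0 > fw.ext.ip.addr > vpn.svr.ip.addr: ip-proto-50 1476
16:13:20.306276 eth1 < 192.168.1.7.500 > vpn.svr.ip.addr.500: udp 311
16:13:20.306414 eth0 > fw.ext.ip.addr.500 > vpn.svr.ip.addr.500: udp 311
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) (?P<dir>[<>]) "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<proto>udp|ip-proto-50) (?P<len>\d+)"
    r"(?P<df> \(DF\))?$"
)


@dataclass
class Pkt:
    ts: float        # seconds since midnight
    iface: str
    inbound: bool    # '<' = received on iface, '>' = sent on iface
    src: str
    dst: str
    proto: str       # "isakmp" (udp/500 both ends), "udp" or "esp"
    length: int
    df: bool


def _ts_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text):
    """Turn tcpdump lines into Pkt records; port suffixes exist only on UDP lines."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised tcpdump line: {line!r}")
        if m["proto"] == "udp":
            src, sport = m["src"].rsplit(".", 1)
            dst, dport = m["dst"].rsplit(".", 1)
            proto = "isakmp" if sport == dport == "500" else "udp"
        else:
            src, dst, proto = m["src"], m["dst"], "esp"
        pkts.append(Pkt(_ts_seconds(m["ts"]), m["iface"], m["dir"] == "<",
                        src, dst, proto, int(m["len"]), bool(m["df"])))
    return pkts


def forwarded_pairs(pkts, outside="eth0", inside="eth1"):
    """Pair each packet received on one card with its copy sent on the other
    (next observation, same protocol and length). Returns (pairs, unmatched)."""
    pairs, unmatched = [], []
    for i, p in enumerate(pkts):
        if not p.inbound:
            continue
        far = inside if p.iface == outside else outside
        nxt = pkts[i + 1] if i + 1 < len(pkts) else None
        if (nxt and not nxt.inbound and nxt.iface == far
                and nxt.proto == p.proto and nxt.length == p.length):
            pairs.append((p, nxt))
        else:
            unmatched.append(p)
    return pairs, unmatched


def analyse(pkts, outside="eth0"):
    """Summarise what crossed the outside card and whether IKE was re-run after
    ESP had started; a fresh IKE exchange after ESP is the client giving up on
    the data path, not on the key exchange."""
    out = [p for p in pkts if p.iface == outside]
    esp = [p for p in out if p.proto == "esp"]
    ike = [p for p in out if p.proto == "isakmp"]
    first_esp = min((p.ts for p in esp), default=None)
    last_esp = max((p.ts for p in esp), default=None)
    pairs, unmatched = forwarded_pairs(pkts, outside=outside)
    return {
        "ike_before_esp": sum(1 for p in ike if first_esp is None or p.ts < first_esp),
        "esp_out": sum(1 for p in esp if not p.inbound),
        "esp_in": sum(1 for p in esp if p.inbound),
        "esp_max_len": max((p.length for p in esp), default=0),
        "esp_in_df": any(p.df for p in esp if p.inbound),
        # destination address the inbound ESP carried when tcpdump saw it
        "esp_in_dst": sorted({p.dst for p in esp if p.inbound}),
        "ike_restarted_after_esp": last_esp is not None
        and any(p.ts > last_esp and not p.inbound for p in ike),
        "forwarded": len(pairs),
        "not_forwarded": len(unmatched),
    }


if __name__ == "__main__":
    for key, value in analyse(parse(SAMPLE)).items():
        print(f"{key:25} {value}")
```

Run against the full posted capture, the output says two things worth knowing before touching the ipchains rules: every packet received on one card was sent on the other, so the box is passing ESP in both directions, and the client nevertheless began a fresh ISAKMP exchange (the same 311-byte first message) immediately after the burst of ESP. The inbound ESP also shows the inside host's address on the outside card, and the larger inbound ESP packets carry DF, which are the details to look at next when asking what happens to the ESP payload after translation.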

_______________________________________________
Masq maillist  -  [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ -- 
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]

PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.