Scott Wayte wrote:
> Hi,
>
> I am having trouble making an IPSEC based VPN connection. We are using
> a SecurID token in conjunction with Cisco 3000 VPN Client software on
> Windows 2000. When connected directly to the Internet, everything is
> working fine. I would like to be able to have this work through our
> firewall.
>
> Our firewall is running Redhat 6.1 with a newly compiled 2.2.19 kernel
> (kernel.org source) with the VPN patch and the ip_masq_ipsec module
> installed. I have added the necessary ipchains rules to the firewall
> script allowing udp 500 and protocol 50 through the firewall. Masq works
> for everything else but IPSEC.
>
> When the Cisco client attempts a connection, things look ok until it
> tries to authenticate using the SecurID token. At this point the
> connection fails. A TCPDUMP shows the initial connection on port 500,
> and traffic on protocol 50 during the SecurID authentication. It looks
> like things are being masq-ed through, but the connection fails.
>
> What I'm wondering is if anyone has any experience with this, if anyone
> knows if it will work, or should I give up? In the VPN How-to, it
> mentions that "IPsec traffic using transport-mode ESP also cannot be
> reliably masqueraded". How do I know if this is the problem in my case?
Check your /var/log/messages file. If it contains denied packet logs
with a protocol of 51, then this is the problem you are having. Protocol
51 is AH (Authentication Header), which is normally used by IPsec as well
as the ESP protocol (50). You can live without it, but you'd have
to find out how to turn it off if you want to masquerade IPsec.
raf
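The check raf describes, as an added example that is not part of the thread: a small Python script that scans /var/log/messages-style lines for denied protocol 51 (AH) packets and tallies the IPsec-related traffic (protocols 50 and 51, and UDP port 500) by verdict. The sample lines are constructed to approximate the ipchains "Packet log:" format of a 2.2 kernel, with hypothetical hosts and addresses.

```python
import re
from collections import Counter

# IP protocol numbers relevant here (IANA assigned): ESP, AH, UDP (for IKE on port 500).
PROTO_NAMES = {50: "ESP", 51: "AH", 17: "UDP"}

# Constructed sample lines approximating the ipchains "Packet log:" format
# a 2.2 kernel writes to /var/log/messages (hypothetical hosts and addresses).
SAMPLE_LOG = """\
Jun  4 10:15:01 fw kernel: Packet log: forward ACCEPT eth0 PROTO=17 192.168.1.20:500 203.0.113.5:500 L=256 S=0x00 I=1234 F=0x0000 T=127
Jun  4 10:15:02 fw kernel: Packet log: forward ACCEPT eth0 PROTO=50 192.168.1.20:65535 203.0.113.5:65535 L=132 S=0x00 I=1235 F=0x0000 T=127
Jun  4 10:15:03 fw kernel: Packet log: forward DENY eth0 PROTO=51 192.168.1.20:65535 203.0.113.5:65535 L=88 S=0x00 I=1236 F=0x0000 T=127
Jun  4 10:15:03 fw kernel: Packet log: forward DENY eth0 PROTO=51 192.168.1.20:65535 203.0.113.5:65535 L=88 S=0x00 I=1237 F=0x0000 T=127
Jun  4 10:15:04 fw sshd[421]: Accepted password for scott from 192.168.1.7
"""

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_packet_logs(text):
    """Yield one dict per ipchains packet-log line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            for k in ("proto", "sport", "dport"):
                d[k] = int(d[k])
            yield d

def denied_ah_packets(text):
    """Return the denied AH (protocol 51) entries, the symptom raf points to."""
    return [e for e in parse_packet_logs(text)
            if e["target"] == "DENY" and e["proto"] == 51]

def ipsec_summary(text):
    """Count (protocol name, verdict) pairs for IPsec-related traffic only."""
    c = Counter()
    for e in parse_packet_logs(text):
        if e["proto"] in (50, 51) or (e["proto"] == 17 and 500 in (e["sport"], e["dport"])):
            c[(PROTO_NAMES[e["proto"]], e["target"])] += 1
    return c

if __name__ == "__main__":
    for e in denied_ah_packets(SAMPLE_LOG):
        print("denied AH: %(src)s -> %(dst)s on %(iface)s" % e)
    print(dict(ipsec_summary(SAMPLE_LOG)))
```

Pipe the real file in (e.g. replace SAMPLE_LOG with the contents of /var/log/messages) and a non-empty denied_ah_packets result means the AH rule is what's missing or needs turning off on the client side.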
_______________________________________________
Masq maillist - [EMAIL PROTECTED]