Hello mailing list, please excuse my bad English, but I am not a native speaker.

My network looks like this:

    Internet --- dyn. IP --- Firewall (shorewall) --- LAN (192.168.X.X)

Now I try to connect my iPhone (from mobile Internet, 3G) over VPN (l2tp/ipsec) with the firewall. But I can't open the necessary port 1701.

/var/log/syslog

    ...
    Dec 30 00:24:29 router kernel: [226128.293757] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:ae:d0:00:00:2d:11:bd:e5:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=44752 PROTO=UDP SPT=62933 DPT=1701 LEN=75
    Dec 30 00:24:30 router kernel: [226129.093450] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:92:d2:00:00:2d:11:d9:e3:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=37586 PROTO=UDP SPT=62933 DPT=1701 LEN=75
    ...

How could I open port 1701 for VPN l2tp/ipsec?

Thank you!

Like the description in http://www.shorewall.net/IPSEC-2.6.html I tried to configure:

/etc/shorewall/zones

    fw    firewall
    net   ipv4
    loc   ipv4
    vmn   ipv4      <--- subnet for virtual machines
    dmz   ipv4
    ovpn  ipv4      <--- subnet for OpenVPN (but the iPhone doesn't run with OpenVPN)
    wlan  ipv4
    vpn1  ipv4      <--- old VPN over PPTP - but unsure -> in future should be l2tp/ipsec
    vpn2  ipsec     <--- new entry
    l2tp  ipv4      <--- new entry
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces

    net   ppp0  detect  tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
    loc   eth0  detect  tcpflags,detectnets,nosmurfs
    dmz   eth2  detect  tcpflags,detectnets,nosmurfs
    ovpn  tun0  detect  tcpflags,detectnets,nosmurfs
    wlan  eth3  detect  tcpflags,dhcp,detectnets,nosmurfs
    vpn1  ppp1  detect  tcpflags,detectnets,nosmurfs
    vmn   eth4  detect  tcpflags,detectnets,nosmurfs
    l2tp  ppp2  -

/etc/shorewall/policy

    ...
    # Policies for l2tp
    #
    l2tp  net   ACCEPT  info
    l2tp  loc   ACCEPT  info
    l2tp  vmn   ACCEPT  info
    l2tp  wlan  ACCEPT  info
    l2tp  dmz   REJECT  info
    l2tp  $FW   REJECT  info
    l2tp  all   REJECT  info
    loc   l2tp  ACCEPT  info

/etc/shorewall/rules

    ...
    # Prevent IPSEC bypass by hosts behind a NAT gateway
    L2TP(REJECT)   net   $FW
    #REJECT        $FW   net   udp   -   1701
    # l2tp over the IPsec VPN
    ACCEPT         vpn2  $FW   udp   1701
    # webserver that can only be accessed internally
    HTTP(ACCEPT)   loc   $FW
    HTTP(ACCEPT)   l2tp  $FW
    HTTPS(ACCEPT)  loc   $FW
    HTTPS(ACCEPT)  l2tp  $FW
    ACCEPT         net   l2tp  udp   1701
    ACCEPT         l2tp  net   udp   1701
    ACCEPT         l2tp  $FW   udp   1701
    ACCEPT         $FW   l2tp  udp   1701
    ACCEPT         net   vpn2  udp   1701
    ACCEPT         vpn2  net   udp   1701
    ACCEPT         vpn2  $FW   udp   1701
    ACCEPT         $FW   vpn2  udp   1701

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
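The following is an added example, not part of the original post: a small Python parser for Shorewall kernel log lines of the form shown above. It extracts the chain, disposition, interfaces, addresses, protocol and ports, maps the inbound interface to a zone using the poster's /etc/shorewall/interfaces, and then walks the UDP 1701 rules from the poster's /etc/shorewall/rules in order to report the first one that matches the logged flow. The two log lines are the ones quoted in the post (embedded here as constructed sample input); the L2TP macro is expanded to udp 1701 as Shorewall's macro defines it. The zone lookup is an assumption of this example: it derives the source zone from the inbound interface alone, whereas Shorewall's ipsec zones (vpn2 here) additionally depend on the packet's IPsec policy, which the kernel log line does not record.

```python
import re
from collections import Counter

# Constructed sample: the two Shorewall log lines quoted in the post.
SAMPLE_LOG = """\
Dec 30 00:24:29 router kernel: [226128.293757] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:ae:d0:00:00:2d:11:bd:e5:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=44752 PROTO=UDP SPT=62933 DPT=1701 LEN=75
Dec 30 00:24:30 router kernel: [226129.093450] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:92:d2:00:00:2d:11:d9:e3:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=37586 PROTO=UDP SPT=62933 DPT=1701 LEN=75
"""

# Interface -> zone, taken from the poster's /etc/shorewall/interfaces.
# Assumption of this example: zone is decided by interface only (ipsec zones
# such as vpn2 also need an IPsec policy match, which the log does not show).
INTERFACE_ZONES = {
    "ppp0": "net", "eth0": "loc", "eth2": "dmz", "tun0": "ovpn",
    "eth3": "wlan", "ppp1": "vpn1", "eth4": "vmn", "ppp2": "l2tp",
}

# Ordered subset of the poster's /etc/shorewall/rules that concern UDP 1701.
# (action, source zone, destination zone, protocol, destination port)
# L2TP(REJECT) net $FW is written out as udp 1701, which is what the macro expands to.
RULES = [
    ("REJECT", "net",  "$FW",  "udp", 1701),   # L2TP(REJECT) net $FW
    ("ACCEPT", "vpn2", "$FW",  "udp", 1701),
    ("ACCEPT", "net",  "l2tp", "udp", 1701),
    ("ACCEPT", "l2tp", "net",  "udp", 1701),
    ("ACCEPT", "l2tp", "$FW",  "udp", 1701),
    ("ACCEPT", "$FW",  "l2tp", "udp", 1701),
    ("ACCEPT", "net",  "vpn2", "udp", 1701),
    ("ACCEPT", "vpn2", "net",  "udp", 1701),
    ("ACCEPT", "vpn2", "$FW",  "udp", 1701),
    ("ACCEPT", "$FW",  "vpn2", "udp", 1701),
]

# Log prefix "Shorewall:<chain>:<disposition>:" followed by netfilter KEY=VALUE pairs.
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one Shorewall kernel log line; return None for unrelated lines."""
    m = SHOREWALL_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("rest")):
        # LEN appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)
    chain = m.group("chain")
    in_if = fields.get("IN", "")
    out_if = fields.get("OUT", "")
    # INPUT (or an empty OUT=) means the packet was addressed to the firewall itself.
    dst_zone = "$FW" if chain == "INPUT" or not out_if else INTERFACE_ZONES.get(out_if, "?")
    return {
        "chain": chain,
        "disposition": m.group("disposition"),
        "in": in_if,
        "out": out_if,
        "src_zone": INTERFACE_ZONES.get(in_if, "?"),
        "dst_zone": dst_zone,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def first_matching_rule(rec, rules=RULES):
    """Shorewall rules are first-match: return the first rule hitting this flow."""
    for rule in rules:
        _action, src, dst, proto, port = rule
        if (src == rec["src_zone"] and dst == rec["dst_zone"]
                and rec["proto"] is not None and proto.upper() == rec["proto"]
                and port == rec["dpt"]):
            return rule
    return None


def summarize(log_text):
    """Count rejected/dropped flows as (chain, src zone, dst zone, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["disposition"] in ("REJECT", "DROP"):
            counts[(rec["chain"], rec["src_zone"], rec["dst_zone"], rec["proto"], rec["dpt"])] += 1
    return counts


if __name__ == "__main__":
    for flow, n in summarize(SAMPLE_LOG).items():
        print(f"{n}x {flow}")
    rec = parse_line(SAMPLE_LOG.splitlines()[0])
    print("first matching rule in post order:", first_matching_rule(rec))
```

Run against the quoted lines, the summary reports two rejected UDP 1701 packets that arrived on ppp0 (the poster's net zone) and were addressed to the firewall itself, and the rule walk stops at the first entry of the poster's rules, L2TP(REJECT) net $FW, which is listed before any of the ACCEPT lines for that zone pair. Feeding the parser a larger slice of /var/log/syslog gives a quick per-zone-pair count of what Shorewall is rejecting without reading raw log lines by hand.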
