[ale] IPSec VPN?

Wandered Inn esoteric at denali.atlnet.com
Tue May 29 21:10:50 EDT 2001


"Robert L. Harris" wrote:
> 
> I remember seeing the mods.  I'll need to recompile my kernel.  Can
> you send me your scripts?

Here're the chains that are pertinent to ipsec as well as the insmod
line:

/sbin/modprobe ip_masq_ipsec

# I had to duplicate these lines for each possible vpn server ip.

# Assumed for this excerpt (not set in the lines as posted): the ipchains
# binary, and the firewall's own ppp0 address that the rules test as $IPADDR.
IPCHAINS=/sbin/ipchains
IPADDR=IP_ADDR_OF_PPP0

VPN_SVR=IP_ADDR_OF_VPN_SRV

# IKE/ISAKMP key exchange: UDP port 500 in both directions.  The forward
# rule masquerades the inner client 172.16.10.201; the output and input
# rules cover the firewall's own (rewritten) traffic on ppp0.
$IPCHAINS -A forward -j MASQ   -p udp -s 172.16.10.201/32 500 \
    -d $VPN_SVR/32 500 -i ppp0
$IPCHAINS -A output  -j ACCEPT -p udp -s $IPADDR/24 500 \
    -d $VPN_SVR/32 500 -i ppp0
$IPCHAINS -A input   -j ACCEPT -p udp -s $VPN_SVR/32 500 \
    -d $IPADDR/24 500 -i ppp0

# ESP: IP protocol 50.  It carries no ports, so these rules match on
# addresses and protocol only; the ip_masq_ipsec module loaded above
# handles the ESP masquerading itself.
$IPCHAINS -A forward -j MASQ   -p 50  -s 172.16.10.201/32 \
    -d $VPN_SVR/32 -i ppp0
$IPCHAINS -A output  -j ACCEPT -p 50  -s $IPADDR/24 \
    -d $VPN_SVR/32 -i ppp0
$IPCHAINS -A input   -j ACCEPT -p 50  -s $VPN_SVR/32 \
    -d $IPADDR/24 -i ppp0

> 
> Robert
> 
> Thus spake Wandered Inn (esoteric at denali.atlnet.com):
> 
> > "Joseph A. Knapka" wrote:
> >
> > > I'm not sure if this is actually going to work, but I can't see why
> > > it won't. Of course, you can't masquerade IPsec packets, because the
> > > firewall doesn't know how to compute the checksums appropriately,
> > > since they're encrypted with a key the masq firewall doesn't know (I
> > > think), but forwarding packets without masquerading them should not
> > > cause any trouble. I'll let you know how it goes.
> >
> > Actually, there are modules to permit you to deal with ipsec.  I
> > currently have two different vpn solutions for work, one is pptp, the
> > other ipsec.  Both are connecting to corporate networks through my
> > masq/nat firewall setup.  Both work fine.
> >
> > If you read the firewall, ipsec and vpn howtos, you can set this up.
> > I'd be glad to share my ipchains that do the ipsec and or pptp stuff
> > with anyone that is interested.  You'll need the mods too though.
> >
> > >
> > > -- Joe
> > >
> > >
> > > -- Joseph A. Knapka
> > > "If I ever get reincarnated... let me make certain I don't come back
> > >  as a paperclip." -- protagonist, H Murakami's "Hard-boiled Wonderland"
> > > // Linux MM Documentation in progress:
> > > // http://home.earthlink.net/~jknapka/linux-mm/vmoutline.html
> > > * Evolution is an "unproven theory" in the same sense that gravity is. *
> > > --
> > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> >
> > --
> > Until later: Geoffrey         esoteric at denali.atlnet.com
> >
> > "Great spirits have always found violent opposition from mediocre minds.
> > The latter cannot understand it when a man does not thoughtlessly submit
> > to hereditary prejudices but honestly and courageously uses his
> > intelligence."
> > - Albert Einstein
> 
> :wq!
> ---------------------------------------------------------------------------
> Robert L. Harris                |  Micros~1 :
> Senior System Engineer          |    For when quality, reliability
>   at RnD Consulting             |      and security just aren't
>                                 \_       that important!
> DISCLAIMER:
>       These are MY OPINIONS ALONE.  I speak for no-one else.
> FYI:
>  perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'

--
Until later: Geoffrey		esoteric at denali.atlnet.com

"Great spirits have always found violent opposition from mediocre minds.
The latter cannot understand it when a man does not thoughtlessly submit
to hereditary prejudices but honestly and courageously uses his
intelligence."
- Albert Einstein
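Reading the posted rules as a classifier. The following is an added example and not the poster's script or the ip_masq_ipsec module: it models the six ipchains rules above as a first-match table, builds constructed IKE (UDP/500) and ESP (IP protocol 50) packets, and shows what a packet filter can actually read from each. ESP exposes only an SPI and a sequence number, not ports, which is why address-and-port masquerading alone cannot track it and a protocol-aware module is needed. The addresses 192.0.2.10 (standing in for $IPADDR), 198.51.100.5 (for $VPN_SVR), the SPI values and the DENY default policy are constructed assumptions; 172.16.10.201 is the client address from the post.

```python
# Added example, not from the post: model the posted ipchains IPsec rules as a
# first-match packet classifier and show which header fields a filter can see
# for IKE (UDP/500) versus ESP (IP protocol 50). Addresses are constructed.
import ipaddress
import struct
from collections import namedtuple

UDP, ESP = 17, 50
IKE_PORT = 500

# Constructed stand-ins for the post's placeholders.
VPN_CLIENT = ipaddress.ip_address("172.16.10.201")  # inner host, from the post
FIREWALL_PPP0 = ipaddress.ip_address("192.0.2.10")  # assumed $IPADDR (ppp0 side)
VPN_SVR = ipaddress.ip_address("198.51.100.5")      # assumed $VPN_SVR
IPADDR_NET = ipaddress.ip_network(f"{FIREWALL_PPP0}/24", strict=False)  # $IPADDR/24


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, zero checksum) in front of payload."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src.packed, dst.packed)
    return hdr + payload


def build_ike(src, dst, sport=IKE_PORT, dport=IKE_PORT, body=b"\x00" * 28):
    """IKE/ISAKMP runs over UDP; a filter sees the UDP ports in clear."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body
    return build_ipv4(src, dst, UDP, udp)


def build_esp(src, dst, spi, seq, ciphertext=b"\xaa" * 16):
    """ESP header is SPI + sequence number; everything after it is encrypted."""
    return build_ipv4(src, dst, ESP, struct.pack("!II", spi, seq) + ciphertext)


def parse(pkt):
    """What a packet filter can read: addresses, protocol, UDP ports or the ESP SPI."""
    ihl = (pkt[0] & 0x0F) * 4
    info = {"src": ipaddress.IPv4Address(pkt[12:16]),
            "dst": ipaddress.IPv4Address(pkt[16:20]),
            "proto": pkt[9]}
    body = pkt[ihl:]
    if info["proto"] == UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif info["proto"] == ESP:
        # No ports here: only the SPI and sequence number are visible.
        info["spi"], info["seq"] = struct.unpack("!II", body[:8])
    return info


Rule = namedtuple("Rule", "chain target proto src sport dst dport iface")


def net(addr):
    return ipaddress.ip_network(f"{addr}/32")


# The six rules from the post, in the same order; None means "any port".
RULES = [
    Rule("forward", "MASQ",   UDP, net(VPN_CLIENT), 500,  net(VPN_SVR), 500,  "ppp0"),
    Rule("output",  "ACCEPT", UDP, IPADDR_NET,      500,  net(VPN_SVR), 500,  "ppp0"),
    Rule("input",   "ACCEPT", UDP, net(VPN_SVR),    500,  IPADDR_NET,   500,  "ppp0"),
    Rule("forward", "MASQ",   ESP, net(VPN_CLIENT), None, net(VPN_SVR), None, "ppp0"),
    Rule("output",  "ACCEPT", ESP, IPADDR_NET,      None, net(VPN_SVR), None, "ppp0"),
    Rule("input",   "ACCEPT", ESP, net(VPN_SVR),    None, IPADDR_NET,   None, "ppp0"),
]


def matches(rule, chain, iface, info):
    return (rule.chain == chain and rule.iface == iface
            and rule.proto == info["proto"]
            and info["src"] in rule.src and info["dst"] in rule.dst
            and (rule.sport is None or info.get("sport") == rule.sport)
            and (rule.dport is None or info.get("dport") == rule.dport))


def verdict(chain, iface, pkt, policy="DENY"):
    """First matching rule wins, as in ipchains; otherwise the assumed chain policy."""
    info = parse(pkt)
    for rule in RULES:
        if matches(rule, chain, iface, info):
            return rule.target
    return policy


if __name__ == "__main__":
    ike = build_ike(VPN_CLIENT, VPN_SVR)
    esp = build_esp(VPN_CLIENT, VPN_SVR, spi=0x1234ABCD, seq=1)
    print("IKE forward:", verdict("forward", "ppp0", ike))
    print("ESP forward:", verdict("forward", "ppp0", esp))
    print("ESP fields visible to the filter:", parse(esp))
```

The ESP rules in the table have no port fields to check, so anything that looks like ESP between the two fixed addresses is passed to the masquerader; the SPI that `parse` extracts is the only per-flow identifier the firewall has, and a filter that only knows addresses and ports has nothing to key its masquerade table on.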
