I have read lots of newsgroups and HOWTOs and until now have not found a definitive answer to the question: how do I forward the necessary protocols (not the ports, for PPTP or IPsec) to a masqueraded

Port 500 UDP, Protocol 50, 51 for FreeS/WAN

VPN server, or is it possible at all using SuSEfirewall2 and iptables? Most people seem to agree that it is indeed possible using iptables without SuSEfirewall2,

Of course, it's just a script and you could write your own!

but even then I have not found a working solution up to now. If anybody knows a patch for the SuSEfirewall2 script or the necessary rules to put in the custom script which is called at the end of the config file, please help me out. Anything that works is appreciated...

You sound a little desperate. Don't do!
Edit /etc/rc.config.d/firewall2.rc.config

snip ---
FW_DEV_INT="eth0 ipsec0"
FW_ROUTE="yes"
FW_ALLOW_CLASS_ROUTING="yes"
--- snap

and to prevent masquerading

snip ----
# 19.)
# Say yes, if you use IPSEC
# Defaults to "no"
#
FW_IPSEC="yes"
#
# 20.)
# IPSEC device
#
FW_DEV_IPSEC="ipsec0"
#
# 21.)
# local/remote network
# masquerading is disabled through the tunnel automatically,
# if you enabled it above
#
FW_IPSEC_LOCALNET="192.168.x.x/24"
FW_IPSEC_REMOTENET="192.168.x.x/24"
---- snap

The resource for the latest script version is:
http://www.suse.com/~marc/SuSEfirewall2-2.1.tar.gz

Hope that helps
Yours
Michael
Thanks for your help, but as far as I see these settings are for a VPN endpoint *at* the firewall (firewall == VPN server, otherwise I wouldn't have an ipsec0 interface (or am I missing something)). What I try to achieve is to forward the VPN to a masqueraded server (i.e. a server with a private IP address). The variant VPN server == firewall would work, but sadly is not an option for our configuration.

Thanks anyway
Alex
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
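As an added example (not code from any of the posters or from SuSEfirewall2), the iptables rules that DNAT IKE and ESP from the firewall's public address to one masqueraded VPN server, written as a small sh script of the kind that could go into the custom rule script the question mentions. The external interface name and the addresses are placeholders supplied by the caller, and the script assumes the firewall already masquerades the internal network and tracks connections. AH (protocol 51) is deliberately refused: it authenticates the IP header, so the address rewrite done by NAT invalidates it.

```shell
#!/bin/sh
# Added example, not code from SuSEfirewall2 or from the posters.
# Emits iptables rules that pass IKE (UDP 500) and ESP (IP protocol 50)
# from the firewall's public address to ONE masqueraded IPsec server.
# Interface and addresses are placeholders supplied by the caller.

# AH (protocol 51) is rejected: it authenticates the IP header, so the
# address rewrite done by NAT invalidates it. Only IKE and ESP forward.
# $1 = "udp" or an IP protocol number; returns 0 if forwardable, 1 if not
nat_forwardable() {
    case "$1" in
        udp|50) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the rules to stdout so they can be reviewed, then run as root.
# $1 = external interface, $2 = public IP on it, $3 = internal VPN server
ipsec_forward_rules() {
    ext_if=$1
    ext_ip=$2
    vpn=$3
    [ -n "$ext_if" ] && [ -n "$ext_ip" ] && [ -n "$vpn" ] || return 2
    cat <<EOF
# IKE: rewrite UDP/500 arriving at $ext_ip to the internal server
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p udp --dport 500 -j DNAT --to-destination $vpn
iptables -A FORWARD -i $ext_if -d $vpn -p udp --dport 500 -j ACCEPT
# ESP carries no port numbers: all of protocol 50 is tied to this one host
iptables -t nat -A PREROUTING -i $ext_if -d $ext_ip -p 50 -j DNAT --to-destination $vpn
iptables -A FORWARD -i $ext_if -d $vpn -p 50 -j ACCEPT
# Replies: conntrack reverses the DNAT on the way out, but FORWARD must allow them
iptables -A FORWARD -o $ext_if -s $vpn -p udp --sport 500 -j ACCEPT
iptables -A FORWARD -o $ext_if -s $vpn -p 50 -j ACCEPT
EOF
}
```

Because ESP has no port numbers, only a single internal host can be reached this way; a second IPsec server behind the same public address would need a second public address.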
At 15:48 10.09.2002 +0200, you wrote:
snip ---
FW_DEV_INT="eth0 ipsec0"

Shall I register the device ipsec0 in FW_DEV_EXT, too?

FW_ROUTE="yes"
FW_ALLOW_CLASS_ROUTING="yes"
--- snap

and to prevent masquerading

snip ----
# 19.)
# Say yes, if you use IPSEC
# Defaults to "no"
#
FW_IPSEC="yes"
#
# 20.)
# IPSEC device
#
FW_DEV_IPSEC="ipsec0"
#
# 21.)
# local/remote network
# masquerading is disabled through the tunnel automatically,
# if you enabled it above
#
FW_IPSEC_LOCALNET="192.168.x.x/24"
FW_IPSEC_REMOTENET="192.168.x.x/24"

What remotenet do I register here, when the remote client is a roadwarrior without a private subnet and only a dialup adapter with an official IP from the ISP? I'm trying this too, straight now... ;)

Michael
participants (3): Alexander Gretha, GentooRulez, Michael Boettjer