Re: [suse-security] how to enable ipsec over firewall?
> In case someone knows about the 8.x 2.4-kernel firewall2 config, please answer as well; we might be able to update this.
Huh????
Translated: in case you know how to configure SuSE 8, I'll get SuSE 8 running on our firewall. ;)
Same way as ever. Do a minimal installation, shut down the services you don't need, install the firewall, harden your system with security patches and scripts, and attack it with security tools afterwards :O)
> FW_DEV_IPSEC="ipsec0"
Okay, the silly thing is that I don't have such a device in /dev/etc. I should probably check my FreeS/WAN configuration?
For sure. You have to configure freeswan using /etc/ipsec.conf (<=7.3) and to start and test it.
> http://www.suse.com/~marc/SuSEfirewall2-2.1.tar.gz
I checked that and it does seem to be the same 2.1 version that comes with SuSE 8.
Yep, my fault. Christoph Egger did some patches here on this list: http://lists.suse.com/archive/suse-security/2002-Feb/0035.html
Yours, Michael
BTW: What about taking these working patches over into the firewall-scripts main branch, Marc?
Hello Michael,
> For sure. You have to configure freeswan using /etc/ipsec.conf (<=7.3) and to start and test it.
Okay, I have now updated FreeS/WAN, since SuSE has 1.95 and "opportunistic encoding" is only enabled from 1.9.8 on. I'll have that configured.
> BTW: What about taking these working patches over into the firewall-scripts main branch, Marc?
That would have been my next question; I guess it's a great feature that should be delivered with the next SuSE firewall. Thanks again, Jochen
> For sure. You have to configure freeswan using /etc/ipsec.conf (<=7.3) and to start and test it.
Just that the current snapshot of the documentation is outdated. I don't know if they refer to 2.0 or 1.x, but in 1.98b there is definitely no ipsec verify command. To be honest, I don't even know what the author means by "Ask your ISP to publish these records in your reverse map." And what is a left subnet? Looks as if I would do well by subscribing to the FreeS/WAN mailing list, too.
> Yep, my fault. Christoph Egger did some patches here on this list:
> http://lists.suse.com/archive/suse-security/2002-Feb/0035.html
Great, thanks. I altered the script to work with SuSE 8 (/etc/sysconfig...) and will post it to this mailing list and CC marc@suse.de as soon as I have had my first VPN connection through the gateway. Bye, Jochen
> Yep, my fault. Christoph Egger did some patches here on this list:
> http://lists.suse.com/archive/suse-security/2002-Feb/0035.html
By the way: don't I need to redirect port 500 with FW_MASQ_NETS to my VPN client? Or is this already done in the script?
Participants (2): GentooRulez, Jochen Staerk