Hello there,

I've got a question, and I found no answer related to this topic - or maybe I'm simply too stupid and didn't get it ....

Short story: Home LAN - SuSEfirewall2 System (SuSE 8.1 via DSL) - internet - Checkpoint FW - Company's LAN

Long story: Well, my employer has a Checkpoint FW running to protect the company's LAN. We all got so-called tokens (looks like a calculator) and some software to be installed on our PCs. The software is called SecuRemote. At home I have a small LAN (one SuSE 8.1 acting as a gateway, 3 MS based clients). I installed the software, checked the Checkpoint website for information on how to configure an iptables fw, and I think I did it: the necessary ports are udp 50, udp 51, udp 500 & udp 2746. So I added the lines:

FW_FORWARD="212.212.212.212/32,192.168.10.100/24,udp,50 212.212.212.212/32,192.168.10.100/24,udp,51 \
212.212.212.212/32,192.168.10.100/24,udp,500 212.212.212.212/32,192.168.10.100/24,udp,2746"
FW_FORWARD_MASQ="212.212.212.212/32,192.168.10.100/24,udp,50 212.212.212.212/32,192.168.10.100/24,udp,51 \
212.212.212.212/32,192.168.10.100/24,udp,500 212.212.212.212/32,192.168.10.100/24,udp,2746"

(In both cases 212.212.212.212 is just a placeholder!!! ... not the real IP address.)

But it does not work ...... no VPN connection is established between my MS client and a system on the company's LAN. When I connect to the internet directly (e.g. via an ISDN dial-up connection) it works fine.

Well, one of my thoughts was to modify the MTU/MRU values - but setting them e.g. to 1404 didn't solve it.

Has anyone around there an idea? Can I use the SuSEfirewall2 for this?

Thanks in advance!!!!

c y Torsten
Hello Torsten,

I understand what you want to do is IPSEC in some way: For IPSEC you need to open up (accept) in your FW-config:

UDP port 500 (this is for IKE / ISAKMP)
protocol 50 and 51 (that's for ESP and AH) NOT port 50 or 51 (!!!!)

I don't know about UDP port 2746, this may be proprietary config to authenticate against your commercial software package (server).

BTW: I tried SuSEfw2 at 2 different installations to get it running with ipsec-tunnels - forget it! I loaded Shorewall today and it runs well! Have a look at www.shorewall.net.

Regards, Philipp Rusch

"T. Ermlich" wrote:
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
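The port/protocol mix-up Philipp describes is easy to catch mechanically. The script below is an added example (it is not code from the thread, from SuSEfirewall2 or from Check Point): it parses FW_FORWARD entries in the "src,dst,proto[,port]" shape Torsten posted, rewrites "udp,50" and "udp,51" to the ESP and AH IP protocols, flags the host bits set in 192.168.10.100/24, and renders the result as plain iptables commands. The addresses are the placeholders from Torsten's mail, used as constructed sample input; UDP 500 and UDP 2746 are passed through unchanged.

```python
"""Lint SuSEfirewall2-style FW_FORWARD entries for the port/protocol mix-up
Philipp describes, then print the equivalent iptables FORWARD rules.

Added example, not code from the thread or from SuSEfirewall2. It assumes
entries look like the ones Torsten posted, "src,dst,proto[,port]", and
uses his placeholder addresses as constructed sample input.
"""
import ipaddress

# IPsec carries ESP and AH directly over IP; these are protocol numbers,
# not UDP/TCP ports (the mistake Philipp points out).
IP_PROTOCOLS = {50: "esp", 51: "ah"}

# Sample input constructed from Torsten's mail (placeholder addresses).
FW_FORWARD = (
    "212.212.212.212/32,192.168.10.100/24,udp,50 "
    "212.212.212.212/32,192.168.10.100/24,udp,51 \\ "
    "212.212.212.212/32,192.168.10.100/24,udp,500 "
    "212.212.212.212/32,192.168.10.100/24,udp,2746"
)


def parse_entries(value):
    """Split an FW_FORWARD string into (src, dst, proto, port) tuples.
    Backslash line continuations from the mail are treated as whitespace."""
    entries = []
    for token in value.replace("\\", " ").split():
        fields = token.split(",")
        if len(fields) < 3:
            raise ValueError(f"malformed entry: {token!r}")
        src, dst, proto = fields[:3]
        port = int(fields[3]) if len(fields) > 3 else None
        entries.append((src, dst, proto.lower(), port))
    return entries


def normalize_network(cidr):
    """Return the CIDR with host bits cleared, plus a warning if any were set."""
    net = str(ipaddress.ip_network(cidr, strict=False))
    warning = None
    if net != cidr:
        warning = f"{cidr} has host bits set; the firewall will match {net}"
    return net, warning


def lint_entries(entries):
    """Rewrite 'udp,50' / 'udp,51' style entries to the ESP/AH protocols and
    normalise networks. Returns (fixed_entries, warnings)."""
    fixed, warnings = [], []

    def warn(msg):
        # Keep each distinct warning once, in first-seen order.
        if msg and msg not in warnings:
            warnings.append(msg)

    for src, dst, proto, port in entries:
        src, w_src = normalize_network(src)
        dst, w_dst = normalize_network(dst)
        warn(w_src)
        warn(w_dst)
        if proto in ("udp", "tcp") and port in IP_PROTOCOLS:
            name = IP_PROTOCOLS[port]
            warn(f"{proto}/{port} is not a port: {name.upper()} is IP protocol "
                 f"{port}; use protocol '{name}' without a port")
            proto, port = name, None
        fixed.append((src, dst, proto, port))
    return fixed, warnings


def to_iptables(entries, chain="FORWARD"):
    """Render entries as iptables commands (one direction only)."""
    rules = []
    for src, dst, proto, port in entries:
        rule = f"iptables -A {chain} -s {src} -d {dst} -p {proto}"
        if port is not None:
            rule += f" --dport {port}"
        rules.append(rule + " -j ACCEPT")
    return rules


if __name__ == "__main__":
    fixed, warnings = lint_entries(parse_entries(FW_FORWARD))
    for w in warnings:
        print("warning:", w)
    for r in to_iptables(fixed):
        print(r)
```

The rendered rules cover only the direction written in the entry; a stateful iptables setup also needs the reverse direction (or a conntrack ESTABLISHED/RELATED rule) for the tunnel's replies, and a client-initiated tunnel has the home client as the source of the first packets.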
Hi Philipp,

regarding the ports: I thought they are needed, as this document describes it: http://www.dk.phoneboy.com/fom-serve/cache/90.html

But reading it a second time, after reading your reply, I have to say: you're totally right!!! (Protocol 50 and not port 50, resp. 51)

Anyway: I'll have a look at shorewall ... ;-)

c y Torsten

----- Original Message -----
From: "Philipp Rusch" <Philipp.Rusch@rusch-edv.de>
To: "T. Ermlich" <pelegrine@hotmail.com>; <suse-security@suse.com>
Sent: Friday, January 31, 2003 9:58 PM
Subject: Re: [suse-security] SuSEfirewall2 & Checkpoint software