Re: [suse-security] how to enable ipsec over firewall?
I need to have access to an external Cisco VPN 5000 system from a Windows box through a SuSE Linux masquerading router (NAT to German T-DSL); the SuSE Linux is 6.4 with a 2.2 kernel.
1st. IPsec through a NATing gateway (your SuSE box) often causes problems, because NAT modifies packet headers and IPsec doesn't like that behaviour. So install IPsec directly on your router/firewall.
In case someone knows about the 8er 2.4 kernel firewall2 config, please answer as well; we might be able to update this.
Huh????
As far as I understand, IP port 50 and UDP 500 play a special role
Exactly - the communication goes up on port 50 with protocol 50 using udp.
but aren't all ports masqueraded by default?
That depends on your firewall setup. If you only set up FW_MASQ_NETS="192.168.1.0/16,rsync.gentoo.org,tcp,873", all other traffic is not masqueraded, except to the rsync port of gentoo.
I mean, I can use HTTP, FTP (passive), HTTPS, peer to peer networking, do I have to add extra rules for 500 or 50? How do I do that?
I suggest taking a late 2.4.18 (19) and downloading the patch for IPsec from ftp.xs4all.nl/crypty/freeswan
Do I need to apply a kernel patch?
Yep, download as above. The extra rules come here in SuSEfirewall 2

snip ----
# 19.)
# Say yes, if you use IPSEC
# Defaults to "no"
#
FW_IPSEC="yes"
#
# 20.)
# IPSEC device
#
FW_DEV_IPSEC="ipsec0"
#
# 21.)
# local/remote network
# masquerading is disabled through the tunnel automatically,
# if you enabled it above
#
FW_IPSEC_LOCALNET="192.168.1.0/24"
FW_IPSEC_REMOTENET="192.168.2.0/24"
---- snap

Get the latest version here: http://www.suse.com/~marc/SuSEfirewall2-2.1.tar.gz
Thanks in advance Jochen
Take a look at rule 21. Seems to be one answer to your questions! Yours, Michael
On Tue, 17 Sep 2002, GentooRulez wrote:
[somebody else wrote:] As far as I understand, IP port 50 and UDP 500 play a special role
Exactly - the communication goes up on port 50 with protocol 50 using udp.
??? IPsec uses *IP protocol* number 50 (IPv6-Crypt, look at /etc/protocols) for data exchange, and *UDP port* number 500 (isakmp -> /etc/services) for key exchange. Please don't complicate matters further by confusing ports and protocols... Cheers, Martin
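An added example, not part of the thread, that makes Martin's distinction concrete: it builds constructed IPv4 packets and classifies them the way a filter or masquerading box would see them, so ESP shows up only by its IP protocol number (50) with no port field at all, while IKE is ordinary UDP traffic on port 500. The packet builders, addresses and SPI are this example's own assumptions.

```python
import socket
import struct

# Numbers as /etc/protocols and /etc/services list them (example's own constants).
IPPROTO_UDP = 17
IPPROTO_ESP = 50    # IPsec ESP is an IP protocol number, not a port
ISAKMP_PORT = 500   # IKE/ISAKMP key exchange runs over UDP port 500

def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, zero checksum) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_udp(sport, dport, data):
    """UDP header with zero checksum followed by data."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Describe what a filter or NAT box can see: ("esp", spi), ("ike", sport, dport),
    ("udp", sport, dport) or ("other", proto)."""
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]                     # IP protocol number field
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        spi = struct.unpack("!I", body[:4])[0]   # ESP starts with an SPI; no ports exist
        return ("esp", spi)
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        if ISAKMP_PORT in (sport, dport):
            return ("ike", sport, dport)
        return ("udp", sport, dport)
    return ("other", proto)

def has_transport_ports(packet):
    """Port-based masquerading can only track flows that carry port numbers."""
    return classify(packet)[0] in ("ike", "udp")

# Constructed sample packets (addresses and SPI are made up for this example).
ESP_PKT = build_ipv4(IPPROTO_ESP, "192.168.1.10", "203.0.113.5",
                     struct.pack("!II", 0x12345678, 1) + b"\x00" * 16)
IKE_PKT = build_ipv4(IPPROTO_UDP, "192.168.1.10", "203.0.113.5",
                     build_udp(500, 500, b"\x00" * 28))
DNS_PKT = build_ipv4(IPPROTO_UDP, "192.168.1.10", "203.0.113.5",
                     build_udp(1234, 53, b"\x00" * 12))

if __name__ == "__main__":
    for name, pkt in (("ESP", ESP_PKT), ("IKE", IKE_PKT), ("DNS", DNS_PKT)):
        print(name, classify(pkt), "ports:", has_transport_ports(pkt))
```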
Hi Michael,
In case someone knows about the 8er 2.4 kernel firewall2 config, please answer as well; we might be able to update this.
Huh????
Translated: In case you knew how to configure SuSE 8, I'll get SuSE 8 running on our firewall. ;)
Do I need to apply a kernel patch?
Yep, download as above. The extra rules come here in SuSEfirewall 2
Okay, I used the SuSE 8 FreeS/WAN since it was a version that was also at the site you mentioned, and installed the FreeS/WAN kernel module that SuSE provides.
FW_DEV_IPSEC="ipsec0"
Okay, the silly thing is that I don't have such a device in /dev/etc. I should probably check my FreeS/WAN configuration?
I checked that and it does seem to be the same 2.1 version that comes with SuSE 8. Line 306 of the executable scans for FW_DEV_IPSEC, but does expect a "yes" instead of a device?

echo " $FW_DEV_EXT $FW_DEV_DMZ $FW_DEV_INT " | grep -q ipsec && FW_DEV_IPSEC=yes

From line 537 it also tests for FW_DEV_IPSEC:

for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $i/accept_redirects 2> /dev/null
    echo 0 > $i/accept_source_route 2> /dev/null
    test -z "$FW_DEV_IPSEC" && echo 1 > $i/rp_filter 2> /dev/null
    echo 0 > $i/mc_forwarding 2> /dev/null
done

As to your configuration, you write "extra rules", so I understand I should append them. I just wanted to remark that there do not seem to be any kind of defaults for IPsec - rule 19 is about

# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.

and rule 20 is "Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall."
Take a look at rule 21. Seems to be one answer to your questions!
Actually it does, yes, and thanks. bye, Jochen
participants (3)
- GentooRulez
- Jochen Staerk
- Martin Köhling