Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] how to enable ipsec over firewall?
>I need to have access to an external Cisco VPN 5000 system from a
>Windows box through a SuSE Linux masquerading router (NAT to German
>T-DSL); the SuSE Linux is 6.4 with a 2.2 kernel.

1st: IPsec through a NATing gateway (your SuSE box) often causes problems,
because NAT modifies packet headers and IPsec does not want that behaviour. So install
IPsec directly on your router/firewall.

>In case someone knows about the 8.x 2.4-kernel firewall2 config, please
>answer as well; we might be able to update this.


>As far as I understand, IP port 50 and UDP 500 play a special role,

Exactly - the communication goes up on port 50 with protocol 50 using UDP.

>but aren't all ports masqueraded by default?

That depends on your firewall setup. If you only set up:


all other traffic is not masqueraded, but to rsync port of gentoo.

>I mean, I can use HTTP, FTP
>(passive), HTTPS, peer-to-peer networking; do I have to add extra rules
>for 500 or 50? How do I do that?

I suggest taking a late 2.4.18(19) and downloading the patch for IPsec from

> Do I need to apply a kernel patch?

Yep, download as above. The extra rules come here in SuSEfirewall2:


# 19.)
# Say yes, if you use IPSEC
# Defaults to "no"
# 20.)
# IPSEC device

# 21.)
# local/remote network
# masquerading is disabled through the tunnel automatically,
# if you enabled it above

Get the latest version here

>Thanks in advance

Take a look at rule 21. It seems to be one answer to your questions!
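Added example, not from the reply and not SuSEfirewall2's own code: the iptables rules a 2.4-kernel gateway needs when it terminates the IPsec tunnel itself, as the reply recommends. It passes IKE (UDP 500) and ESP (IP protocol 50) on the external interface and exempts the tunnel traffic from masquerading, which is what rule 21 describes; the interface and network arguments are placeholders.

```shell
#!/bin/sh
# Added example (not from the mail or from SuSEfirewall2): iptables rules for a
# 2.4-kernel gateway that terminates the IPsec tunnel itself.
# Set IPT=echo to print the rules instead of loading them.
IPT=${IPT:-iptables}

# ipsec_gateway_rules EXT_IF LOCAL_NET REMOTE_NET
#   EXT_IF     external interface, e.g. the DSL ppp device (placeholder)
#   LOCAL_NET  network behind this gateway (placeholder)
#   REMOTE_NET network behind the remote VPN peer (placeholder)
ipsec_gateway_rules() {
    ext_if=$1; local_net=$2; remote_net=$3

    # IKE negotiation: UDP port 500 in both directions on the external interface
    $IPT -A INPUT  -i "$ext_if" -p udp --dport 500 -j ACCEPT
    $IPT -A OUTPUT -o "$ext_if" -p udp --dport 500 -j ACCEPT

    # ESP: IP protocol 50, carries the encrypted tunnel traffic
    $IPT -A INPUT  -i "$ext_if" -p esp -j ACCEPT
    $IPT -A OUTPUT -o "$ext_if" -p esp -j ACCEPT

    # Packets for the remote tunnel network must keep their private source
    # address (the IPsec policy matches on it), so exempt them from
    # masquerading BEFORE the catch-all MASQUERADE rule; order matters here.
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$local_net" -d "$remote_net" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$ext_if" -s "$local_net" -j MASQUERADE

    # Decrypted traffic between the two private networks is forwarded
    $IPT -A FORWARD -s "$local_net" -d "$remote_net" -j ACCEPT
    $IPT -A FORWARD -s "$remote_net" -d "$local_net" -j ACCEPT
}
```

Run with `IPT=echo ipsec_gateway_rules ppp0 192.168.1.0/24 10.0.0.0/24` to review the rule set before loading it on the gateway.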