Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] how to enable ipsec over firewall?
>I need to have access to an external cisco VPN 5000 system from a
>windows box through a Suse Linux Masquarading Router (NAT to german
>T-DSL), the Suse Linux is 6.4 with a 2.2er kernel.

1st. IPsec through a NATing gateway (your Suse box) often causes problems,
because NAT modifies packet headers and IPsec won't accept that behaviour. So install
IPsec directly on your router/firewall.

>In case someone knows about the 8er 2.4 kernel-firewall2-config please
>answer as well we might be able to update this.

Hääää????

>As far as I understand, Ip Port 50 and UDP 500 play a special role

Exactly - the communication goes up on port 50 with protocol 50 using UDP.

>but aren't all ports masquaraded by default?

That depends on your firewall setup. If you only set up:

FW_MASQ_NETS="192.168.1.0/16,rsync.gentoo.org,tcp,873"

all other traffic is not masqueraded, only that to the rsync port of gentoo.

>I mean, I can use HTTP, FTP
>(passive), HTTPS, peer to peer networking, do I have to add extra rules
>for 500 or 50? How do I do that?

I suggest taking a late 2.4.18 (or 19) and downloading the patch for IPsec from

ftp.xs4all.nl/crypty/freeswan

> Do I need to apply a kernel patch?

Yep, download as above. The extra rules come here in SuSEfirewall2:

snip
----

# 19.)
# Say yes, if you use IPSEC
# Defaults to "no"
#
FW_IPSEC="yes"
#
# 20.)
# IPSEC device
#
FW_DEV_IPSEC="ipsec0"

# 21.)
# local/remote network
# masquerading is disabled through the tunnel automatically,
# if you enabled it above
#
FW_IPSEC_LOCALNET="192.168.1.0/24"
FW_IPSEC_REMOTENET="192.168.2.0/24"
----
snap

Get the latest version here:

http://www.suse.com/~marc/SuSEfirewall2-2.1.tar.gz

>Thanks in advance
>Jochen

Take a look at rule 21. Seems to be one answer to your questions!

Yours

Michael
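
The rules that the FW_IPSEC settings quoted above stand for, written out as an added example that is not from Michael's mail or from SuSEfirewall2 itself. It assumes an eth0 uplink, a 2.4 kernel with iptables and the ipsec0 device from FreeS/WAN; the rules SuSEfirewall2 actually generates may differ in detail.

```shell
#!/bin/sh
# Added example: print the netfilter rules that the FW_IPSEC*/FW_DEV_IPSEC
# settings from the mail boil down to. Assumed: external interface eth0,
# a 2.4 kernel with iptables, and the FreeS/WAN virtual device ipsec0.
# The function only prints the rules; pipe it to sh on the gateway to apply.
FW_DEV_EXT="eth0"
FW_DEV_IPSEC="ipsec0"
FW_IPSEC_LOCALNET="192.168.1.0/24"
FW_IPSEC_REMOTENET="192.168.2.0/24"

ipsec_rules() {
    # IKE: key exchange between the two gateways, UDP port 500 both ways.
    echo "iptables -A INPUT  -i $FW_DEV_EXT -p udp --sport 500 --dport 500 -j ACCEPT"
    echo "iptables -A OUTPUT -o $FW_DEV_EXT -p udp --sport 500 --dport 500 -j ACCEPT"
    # ESP (IP protocol 50) and AH (51) carry the tunnelled packets. They are
    # not TCP or UDP, so a port-based rule can never match them.
    for proto in 50 51; do
        echo "iptables -A INPUT  -i $FW_DEV_EXT -p $proto -j ACCEPT"
        echo "iptables -A OUTPUT -o $FW_DEV_EXT -p $proto -j ACCEPT"
    done
    # Cleartext is forwarded only between the two tunnel networks via ipsec0.
    echo "iptables -A FORWARD -i $FW_DEV_IPSEC -s $FW_IPSEC_REMOTENET -d $FW_IPSEC_LOCALNET -j ACCEPT"
    echo "iptables -A FORWARD -o $FW_DEV_IPSEC -s $FW_IPSEC_LOCALNET -d $FW_IPSEC_REMOTENET -j ACCEPT"
    # Tunnel traffic must keep its private source address, otherwise the
    # remote side sees the NAT address and the policy does not match: exempt
    # it by inserting an ACCEPT ahead of the MASQUERADE rule.
    echo "iptables -t nat -I POSTROUTING 1 -s $FW_IPSEC_LOCALNET -d $FW_IPSEC_REMOTENET -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $FW_DEV_EXT -s $FW_IPSEC_LOCALNET -j MASQUERADE"
}

# Number of rules that match the IPsec protocols, as a quick sanity check.
count_ipsec_proto_rules() {
    ipsec_rules | grep -c -- '-p 5[01] '
}
```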

