search for: ipsecnat

Displaying 9 results from an estimated 9 matches for "ipsecnat".

2003 Jan 06
3
ipsec nat-traversal
It seems to me that ipsecnat tunnel type is not complete. Latest drafts of ipsec nat-traversal use udp port 4500 for nat-traversal communications. (It's called port floating). That is needed to get rid of ugly ipsec passthru devices. Now ipsecnat opens port udp/500 from any source port. And I think ipsecnat won...
2004 Dec 30
3
IPIP Tunnel
Hi guys, I'm trying to setup an IPIP tunnel between a Cisco router and a firewall running Debian GNU/Linux Sarge with Shorewall 2.0.13. I've read and implemented the http://shorewall.net/IPIP.htm document, but I don't understand why there should be at the same time a "tunnel" and a "tunnels" script. Shorewall still refuses to let the
2002 Nov 09
2
Shorewall 1.3.10
...ication on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can optionally tie each MAC address to an IP address. 3) PPTP Servers and Clients running on the firewall system may now be defined in the /etc/shorewall/tunnels file. 4) A new 'ipsecnat' tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway. 5) The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf. 6) The main firewall script is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall is v...
2002 Nov 09
2
Shorewall 1.3.10
...ication on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can optionally tie each MAC address to an IP address. 3) PPTP Servers and Clients running on the firewall system may now be defined in the /etc/shorewall/tunnels file. 4) A new 'ipsecnat' tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway. 5) The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf. 6) The main firewall script is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall is v...
2002 Oct 24
0
Shorewall 1.3.10 Beta 1
...verification on ethernet segments. You can specify the set of allowed MAC addresses on the segment and you can optionally tie each MAC address to an IP address. 3) PPTP Servers and Clients running on the firewall system may now be defined in the /etc/shorewall/tunnels file. 4) A new 'ipsecnat' tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway. 5) The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf. 6) The main firewall script is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall is very sm...
2005 May 18
1
IPSec NAT-T woes
...ame machine. My kernel 2.6.11.10 is patched as needed. The server has an official IP-Address (no NAT on this side), but some of the clients do use NAT. I figured out that NAT-T connections (RFC 3947) did not work without the "generic:udp:4500" in /etc/shorewall/tunnels: # Road-Warriors ipsecnat net 0.0.0.0/0 road generic:udp:4500 net 0.0.0.0/0 road regards claas
2004 Aug 11
0
Ipsec and masq
...lo, my setup is rh8 2.4.20-8, shorewall 2.0.7, freeswan-2.04. ------- policy------- vpn loc accept loc vpn accept vpn fw accept fw vpn accept --------------------- --------zone ------- net net loc local dmz dmz vpn vpn ------------------------ ----- tunnels --------- ipsec net 0.0.0.0/0 vpn ipsecnat net 0.0.0.0/0 vpn -------------------------------------- ------ interfaces ------------ net eth0 loc eth1 dmz eth2 vpn ipsec0 --------------------------------- ------ masq -------------- eth0 eth1 ------------------------------- freeswan is installed on the same box as shorewall. looking a...
2012 Oct 24
1
IPSEC/L2TP Local and External Internet Access at same time through two interfaces?
...l network access #DNAT net vpn:206.214.243.203 udp 4500 #DNAT net vpn:206.214.243.203 udp 500 # Tunnels ############################################################################### #TYPE ZONE GATEWAY GATEWAY # ZONE #ipsec net 0.0.0.0/0 vpn ipsecnat net 0.0.0.0/0 vpn # Zones ############################################################################### #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall net ipv4 loc ipv4 l2tp ipv4 vpn ipsec Here are some logs with the above configuration. Traffic appears to...
2003 Mar 25
7
DNAT not working after changing BIND to use views
...IPSEC, GRE, IPIP and OPENVPN tunnels. # # IPIP, GRE and OPENVPN tunnels must be configured on the # firewall/gateway itself. IPSEC endpoints may be defined # on the firewall/gateway or on an internal system. # # The columns are: # # TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip" # "gre", "pptpclient", "pptpserver" or "openvpn". # # If type is "openvpn", it may optionally be followed # by ":" and the port number used by the tunnel. if no # ":" and port number are included, the...