It seems to me that ipsecnat tunnel type is not complete.

Latest drafts of ipsec nat-traversal use udp port 4500 for nat-traversal communications. (It's called port floating). That is needed to get rid of ugly ipsec passthru devices.

Now ipsecnat opens port udp/500 from any source port.

And I think ipsecnat won't work at all with gw zone defined? I'm not sure about that because I didn't have time to test.

--- firewall~ 2002-12-28 11:27:57.000000000 +0200 +++ firewall 2003-01-07 00:58:08.000000000 +0200 @@ -1344,6 +1344,7 @@ run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options else run_iptables -A $inchain -p udp -s $1 --dport 500 $options + run_iptables -A $inchain -p udp -s $1 --dport 4500 $options fi for z in `separate_list $3`; do

--
Tuomo Soini <tis@foobar.fi> http://tis.foobar.fi/
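Review bot: the added `run_iptables -A $inchain -p udp -s $1 --dport 4500 $options` only covers the `$inchain` rule for the peer address; the gateway-zone loop that begins at the trailing context line `for z in \`separate_list $3\`; do` is left untouched, so an ipsecnat tunnel with a gw zone defined still gets no UDP/4500 rule for the zone, which is exactly the gw-zone problem raised in the message. Suggest giving the loop body the same 500/4500 treatment as the else branch here. The new rule also omits `--sport`, matching the existing `--dport 500 $options` line; that is correct for this tunnel type (a NAT between the peers rewrites the source port, so `--sport 4500` would not match), and is worth a one-line comment or documentation note so nobody later "tightens" it back to `--sport 4500`.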
--On Tuesday, January 07, 2003 01:01:49 AM +0200 Tuomo Soini <tis@foobar.fi> wrote:

> It seems to me that ipsecnat tunnel type is not complete.
>
> Latest drafts of ipsec nat-traversal use udp port 4500 for nat-traversal
> communications. (It's called port floating). That is needed to get rid of
> ugly ipsec passthru devices.
>
> Now ipsecnat opens port udp/500 from any source port.
>
> And I think ipsecnat won't work at all with gw zone defined? I'm not sure
> about that because I didn't have time to test.
>
> --- firewall~ 2002-12-28 11:27:57.000000000 +0200 > +++ firewall 2003-01-07 00:58:08.000000000 +0200 > @@ -1344,6 +1344,7 @@ > run_iptables -A $inchain -p udp -s $1 --sport 500 --dport > 500 $options else > run_iptables -A $inchain -p udp -s $1 --dport 500 $options > + run_iptables -A $inchain -p udp -s $1 --dport 4500 $options > fi > > for z in `separate_list $3`; do >

Thanks, Tuomo

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA   \ teastep@shorewall.net
--On Tuesday, January 07, 2003 01:01:49 AM +0200 Tuomo Soini <tis@foobar.fi> wrote:

>
> And I think ipsecnat won't work at all with gw zone defined? I'm not sure
> about that because I didn't have time to test.
>

Did you have something like this in mind?

RCS file: /usr/local/cvs/Shorewall/firewall,v
retrieving revision 1.156
diff -a -u -r1.156 firewall
--- firewall 6 Jan 2003 22:57:05 -0000 1.156 +++ firewall 6 Jan 2003 23:16:26 -0000 @@ -1367,12 +1367,18 @@ run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options else run_iptables -A $inchain -p udp -s $1 --dport 500 $options + run_iptables -A $inchain -p udp -s $1 --dport 4500 $options fi for z in `separate_list $3`; do if validate_zone $z; then addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options - addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options + if [ $2 = ipsec ]; then + addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options + else + addrule ${z}2${FW} -p udp --dport 500 $options + addrule ${z}2${FW} -p udp --dport 4500 $options + fi else error_message "Warning: Invalid gateway zone ($z)" \ " -- Tunnel \"$tunnel\" may encounter keying problems"

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.sf.net
Washington USA   \ teastep@shorewall.net
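Review bot: `if [ $2 = ipsec ]; then` leaves `$2` unquoted, so if the tunnel-type field is ever empty or contains whitespace the test degenerates to `[ = ipsec ]` and the whole rule generation aborts with a shell syntax error; write `if [ "$2" = ipsec ]; then`. Second, the `addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options` line immediately above the new `if` is unchanged, so for the non-ipsec case the zone now accepts UDP/500 and UDP/4500 from any source port into the firewall, but the firewall-to-zone direction is still restricted to 500->500; unless an ESTABLISHED match elsewhere in the chain covers the firewall's own 4500 traffic, a matching `addrule ${FW}2${z} -p udp --dport 4500 $options` belongs in the else branch as well. Third, the else branch is taken for every type that is not literally `ipsec`, not only `ipsecnat`; if this function is ever reached with another tunnel type it will silently get the NAT-T rules, so either test for `ipsecnat` explicitly or note the intent in a comment.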
Tom Eastep wrote:

> Did you have something like this in mind?

Yes. It seemed to me that there was no ipsecnat support if gw zone was defined. But because I have not used gw zone I was not sure if that's necessary.

--
Tuomo Soini <tis@foobar.fi> http://tis.foobar.fi/
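As an added example that is not part of this thread and not Shorewall code: the classifier below shows what a `--dport 4500` rule actually admits once IKE has floated, which is the reason the first message gives for opening the port. After port floating, UDP/4500 carries three kinds of datagram: IKE prefixed with a four-byte zero "Non-ESP Marker", ESP encapsulated directly in UDP, and a one-byte NAT keepalive. The framing follows RFC 3947 and RFC 3948, the published form of the NAT-T drafts the thread refers to; the sample datagrams are constructed for the demonstration, and the function and constant names are my own.

```python
"""Classify datagrams on the IPsec UDP ports after NAT-Traversal "port floating".

Added example for this thread; not Shorewall code and not code from either
poster. Framing follows RFC 3947 (IKE on UDP/4500 behind a Non-ESP Marker)
and RFC 3948 (UDP-encapsulated ESP and the one-byte keepalive). All sample
datagrams are constructed, not captured.
"""
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that marks IKE on UDP/4500 (RFC 3947)
NAT_KEEPALIVE = b"\xff"                # one-byte NAT-T keepalive (RFC 3948)
ISAKMP_HEADER_LEN = 28                 # fixed header size shared by IKEv1 and IKEv2


def parse_isakmp_header(ike: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP/IKE header; payloads are not parsed."""
    if len(ike) < ISAKMP_HEADER_LEN:
        return {"kind": "ike", "error": "truncated ISAKMP header"}
    i_spi, r_spi, next_payload, version, exch_type, flags, msg_id, length = \
        struct.unpack("!8s8sBBBBII", ike[:ISAKMP_HEADER_LEN])
    return {
        "kind": "ike",
        "initiator_spi": i_spi.hex(),
        "responder_spi": r_spi.hex(),
        "next_payload": next_payload,
        "major_version": version >> 4,
        "minor_version": version & 0x0F,
        "exchange_type": exch_type,
        "flags": flags,
        "message_id": msg_id,
        "length": length,
        "length_ok": length == len(ike),   # length field must cover the whole message
    }


def classify_natt_payload(payload: bytes) -> dict:
    """Classify a UDP/4500 payload as keepalive, IKE or UDP-encapsulated ESP.

    An ESP SPI of zero is reserved, so four leading zero bytes can only be the
    Non-ESP Marker in front of an IKE message; anything else with at least an
    8-byte ESP header (SPI, sequence number) is treated as ESP.
    """
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if payload[:4] == NON_ESP_MARKER:
        return parse_isakmp_header(payload[4:])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "unknown"}


def classify_udp(dport: int, payload: bytes) -> dict:
    """Port 500 carries bare ISAKMP; only port 4500 uses the marker scheme."""
    if dport == 500:
        return parse_isakmp_header(payload)
    if dport == 4500:
        return classify_natt_payload(payload)
    return {"kind": "not-an-isakmp-port"}


# Constructed samples: an IKEv2 IKE_SA_INIT header with no payloads, an ESP
# datagram with a made-up SPI, and a keepalive.
SAMPLE_IKE_ON_4500 = NON_ESP_MARKER + struct.pack(
    "!8s8sBBBBII",
    bytes.fromhex("0102030405060708"),  # initiator SPI (made up)
    bytes(8),                            # responder SPI, still zero in IKE_SA_INIT
    33,                                  # next payload: SA
    0x20,                                # version 2.0
    34,                                  # exchange type: IKE_SA_INIT
    0x08,                                # flags: Initiator
    0,                                   # message ID
    ISAKMP_HEADER_LEN,                   # length: header only
)
SAMPLE_ESP_ON_4500 = struct.pack("!II", 0xC0FFEE01, 7) + bytes(16)  # SPI, seq, dummy ciphertext
SAMPLE_KEEPALIVE = NAT_KEEPALIVE

if __name__ == "__main__":
    for name, dport, data in [
        ("IKE_SA_INIT after float", 4500, SAMPLE_IKE_ON_4500),
        ("ESP-in-UDP", 4500, SAMPLE_ESP_ON_4500),
        ("NAT keepalive", 4500, SAMPLE_KEEPALIVE),
        ("IKE before float", 500, SAMPLE_IKE_ON_4500[4:]),
    ]:
        print(f"{name:24s} udp/{dport}: {classify_udp(dport, data)}")
```

The firewall consequence is the one the patch encodes: a `--dport 4500` rule admits keying traffic and the encrypted ESP stream alike, and because a NAT in the path rewrites the source port, the rule cannot also match on `--sport`. If you need to tell IKE from ESP on the wire (for logging, rate limiting or an IDS signature), the four-byte marker is the only reliable discriminator.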