Hello,

1st question:
Has anyone set up an L2TP client to pass through shorewall when the client initiates the connection from behind shorewall on the local lan out to some remote gateway/firewall site?

2nd question:
From what I've read (correct me if I'm wrong) on L2TP, is it that it encapsulates everything into ipsec IP 50 (ESP) and UDP 500 (IKE)?

3rd question:
If that's true then I would just need to follow the ipsec setup on the Shorewall site?

Thanks,
Joshua Banks

__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
On Fri, 8 Aug 2003, Joshua Banks wrote:

> 2nd question:
> From what I've read (correct me if I'm wrong) on L2TP, is it that it encapsulates everything into
> ipsec IP 50 (ESP) and UDP 500 (IKE)?

No -- L2TP is L2TP (P stands for PROTOCOL!). It is protocol 115. What you are describing above is IPSEC.

> 3rd question:
> If that's true then I would just need to follow the ipsec setup on the Shorewall site?

It "should just work" if you have the standard loc->net policy of ACCEPT -- but I haven't tried it.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Fri, 8 Aug 2003, Tom Eastep wrote:

> It "should just work" if you have the standard loc->net policy of ACCEPT

But you might need to forward protocol 115 to the local client system.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Nope.

L2TP and IPSec are totally different; what you're talking about relates to IPSec. L2TP uses IP/GRE and port 1701 TCP.

--On Friday, August 08, 2003 17:26 -0700 Joshua Banks <l0f33t@yahoo.com> wrote:

> Hello,
>
> 1st question:
> Has anyone set up an L2TP client to pass through shorewall when the client
> initiates the connection from behind shorewall on the local lan out to
> some remote gateway/firewall site?
>
> 2nd question:
> From what I've read (correct me if I'm wrong) on L2TP, is it that it
> encapsulates everything into
> ipsec IP 50 (ESP) and UDP 500 (IKE)?
>
> 3rd question:
> If that's true then I would just need to follow the ipsec setup on the
> Shorewall site?
>
> Thanks,
> Joshua Banks
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

--
Michael Loftis
Modwest Sr. Systems Administrator
Powerful, Affordable Web Hosting
Thanks Tom,

I thought that IP 115 was encapsulated into IP 50 (ESP). At least that's my understanding from what I've read so far. Anyways this was just a curiosity question. My girlfriend might possibly be using the L2TP protocol to tunnel into work.

Thanks,
JBanks

--- Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 8 Aug 2003, Joshua Banks wrote:
>
> > 2nd question:
> > From what I've read (correct me if I'm wrong) on L2TP, is it that it encapsulates everything into
> > ipsec IP 50 (ESP) and UDP 500 (IKE)?
>
> No -- L2TP is L2TP (P stands for PROTOCOL!). It is protocol 115. What you
> are describing above is IPSEC.
>
> > 3rd question:
> > If that's true then I would just need to follow the ipsec setup on the Shorewall site?
>
> It "should just work" if you have the standard loc->net policy of ACCEPT
> -- but I haven't tried it.
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://shorewall.net
> Washington USA    \ teastep@shorewall.net
On Fri, 8 Aug 2003, Joshua Banks wrote:

> Thanks Tom,
>
> I thought that IP 115 was encapsulated into IP 50 (ESP).

You may be right -- as I said, I've not tried it...

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
--- Michael Loftis wrote:

> Nope.
>
> L2TP and IPSec are totally different; what you're talking about relates to
> IPSec. L2TP uses IP/GRE and port 1701 TCP.

Ok.. I see. I reread the doc that I was looking at and I guess to make L2TP more secure you can use L2TP/ipsec.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/cableguy/cg0801.asp
Joshua Banks wrote:

> From what I've read (correct me if I'm wrong) on L2TP, is it that it encapsulates everything into
> ipsec IP 50 (ESP) and UDP 500 (IKE)?

You are not talking about l2tp here. You are talking about l2tp-over-ipsec (RFC 3193). So you need to pass ipsec for that to work.

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
Foobar Oy <http://foobar.fi/>
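To make Tom's and Tuomo's points concrete, here is an added example (my code, not from the thread or from Shorewall): it parses netfilter/Shorewall LOG lines and lists the rules-file entries the logged loc->net traffic would need, and flags the L2TP/IPsec case in which the UDP 1701 session rides inside ESP and is never seen by a firewall in the middle. The log prefix, addresses, sample lines and the NAT-T port 4500 are my assumptions; the rule strings follow Shorewall's ACTION SOURCE DEST PROTO DPORT columns.

```python
import re

# Tunnel components from the thread, keyed by (PROTO, DPT) as netfilter LOG
# prints them, each with the Shorewall rules line (ACTION SOURCE DEST PROTO
# DPORT) that permits it from loc to net. UDP 4500 (NAT-T, RFC 3947/3948) is
# my addition; the thread does not mention it.
KNOWN = {
    ("ESP", None): ("ipsec-esp", "ACCEPT loc net 50"),
    ("UDP", 500): ("ipsec-ike", "ACCEPT loc net udp 500"),
    ("UDP", 4500): ("ipsec-nat-t", "ACCEPT loc net udp 4500"),
    ("UDP", 1701): ("l2tp-udp", "ACCEPT loc net udp 1701"),
    ("115", None): ("l2tp-proto115", "ACCEPT loc net 115"),
}
IPSEC = {"ipsec-esp", "ipsec-ike", "ipsec-nat-t"}
L2TP = {"l2tp-udp", "l2tp-proto115"}
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log(line):
    """KEY=VALUE fields of one netfilter LOG line as a dict."""
    return dict(FIELD_RE.findall(line))

def lookup(line):
    """(label, rule) for one log line; ('other', None) if unrelated."""
    f = parse_log(line)
    dpt = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
    return KNOWN.get((f.get("PROTO"), dpt), ("other", None))

def rules_for(lines):
    """Deduplicated rules, first-seen order, that would accept the logged
    (rejected) loc->net traffic."""
    rules = []
    for line in lines:
        rule = lookup(line)[1]
        if rule and rule not in rules:
            rules.append(rule)
    return rules

def l2tp_hidden_inside_ipsec(lines):
    """True when IKE/ESP is seen but no bare L2TP: with L2TP/IPsec (RFC 3193)
    UDP 1701 rides inside ESP, so a firewall in the middle needs only the
    IPsec rules, which is where the thread ends up."""
    labels = {lookup(l)[0] for l in lines}
    return bool(labels & IPSEC) and not (labels & L2TP)

# Constructed Shorewall REJECT lines: a client behind the firewall starting an
# L2TP/IPsec session, plus one unrelated HTTP connection.
SAMPLE = [
    "Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=456 PROTO=UDP SPT=500 DPT=500",
    "Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=136 PROTO=ESP SPI=0x0a1b2c3d",
    "Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=40000 DPT=80",
]
```

Running `rules_for(SAMPLE)` yields the IKE and ESP rules only, and `l2tp_hidden_inside_ipsec(SAMPLE)` is True; a bare UDP 1701 or protocol 115 line instead produces the L2TP rule Tom mentioned.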