Shorewall users - Nov 2003 - IPSec pass through

Hello People,

I am trying to get one LAN-computer access an remote VPN.

10.0.66.x->my-firewall->----internet----<-remote-firewall<-customer-comp-with-officialIP


http://www.shorewall.net/ports.htm does suggest to put "IPSEC" at the
protocol field.
though IPSEC is not recognized by /etc/protocols
nothing bad, just a useless hint as u need to put "ESP" or
"AH" there

this didnt help either:
ACCEPT  loc:10.0.66.x        net     udp     500
ACCEPT  loc:10.0.66.x        net     udp     4500
ACCEPT  loc:10.0.66.x        net     tcp     10000


the LAN-PC is some w2k-box with Cisco-VPN-client
my FW is running debian(Linux version 2.4.20) with shorewall 1.3.11a




what is the problem? is it me?;)


-- 
${HOME}/.signature:	cannot open: No such file or directory.

> Hello People,
>
> I am trying to get one LAN-computer access an remote VPN.
>
>
10.0.66.x->my-firewall->----internet----<-remote-firewall<-customer-comp-with-officialIP
>
>
> http://www.shorewall.net/ports.htm does suggest to put "IPSEC" at
the
> protocol field. though IPSEC is not recognized by /etc/protocols
> nothing bad, just a useless hint as u need to put "ESP" or
"AH" there
I don''t see what you are talking about. There is one instance of
''IPSEC''
on that page and it is a heading. Under that heading, the text advocates
putting "50" or "51" in the procotol field.

Note that AH cannot be passed through NAT.
>
> this didnt help either:
> ACCEPT  loc:10.0.66.x        net     udp     500
> ACCEPT  loc:10.0.66.x        net     udp     4500
> ACCEPT  loc:10.0.66.x        net     tcp     10000
>
>
> the LAN-PC is some w2k-box with Cisco-VPN-client
> my FW is running debian(Linux version 2.4.20) with shorewall 1.3.11a
>
>
>
>
> what is the problem? is it me?;)
>
Did you look at http://www.shorewall.net/VPN.htm?

-Tom
-- 
Tom Eastep     \ Nothing is foolproof to a sufficiently talented fool
Shoreline       \ http://www.shorewall.net
Washington, USA  \ teastep@shorewall.net