<Axel@congos-tools.com>
2004-May-07 21:55 UTC
RE: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8 ip subnet)
Hi Andy,

As the IPSEC stuff is rather OT for this list I will email you directly.

Axel

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of Andreas Bittner
Sent: Friday, 7 May 2004 23:50
To: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8 ip subnet)

> First of all, I am missing your IKE entries (UDP port 500).

What do you mean? Like I said earlier, I have the following lines in my rules file:

ACCEPT net:145.253.216.28 loc:192.168.100.112 50
#ACCEPT net:145.253.216.28 loc:192.168.100.112 51
ACCEPT net:145.253.216.28 loc:192.168.100.112 udp 500,4500
ACCEPT net:145.253.218.28 loc:192.168.100.112 50
#ACCEPT net:145.253.218.28 loc:192.168.100.112 51
ACCEPT net:145.253.218.28 loc:192.168.100.112 udp 500,4500

The loc zone is allowed to do everything towards the inet, and Tom advised me to add these entries, as it is also similar to the last table on the bottom of the page http://www.shorewall.net/VPN.htm

> Also, what kind of identification are you using (ADDRESS=IP, or
> USER_FQDN, or FQDN)? This should actually be defined by Arcor.

This is a good question, since I am really not in charge of the whole stuff with these ipsec tests, but I hear that Arcor provides some website, which generates some entries in the Windows registry by ActiveX/Internet Explorer means or something, which set the policies and stuff you refer to. I don't think it's FQDN or address/IP since this all works fine if I connect the win2k box to the internet with simple dialup/modem/ISDN. Now I am trying to access the ipsec servers of Arcor from inside a small company LAN which has those 8 official IP addresses as I described before. I am not much of an ipsec expert, but what identification would you think about in these scenarios?

I heard something about preshared keys or whatever, since this ipsec access is being used by some people traveling/roadwarriors and we want to use it for remote access of another company LAN. So it's probably not something related to FQDN/IP addresses, since these change all the time when I use modem/dialup/ISDN or connect from different places to the public inet, and then want to establish the ipsec tunnel to Arcor. Or what do you think?

Thanks.
andy

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
Andreas Bittner
2004-May-07 22:49 UTC
ipsec pass through working for now [was: Re: what is needed for ipsec pass through with static nat (rfc1918 static nat to routable 8 ip subnet)]
Just one more piece of information for now: it's working now, after installing this 818043 L2TP/IPsec NAT-T update for win2k:
http://support.microsoft.com/default.aspx?scid=kb;en-us;818043

I haven't changed anything on the Linux firewall since my last mail, so this update is handling the NAT stuff better now. No more raw entries in netstat-nat, only:

udp 17 179 src=192.168.100.112 dst=145.253.216.28 sport=4500 dport=4500 src=145.253.216.28 dst=123.123.123.125 sport=4500 dport=4500 [ASSURED] use=1

and

udp 192.168.100.112:4500 145.253.216.28:4500 ASSURED

I didn't look in the first place whether this update was installed, as Windows Update didn't display that it was missing, and I manually downloaded the patch from the Windows Update catalog and forced it to install.

Thanks again for all the help.
andy.
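A small check, added here and not part of either message in the thread: a Python parser for connection-tracking entries in the 2.4-era /proc/net/ip_conntrack layout that the netstat-nat line above was read from. It classifies each flow of the internal client by the same protocols the rules file from the earlier message allows (ESP protocol 50, AH 51, UDP 500 for IKE, UDP 4500 for NAT-T), confirms that the reply direction carries the public static-NAT address rather than the RFC1918 one, and reports whether the client is actually using NAT-T instead of raw ESP, which is what the 818043 update changed. The function and field names are my own; the first sample line copies the entry quoted above, the remaining sample lines (including the "unknown" protocol name for a raw ESP entry) are constructed.

```python
"""Classify conntrack entries to confirm an IPsec client behind static NAT
uses NAT-T (UDP 4500) and that its reply tuple carries the public address.
Added example; line layout follows 2.4-kernel /proc/net/ip_conntrack."""
import re
from dataclasses import dataclass, field

IKE_PORT, NAT_T_PORT = 500, 4500   # UDP ports from the rules file
PROTO_ESP, PROTO_AH = 50, 51       # IP protocol numbers from the rules file
TUPLE_KEYS = {"src", "dst", "sport", "dport"}
TOKEN = re.compile(r"(\w+)=(\S+)")


@dataclass
class Flow:
    proto_name: str
    proto_num: int
    timeout: int
    orig: dict                      # original direction (client -> peer)
    reply: dict                     # reply direction (peer -> NATted client)
    flags: list = field(default_factory=list)


def parse_conntrack_line(line):
    """proto-name, proto-number and timeout come first; key=value pairs fill
    the original tuple until a key repeats, after which they fill the reply
    tuple. Bracketed words ([ASSURED]) are flags; other words (TCP state,
    use=) are ignored."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("short conntrack line: %r" % line)
    orig, reply, flags = {}, {}, []
    for tok in parts[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok.strip("[]"))
            continue
        m = TOKEN.match(tok)
        if not m or m.group(1) not in TUPLE_KEYS:
            continue
        key, val = m.groups()
        (reply if key in orig else orig)[key] = val
    return Flow(parts[0], int(parts[1]), int(parts[2]), orig, reply, flags)


def classify(flow):
    """Map a flow onto the IPsec building blocks the firewall rules allow."""
    if flow.proto_num == PROTO_ESP:
        return "esp"
    if flow.proto_num == PROTO_AH:
        return "ah"
    if flow.proto_name == "udp":
        ports = {int(flow.orig.get("sport", 0)), int(flow.orig.get("dport", 0))}
        if NAT_T_PORT in ports:
            return "nat-t"
        if IKE_PORT in ports:
            return "ike"
    return "other"


def nat_applied(flow):
    """True when the reply destination is not the private source address,
    i.e. the firewall rewrote the client to its static public address."""
    return flow.reply.get("dst") not in (None, flow.orig.get("src"))


def ipsec_nat_report(lines, client):
    """Count IPsec-related flows of one internal client and flag flows whose
    reply tuple still shows the private address (NAT not applied)."""
    report = {"ike": 0, "nat-t": 0, "esp": 0, "ah": 0, "unnatted": []}
    for line in lines:
        if not line.strip():
            continue
        flow = parse_conntrack_line(line)
        if flow.orig.get("src") != client:
            continue
        kind = classify(flow)
        if kind == "other":
            continue
        report[kind] += 1
        if not nat_applied(flow):
            report["unnatted"].append(kind)
    # NAT-T is in use when UDP/4500 flows exist and no raw ESP flow remains.
    report["nat_t_in_use"] = report["nat-t"] > 0 and report["esp"] == 0
    return report


# Constructed samples. AFTER_UPDATE's first line is the entry from the mail;
# BEFORE_UPDATE assumes a raw ESP entry printed with the generic "unknown" name.
AFTER_UPDATE = """
udp 17 179 src=192.168.100.112 dst=145.253.216.28 sport=4500 dport=4500 src=145.253.216.28 dst=123.123.123.125 sport=4500 dport=4500 [ASSURED] use=1
udp 17 29 src=192.168.100.112 dst=145.253.216.28 sport=500 dport=500 src=145.253.216.28 dst=123.123.123.125 sport=500 dport=500 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.100.50 dst=145.253.2.11 sport=33000 dport=80 src=145.253.2.11 dst=123.123.123.122 sport=80 dport=33000 [ASSURED] use=1
"""
BEFORE_UPDATE = """
udp 17 29 src=192.168.100.112 dst=145.253.216.28 sport=500 dport=500 src=145.253.216.28 dst=123.123.123.125 sport=500 dport=500 [ASSURED] use=1
unknown 50 599 src=192.168.100.112 dst=145.253.216.28 src=145.253.216.28 dst=123.123.123.125 use=1
"""

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_UPDATE), ("after", AFTER_UPDATE)):
        print(label, ipsec_nat_report(sample.splitlines(), "192.168.100.112"))
```

Run it against `cat /proc/net/ip_conntrack` output (or the equivalent conntrack listing on a newer kernel, whose layout differs slightly) with the client's private address; an `unnatted` entry means the static NAT rule did not match that flow, and `esp` counts with `nat_t_in_use` false mean the peer is still sending raw ESP, which a NAT cannot rewrite per client.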