Networking Forums

Cisco VPN Client: iptables rules

 
 
bruce_phipps@my-deja.com
      12-29-2008, 08:59 AM
I am using Cisco VPN Client 4.04 on Linux to log onto the VPN server
at my workplace. I use a standalone RedHat 7.3 laptop at home, with
iptables firewall and connect via a dial-up modem link. (a very simple
setup using old fashioned technology!)

I need advice on setting up iptables on my Linux laptop to work with
VPN Client.
The VPN Client works *fine* in the following cases:

(i) If I turn off the iptables firewall completely; or

(ii) If I use the following iptables rules:

# Allow incoming connections to port 500
iptables -A INPUT -j ACCEPT -p udp --dport 500

# Allow all udp traffic out!
iptables -A OUTPUT -j ACCEPT -p udp

Any ideas for a more elegant replacement to the "all udp" OUTPUT rule?
I have tried every combination of ports 500 and 4500 for this rule I
can think of.

Thanks
Bruce
 
Chris Davies
      12-30-2008, 12:35 PM
(E-Mail Removed) <(E-Mail Removed)> wrote:
> I am using Cisco VPN Client 4.04 on Linux to log onto the VPN server
> at my workplace.

I find vpnc a good alternative.

> The VPN Client works *fine* in the following cases:
> (ii) If I use the following iptables rules:
>
> # Allow incoming connections to port 500
> iptables -A INPUT -j ACCEPT -p udp --dport 500
>
> # Allow all udp traffic out!
> iptables -A OUTPUT -j ACCEPT -p udp
>
> Any ideas for a more elegant replacement to the "all udp" OUTPUT rule?

What does wireshark (ethereal), or its command-line friend tshark
(tcpdump) show you? Something like this should show you VPN related
traffic:

tshark -i any -nlp proto UDP and port 500

Once you can see the traffic you should be able to determine the
necessary rules.

Regards,
Chris
 
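
Putting Chris's advice and Bruce's question together: once the capture shows which flows the client actually opens, the blanket "all udp out" rule can be replaced by rules scoped to the VPN peer. The script below is an added example, not code from either poster; it reads tcpdump-style output (a constructed sample, as if taken with `tcpdump -n host <server>`; tshark's default output format differs) and prints the matching iptables rules. The server address 203.0.113.5, the laptop address 192.0.2.10 and the traffic mix (ISAKMP on 500, NAT-T on 4500, raw ESP, TCP 10000) are assumptions for the sample.

```shell
#!/bin/sh
# Constructed sample of tcpdump-style output (not a real capture), as if taken
# with "tcpdump -n host 203.0.113.5" while the VPN client connected.
# 203.0.113.5 = assumed VPN server, 192.0.2.10 = assumed laptop address.
CAPTURE=$(cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident
12:00:01.100001 IP 203.0.113.5.500 > 192.0.2.10.500: isakmp: phase 1 R ident
12:00:02.000001 IP 192.0.2.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:00:03.000001 IP 192.0.2.10.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0000a1b2,seq=0x1)
12:00:03.500001 IP 203.0.113.5.4500 > 192.0.2.10.4500: UDP-encap: ESP(spi=0x0000c3d4,seq=0x1)
12:00:04.000001 IP 192.0.2.10 > 203.0.113.5: ESP(spi=0x0000e5f6,seq=0x2), length 116
12:00:05.000001 IP 192.0.2.10.41234 > 203.0.113.5.10000: Flags [S], seq 1, win 5840, length 0
EOF
)

# vpn_targets SERVER < capture
# Prints one "proto port" line per distinct outbound flow to SERVER (port is
# "-" for bare ESP). Inbound lines are ignored: replies are handled by conntrack.
vpn_targets() {
    awk -v srv="$1" '
        $2 == "IP" && $4 == ">" {
            dst = $5; sub(/:$/, "", dst)            # "a.b.c.d.port:" -> "a.b.c.d.port"
            if (dst == srv) { print "esp -"; next }  # no port at all: raw ESP
            pfx = srv "."
            if (index(dst, pfx) != 1) next           # destination is not the VPN peer
            port = dst; sub(/.*\./, "", port)        # keep only the port
            proto = ($0 ~ /Flags \[/) ? "tcp" : "udp"   # tcpdump shows Flags only for TCP
            print proto, port
        }' | sort -u
}

# vpn_rules SERVER < capture
# Prints (does not execute) iptables rules scoped to the VPN peer, replacing
# "iptables -A OUTPUT -j ACCEPT -p udp".
vpn_rules() {
    srv="$1"
    vpn_targets "$srv" | while read -r proto port; do
        if [ "$proto" = esp ]; then
            # ESP has no ports; allow both directions to/from the peer explicitly.
            echo "iptables -A OUTPUT -p esp -d $srv -j ACCEPT"
            echo "iptables -A INPUT -p esp -s $srv -j ACCEPT"
        else
            echo "iptables -A OUTPUT -p $proto -d $srv --dport $port -j ACCEPT"
        fi
    done
    # Return traffic for the UDP/TCP flows above comes back as ESTABLISHED.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}
printf '%s\n' "$CAPTURE" | vpn_rules 203.0.113.5
```

Flows to other hosts never produce a rule, so the client's DNS or web traffic has to be allowed (or not) on its own merits rather than riding on an "all udp" exception.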
bruce_phipps@my-deja.com
      12-31-2008, 08:20 AM
On 30 Dec, 13:35, Chris Davies <chris-use...@roaima.co.uk> wrote:
> bruce_phi...@my-deja.com <bruce_phi...@my-deja.com> wrote:
> > I am using Cisco VPN Client 4.04 on Linux to log onto the VPN server
> > at my workplace.
>
> I find vpnc a good alternative.
>
> > The VPN Client works *fine* in the following cases:
> > (ii) If I use the following iptables rules:
> > # Allow incoming connections to port 500
> > iptables -A INPUT -j ACCEPT -p udp --dport 500
> > # Allow all udp traffic out!
> > iptables -A OUTPUT -j ACCEPT -p udp
> > Any ideas for a more elegant replacement to the "all udp" OUTPUT rule?
>
> What does wireshark (ethereal), or its command-line friend tshark
> (tcpdump) show you? Something like this should show you VPN related
> traffic:
>
> tshark -i any -nlp proto UDP and port 500
>
> Once you can see the traffic you should be able to determine the
> necessary rules.
>
> Regards,
> Chris


Thanks, Chris. I may try vpnc.
tcpdump is not included in RH7.3.
Anyways, I am updating to a more modern distribution. Hopefully one
where I do not need to grapple with iptables!
Bruce
 
Robert
      12-31-2008, 03:29 PM
On Wed, 31 Dec 2008 01:20:00 -0800, (E-Mail Removed) wrote:

> On 30 Dec, 13:35, Chris Davies <chris-use...@roaima.co.uk> wrote:
>> bruce_phi...@my-deja.com <bruce_phi...@my-deja.com> wrote:
>> > I am using Cisco VPN Client 4.04 on Linux to log onto the VPN server
>> > at my workplace.
>>
>> I find vpnc a good alternative.
>>
>> > The VPN Client works *fine* in the following cases:
>> > (ii) If I use the following iptables rules:
>> > # Allow incoming connections to port 500
>> > iptables -A INPUT -j ACCEPT -p udp --dport 500
>> > # Allow all udp traffic out!
>> > iptables -A OUTPUT -j ACCEPT -p udp
>> > Any ideas for a more elegant replacement to the "all udp" OUTPUT rule?
>>
>> What does wireshark (ethereal), or its command-line friend tshark
>> (tcpdump) show you? Something like this should show you VPN related
>> traffic:
>>
>> tshark -i any -nlp proto UDP and port 500
>>
>> Once you can see the traffic you should be able to determine the
>> necessary rules.
>>
>> Regards,
>> Chris
>
> Thanks, Chris. I may try vpnc.
> tcpdump is not included in RH7.3.
> Anyways, I am updating to a more modern distribution. Hopefully one
> where I do not need to grapple with iptables!
> Bruce


If memory serves me correctly Cisco VPN uses port 10000


--

Regards
Robert

Linux User #296285
http://counter.li.org

 
Chris Davies
      01-01-2009, 12:41 AM
Robert <(E-Mail Removed)> wrote:
> If memory serves me correctly Cisco VPN uses port 10000


That's its default, yes, but I see no reason why the OP's server
administrators could not have changed it to 500. (Daft maybe, but
certainly possible.)

Chris
 