VPN / ipchains / masquerade linux 2.4.22

hey all together,

i know this is a kind of annoying but again i have a question about
VPN Masquerading with ipchains.

Okay lets start with my network setup:

Win/VPN Client
Win/other CLient ---> Linux / iptables masq --> internet --> VPN
Server
....

The internal IP addresse are all some kind of 192.168.203.*

The Linux box is up with a 2.4.22 kernel. following ipchains are now
inserted:

ipchains -L
Chain input (policy ACCEPT):
Chain forward (policy DENY):
target prot opt source destination
ports
MASQ all ------ 192.168.203.0/24 anywhere n/a
Chain output (policy ACCEPT):

So every-thing internal is routed to external.

Now this is what I want:
The VPN won't conntact to the VPN Server of my work. It'S a nortel
Client with IpSec and says something about: can't get Banner.

Now I already know that I have to open the Port 500. Now ipchains -L
says:

Chain input (policy ACCEPT):
target prot opt source destination
ports
ACCEPT udp ------ anywhere anywhere any
-> isakmp
Chain forward (policy DENY):
target prot opt source destination
ports
MASQ all ------ 192.168.203.0/24 anywhere n/a
Chain output (policy ACCEPT):

So port 500 is quite open. Now the VPN CLient still says the same.

What should i do? do i have to open another set of ports? I can't
really get the clue of the dosuments located at:
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

Can anybody help and tell what to do next?

thanks in advanced

-Thijs Metsch

HI!

Recently I've read something about that. The problem ist NAT. NAT
manipulates the IP-packets and that's not "allowed". There's just one way:
You have to encapsulate (masq) ESP-packets into UDP-packets. That reason for
you have to have ipsec-traverse support compiled into you kernel. But that's
only possible for ESP-protocol whereas in case of AH it's not.
Initially I thought it's just a few config-lines to add but...well... it's
not that easy.
But I didn't test it yet... it's just that I've read about...



"Thijs Metsch" <(E-Mail Removed)> schrieb im Newsbeitrag
news:(E-Mail Removed) om...
> hey all together,
>
> i know this is a kind of annoying but again i have a question about
> VPN Masquerading with ipchains.
>
> Okay lets start with my network setup:
>
> Win/VPN Client
> Win/other CLient ---> Linux / iptables masq --> internet --> VPN
> Server
> ...
>
> The internal IP addresse are all some kind of 192.168.203.*
>
> The Linux box is up with a 2.4.22 kernel. following ipchains are now
> inserted:
>
> ipchains -L
> Chain input (policy ACCEPT):
> Chain forward (policy DENY):
> target prot opt source destination
> ports
> MASQ all ------ 192.168.203.0/24 anywhere n/a
> Chain output (policy ACCEPT):
>
> So every-thing internal is routed to external.
>
> Now this is what I want:
> The VPN won't conntact to the VPN Server of my work. It'S a nortel
> Client with IpSec and says something about: can't get Banner.
>
> Now I already know that I have to open the Port 500. Now ipchains -L
> says:
>
> Chain input (policy ACCEPT):
> target prot opt source destination
> ports
> ACCEPT udp ------ anywhere anywhere any
> -> isakmp
> Chain forward (policy DENY):
> target prot opt source destination
> ports
> MASQ all ------ 192.168.203.0/24 anywhere n/a
> Chain output (policy ACCEPT):
>
> So port 500 is quite open. Now the VPN CLient still says the same.
>
> What should i do? do i have to open another set of ports? I can't
> really get the clue of the dosuments located at:
> http://www.impsec.org/linux/masquerade/ip_masq_vpn.html
>
> Can anybody help and tell what to do next?
>
> thanks in advanced
>
> -Thijs Metsch