Networking Forums

VPN using ESP protocol, problems with firewall

Jon Rook
08-14-2003, 04:24 AM
Hi again,
I've been trying to enable VPN access from my laptop on my home network
through my RH7.2 Router/Firewall without much success.
I'm using a Cisco VPN application on the Win2K laptop that has settings
for transparent tunneling using either UDP (default), or TCP. The
documentation for this application says that it will not work with a
stateful firewall, hence I'm using IPCHAINS.

There are two phases to using the VPN. 1) logging in, and 2) accessing
services from the remote site like mail etc. I am able to successfully
log in to the remote site. Using ethereal, I am able to see a two-way
communication via UDP during this setup phase.

When I open my mail application, everything grinds to a halt. Ethereal
tells me that my laptop is sending numerous packets that are being
blocked by my IPCHAINS firewall. I.e., the packets appear on the local
network side of the firewall, but not on the 'outside' interface.

Ethereal says that the protocol for these packets is "ESP", and the
protocol number is 0x32. In my firewall, I have tried to allow these
packets through. I think the following rules should allow traffic from
the remote VPN machine to pass through my firewall.

$IPC -A input -i $EXTIF -p 50 -s {addr.of.remote.VPN} -j ACCEPT
$IPC -A output -i $INTIF -p 50 -s {addr.of.remote.VPN} -j ACCEPT

There are similar rules for outbound traffic from my laptop to the
remote server.

$IPC -A input -i $INTIF -p 50 -d {addr.of.remote.VPN} -j ACCEPT
$IPC -A output -i $EXTIF -p 50 -d {addr.of.remote.VPN} -j ACCEPT

There doesn't appear to be a standard UDP port number associated with
these packets.

A couple of questions.
1) If I look in the /etc/protocols file, it tells me that protocol 50
(0x32) is called "IPv6-Crypt" yet ethereal says that these packets are
"ESP". I tried putting "-p ESP" in the chains rules above and got
errors saying that there was no such protocol. The /etc/protocols file
contains no listing for ESP. That was why I tried to use the protocol
number. Are ESP and IPv6-Crypt the same thing? (I'm not using IPv6)

2) Does anyone see anything wrong with the rules I've listed above?

Any help would be greatly appreciated.

Thanks
Jon Rook

Whoever
08-14-2003, 06:39 AM
On Thu, 14 Aug 2003, Jon Rook wrote:

> Hi again,
> I've been trying to enable VPN access from my laptop on my home network
> through my RH7.2 Router/Firewall without much success.
> I'm using a Cisco VPN application on the Win2K laptop that has settings
> for transparent tunneling using either UDP (default), or TCP. The
> documentation for this application says that it will not work with a
> stateful firewall, hence I'm using IPCHAINS.


You appear to be using an IPSEC VPN which is neither a UDP VPN nor a TCP
VPN. Unless you have the appropriate configuration for IPSEC MASQ, it
won't work (assuming your router/firewall is a NAT/MASQ firewall). At one
time, this required a kernel patch -- I don't know if it was ever
incorporated into the standard kernel.

You can write a mixture of stateful and non-stateful rules with IPTABLES.
There is no need to use IPCHAINS.

>
> There are two phases to using the VPN. 1) logging in, and 2) accessing
> services from the remote site like mail etc. I am able to successfully
> log in to the remote site. Using ethereal, I am able to see a two-way
> communication via UDP during this setup phase.
>
> When I open my mail application, everything grinds to a halt. Ethereal
> tells me that my laptop is sending numerous packets that are being
> blocked by my IPCHAINS firewall. I.e., the packets appear on the local
> network side of the firewall, but not on the 'outside' interface.
>
> Ethereal says that the protocol for these packets is "ESP", and the
> protocol number is 0x32. In my firewall, I have tried to allow these
> packets through. I think the following rules should allow traffic from
> the remote VPN machine to pass through my firewall.
>
> $IPC -A input -i $EXTIF -p 50 -s {addr.of.remote.VPN} -j ACCEPT
> $IPC -A output -i $INTIF -p 50 -s {addr.of.remote.VPN} -j ACCEPT
>


You need to enable Protocol 51 as well.


> There are similar rules for outbound traffic from my laptop to the
> remote server.
>
> $IPC -A input -i $INTIF -p 50 -d {addr.of.remote.VPN} -j ACCEPT
> $IPC -A output -i $EXTIF -p 50 -d {addr.of.remote.VPN} -j ACCEPT


You need to enable Protocol 51 as well.
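The following is an added example, not code posted by either participant. It turns the advice above into an iptables rule set for a Linux router: protocols 50 (ESP) and 51 (AH) forwarded to and from one VPN gateway only, the IKE/UDP setup traffic allowed outbound, and the replies admitted through the stateful match that iptables has and ipchains lacks. It also shows why "-p ESP" failed for the original poster: the rule parser resolves names through /etc/protocols, where 50 may appear only under the alias "IPv6-Crypt" on an older distribution, so a small lookup over a constructed /etc/protocols excerpt is included. The interface names, the gateway address and UDP 10000 as the Cisco client's "IPsec over UDP" port are assumptions; UDP 500 (IKE) and UDP 4500 (NAT-T) are the standard IPsec ports.

```shell
#!/bin/sh
# Added example, not code from the thread: print iptables rules that let one
# IPsec client on the LAN reach a single remote VPN gateway through a Linux
# router, and show how a protocol name resolves to the number that
# ipchains/iptables accept. Assumptions: EXTIF/INTIF and the gateway address
# below are placeholders; UDP 500 (IKE) and UDP 4500 (NAT-T) are the standard
# IPsec ports; UDP 10000 is the Cisco client's "IPsec over UDP" default
# (assumed, check the client's transport settings). By default the rules are
# only printed ("echo iptables"); run with IPT=iptables as root to apply them.

IPT="${IPT:-echo iptables}"

# Constructed excerpt in /etc/protocols format. Protocol 50 is listed under
# its canonical name "esp" with the older alias "IPv6-Crypt"; 51 is "ah".
PROTOCOLS='ip      0       IP
icmp    1       ICMP
tcp     6       TCP
udp     17      UDP
esp     50      ESP IPv6-Crypt
ah      51      AH IPv6-Auth'

# proto_number NAME: print the protocol number whose canonical name or any
# alias matches NAME case-insensitively; fail (status 1) if there is none.
proto_number() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    n=$(printf '%s\n' "$PROTOCOLS" | awk -v want="$want" '
        /^#/ || NF < 2 { next }
        { for (i = 1; i <= NF; i++)
              if (i != 2 && tolower($i) == want) { print $2; exit } }')
    [ -n "$n" ] && printf '%s\n' "$n"
}

# ipsec_passthrough_rules EXTIF INTIF GATEWAY: emit FORWARD-chain rules.
# The hole is kept as narrow as possible: only ESP/AH and the IKE/UDP ports,
# and only to or from the one gateway address.
ipsec_passthrough_rules() {
    extif=$1; intif=$2; gw=$3
    esp=$(proto_number esp) || return 1
    ah=$(proto_number ah) || return 1
    # Raw IPsec protocols 50 (ESP) and 51 (AH), both directions.
    for p in "$esp" "$ah"; do
        $IPT -A FORWARD -i "$intif" -o "$extif" -p "$p" -d "$gw" -j ACCEPT
        $IPT -A FORWARD -i "$extif" -o "$intif" -p "$p" -s "$gw" -j ACCEPT
    done
    # Outbound IKE and UDP-encapsulation requests, stateless.
    for port in 500 4500 10000; do
        $IPT -A FORWARD -i "$intif" -o "$extif" -p udp -d "$gw" --dport "$port" -j ACCEPT
    done
    # Replies from the gateway come back through the stateful match, so no
    # blanket inbound UDP rule is needed (iptables only; ipchains has no
    # connection tracking).
    $IPT -A FORWARD -i "$extif" -o "$intif" -p udp -s "$gw" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Stand-alone run: print the rule set for placeholder interfaces/gateway.
ipsec_passthrough_rules "${EXTIF:-eth0}" "${INTIF:-eth1}" "${VPN_GW:-203.0.113.10}"
```

Two points of design. The rules go in FORWARD rather than INPUT/OUTPUT because a router only relays the client's packets; INPUT/OUTPUT matter for traffic to and from the router itself. And the ESP/AH rules only make the firewall stop dropping those packets: if the router also masquerades the LAN, ESP has no port numbers for NAT to rewrite, which is the IPSEC MASQ problem the reply refers to and the reason the client offers UDP/TCP encapsulation in the first place.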