Re: Cisco VPN Client + IP protocol 50 (ESP)
From: x y (jamescagney90210@excite.com) Date: 06/29/02
- Next message: x y: "Re: WHICH ARE THE BEST FIREWALLS???"
- Previous message: Sara: "Re: Netgear RT314 Router- how can I see my served pages from inside my network?"
- In reply to: Darren Beale: "Cisco VPN Client + IP protocol 50 (ESP)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "x y" <jamescagney90210@excite.com> Date: Sat, 29 Jun 2002 09:27:13 -0400
Any chance your vpn client is also attempting to use AH in addition to ESP?
It appears you've opened up ESP but not AH. In any case, I would probably
first check the logs on your router/firewall to see what, if anything, is
being blocked.
You could also install a sniffer such as network monitor or ethereal or
sygate firewall or windump [if the client is windows] to see if any traffic
that you aren't expecting is trying to go out.
"Darren Beale" <mail@delete.the.obvious.bealers.com> wrote in message
news:3D1CC6EF.50306@delete.the.obvious.bealers.com...
> Hi there
>
> I'm trying to get a Cisco VPN client talking to a Pix firewall at work.
> However, it has to get through my Linux/IPTables firewall, and I don't
> think I've configured it properly (as it doesn't work)
>
> The Cisco instructions contain this:
> <quote src="http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/nonwin35/user_gd/install.htm#xtocid7">
> If you are running a Linux firewall (for example, ipchains or iptables),
> be sure that the following types of traffic are allowed to pass through:
> * UDP port 500
> * UDP port 10000 (or any other port number being used for IPSec/UDP)
> * IP protocol 50 (ESP)
> * TCP port configured for IPSec/TCP
> </quote>
>
> Which has led me to the following rules:
> # allow vpn client
> iptables -I INPUT -p udp --dport 500 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 500 -m state --state ESTABLISHED -j ACCEPT
> iptables -I INPUT -p udp --dport 10000 -j ACCEPT
> iptables -I OUTPUT -p udp --sport 10000 -m state --state ESTABLISHED -j ACCEPT
> #ESP/AH Stuff
> iptables -A INPUT -i ppp0 -p 50 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o ppp0 -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i ppp0 -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o ppp0 -p 50 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -i ppp0 -p 51 -m state --state ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o ppp0 -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A INPUT -i ppp0 -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
> iptables -A OUTPUT -o ppp0 -p 51 -m state --state ESTABLISHED -j ACCEPT
>
> The VPN client still doesn't work:
> "Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of
> "DEL_REASON_PEER_NOT_RESPONDING". Annoyingly it works on my wife's XP box
> using the Cisco windose client.
>
> FWIW, the firewall machine is running a hand-built Linux using LFS 3.0 and
> the client machine is running SUSE 8.0 (the personal-firewall thing is
> not running on the SUSE client).
>
> Can anyone see where I'm going wrong?
>
> best regards
>
> Darren Beale
>
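An added example, not part of either message in this thread: the rules quoted above only touch INPUT and OUTPUT, which govern packets addressed to or sent by the firewall box itself; a VPN client on a separate machine behind the firewall (as described above) is forwarded, so its IKE, IPSec/UDP, ESP and AH traffic is decided in the FORWARD chain. The script below emits FORWARD rules for the four traffic types the Cisco guide lists, ends the chain with a LOG rule so that anything still blocked shows up in the kernel log (the "check the logs" step the reply suggests), and includes a small awk summariser for those log lines. The LAN interface name eth0, the log prefix "FW-DROP: " and the sample log lines are assumptions or constructed for the example; NAT for the LAN is outside its scope. By default it only prints the commands; run it as root with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example (not code from the original thread): FORWARD rules for a
# Cisco VPN client behind a Linux/iptables firewall, plus a log summariser.
# Assumptions: LAN on eth0 (assumed), Internet on ppp0 (named in the thread).
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"

# Print (DRY_RUN=1, the default) or execute an iptables command.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Allow the traffic types listed in the Cisco client guide through FORWARD:
# client -> server on NEW,ESTABLISHED, server -> client only on ESTABLISHED.
ipsec_forward_rules() {
    # IKE (ISAKMP) on UDP/500 and Cisco IPSec/UDP encapsulation on UDP/10000
    for port in 500 10000; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p udp --dport "$port" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p udp --sport "$port" \
            -m state --state ESTABLISHED -j ACCEPT
    done
    # ESP (IP protocol 50) and AH (IP protocol 51) have no ports, only a protocol
    for proto in 50 51; do
        ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p "$proto" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" \
            -m state --state ESTABLISHED -j ACCEPT
    done
    # Log whatever is still dropped so the kernel log shows what was blocked
    ipt -A FORWARD -j LOG --log-prefix "FW-DROP: " --log-level 4
    ipt -A FORWARD -j DROP
}

# Read iptables LOG lines (as seen in /var/log/messages or dmesg) on stdin
# and print "PROTO DPT count" per blocked flow type, sorted.
summarize_drops() {
    awk '/FW-DROP:/ {
        proto = "?"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        count[proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Constructed sample log lines (not real captures) in the LOG target's format:
# two blocked IKE packets and one blocked ESP packet from a LAN client.
sample_log() {
    cat <<'EOF'
Jun 29 09:27:13 fw kernel: FW-DROP: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=500 DPT=500 LEN=40
Jun 29 09:27:14 fw kernel: FW-DROP: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=UDP SPT=500 DPT=500 LEN=40
Jun 29 09:27:15 fw kernel: FW-DROP: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=203.0.113.5 LEN=84 PROTO=ESP SPI=0x12345678
Jun 29 09:27:16 fw kernel: eth0: link up
EOF
}

# Stand-alone run: show the rules (dry run unless DRY_RUN=0) and the summary.
ipsec_forward_rules
sample_log | summarize_drops
```

In the summary output, "UDP 500" blocked on the way out means IKE phase 1 never leaves the firewall, which matches a PEER_NOT_RESPONDING error on the client; an "ESP -" line means phase 1 completed but the tunnel's data packets are being dropped. Once the rules are applied, the FW-DROP lines for those flows should stop appearing.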