Cisco VPN Client + IP protocol 50 (ESP)

From: Darren Beale (mail@delete.the.obvious.bealers.com)
Date: 06/28/02


Hi there

I'm trying to get a Cisco VPN client talking to a Pix firewall at work.
However, it has to get through my Linux/IPTables firewall, and I don't
think I've configured it properly (as it doesn't work).

The Cisco instructions contain this:
<quote
src="http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/nonwin35/user_gd/install.htm#xtocid7">
If you are running a Linux firewall (for example, ipchains or iptables),
be sure that the following types of traffic are allowed to pass through:
* UDP port 500
* UDP port 10000 (or any other port number being used for IPSec/UDP)
* IP protocol 50 (ESP)
* TCP port configured for IPSec/TCP
</quote>

Which has led me to the following rules:
# allow vpn client
iptables -I INPUT -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 -m state --state ESTABLISHED -j ACCEPT
iptables -I INPUT -p udp --dport 10000 -j ACCEPT
iptables -I OUTPUT -p udp --sport 10000 -m state --state ESTABLISHED -j ACCEPT
#ESP/AH Stuff
iptables -A INPUT -i ppp0 -p 50 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p 50 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p 50 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p 51 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p 51 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p 51 -m state --state ESTABLISHED -j ACCEPT

The VPN client still doesn't work:
"Unable to establish Phase 1 SA with server "xxx.xxx.xxx.xxx" because of
"DEL_REASON_PEER_NOT_RESPONDING"". Annoyingly it works on my wife's XP box
using the Cisco windose client.

FWIW, the firewall machine is running a handbuilt Linux using LFS 3.0 and
the client machine is running SUSE 8.0 (the personal-firewall thing is
not running on the SUSE client).

Can anyone see where I'm going wrong?

best regards

Darren Beale
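An added example, not part of the original post, for the layout it describes: a Linux box that forwards for a separate LAN client. Packets that pass through a Linux firewall traverse the FORWARD chain (INPUT and OUTPUT only see packets addressed to or sent by the firewall itself), so this function emits FORWARD rules for the four traffic types the Cisco document lists; the interface names (eth0 LAN side, ppp0 Internet side) and the concentrator address are assumptions, and the function names are hypothetical.

```shell
# Added example. Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"

# Usage: vpn_passthrough_rules <lan_if> <wan_if> [pix_ip]
# Opens IKE (UDP 500), IPsec-over-UDP (Cisco default UDP 10000), ESP (IP
# protocol 50) and AH (IP protocol 51) from the LAN to the concentrator,
# restricted to the concentrator's address when one is given.
vpn_passthrough_rules() {
    lan="$1"; wan="$2"; pix="${3:-0.0.0.0/0}"

    # Replies to anything conntrack already tracked. ESP and AH have no
    # ports, so the generic tracker keys on the address pair; an inbound
    # ESP packet matches ESTABLISHED once the client's first outbound
    # ESP packet created the entry.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # IKE and IPsec/UDP, client -> PIX (UDP, so ordinary port matches).
    for port in 500 10000; do
        $IPT -A FORWARD -i "$lan" -o "$wan" -d "$pix" -p udp --dport "$port" \
             -m state --state NEW -j ACCEPT
    done

    # ESP and AH, client -> PIX: raw IP protocols, matched by number only.
    for proto in 50 51; do
        $IPT -A FORWARD -i "$lan" -o "$wan" -d "$pix" -p "$proto" \
             -m state --state NEW -j ACCEPT
    done

    # ESP and AH from the PIX that conntrack has no entry for yet, e.g.
    # after the generic tracker's entry timed out during an idle tunnel.
    # ESP carries no port numbers for a NAT to key on, which is why the
    # IPsec-over-UDP transport exists; if this box also NATs the client,
    # prefer that transport.
    for proto in 50 51; do
        $IPT -A FORWARD -i "$wan" -o "$lan" -s "$pix" -p "$proto" -j ACCEPT
    done
}

# Dry-run self-check: number of FORWARD rules the function would add.
count_vpn_rules() {
    IPT=echo vpn_passthrough_rules "$1" "$2" "$3" | grep -c 'FORWARD'
}
```

Run `IPT=echo vpn_passthrough_rules eth0 ppp0 <pix-address>` first to review the rules before applying them with the real binary.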


