[TriLUG] iptables and VPNs

Brian Weaver weave at oculan.com
Fri Feb 6 17:06:33 EST 2004


Scratch that!!!

I should have used 'DNAT', Doh!

-Weave


Brian Weaver wrote:
> I used to have a configuration for this, but then Nortel axed my reason 
> for keeping the config current.
> 
> If it is for Nortel they should be able to get you the information. I 
> got the information for setting up my firewall from Nortel. I probably 
> would still have the config but the disk with it bit the dust, that 
> didn't help.
> 
> I saw this (found using google)
> 
> ---
> Hi,
> 
> You need to open UDP port no. 500 in case you are using IPSec/IKE as the
> protocol.  Otherwise you need to open TCP port no. 1723 in case you are
> using PPTP.  For L2TP, it is 1701.
> 
> 
> ---
> 
> Port 500 rings a bell. I think I just did something SIMILAR to:
> 
> iptables -t nat -A PREROUTING -s ${NORTEL}/32 \
>     -d ${FWHOST}/32 -p udp --destination-port 500 \
>     -j SNAT --to-source ${WINDOWS}
> 
> 
> 
> -Weave
> 
> 
> Tarus Balog wrote:
> 
>> Gang:
>>
>> Anyone have experience fixing up VPN access through an iptables-based  
>> firewall? We have a linux box that acts like a router, and I was  
>> recently in need of a VPN connection through that firewall to a  
>> client's site. The VPN was by NORTEL, and I had to use the Contivity  
>> VPN client for Windows to access it. I *think* it was IKE based, but 
>> I am not even sure what that means (grin).
>>
>> My connection would establish, but then I would start losing packets  
>> (verified by repeated pings) until nothing would go through, over the  
>> span of about five minutes. I moved my system outside the firewall 
>> and these problems went away.
>>
>> Clues?
>>
>> -T
>>
>> ___________________________________________________________________________
>> Tarus Balog, OpenNMS Maintainer            Main:        +1 919 545 2553
>> Blast Internet Services, Inc.            Fax:            +1 503-961-7746
>> Email: tarus at opennms.org                URL: http://www2.blast.com/tarus
>> PGP Key Fingerprint: 8945 8521 9771 FEC9 5481  512B FECA 11D2 FD82 B45C
>>
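The corrected form of the rule (DNAT in PREROUTING, as the follow-up says) together with the protocol/port mapping quoted above, as an added example that is not code from the thread. The addresses are constructed stand-ins for ${NORTEL}, ${FWHOST} and ${WINDOWS}, and the ESP rule goes beyond what the thread mentions.

```shell
#!/bin/sh
# Added example: print iptables rules that pass an inbound VPN handshake from the
# remote gateway, arriving at the firewall's public address, on to the inside
# Windows host. Rules are printed, not applied, so they can be reviewed first.

# Constructed addresses standing in for the thread's ${NORTEL}, ${FWHOST}, ${WINDOWS}.
NORTEL=203.0.113.10     # remote VPN gateway
FWHOST=198.51.100.2     # firewall's public address
WINDOWS=192.168.1.20    # inside host running the VPN client

# Protocol and port for each VPN flavour, as quoted in the thread.
vpn_port() {
    case "$1" in
        ipsec|ike) echo "udp 500" ;;
        pptp)      echo "tcp 1723" ;;
        l2tp)      echo "udp 1701" ;;
        *)         return 1 ;;
    esac
}

# Inbound rewrites change the destination, so they are DNAT in nat/PREROUTING.
# SNAT rewrites the source and is only accepted in nat/POSTROUTING (and INPUT),
# which is the mistake the follow-up message corrects.
vpn_dnat_rules() {
    spec=$(vpn_port "$1") || return 1
    proto=${spec% *}
    port=${spec#* }
    printf 'iptables -t nat -A PREROUTING -s %s/32 -d %s/32 -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$NORTEL" "$FWHOST" "$proto" "$port" "$WINDOWS"
    # The rewritten packet must also be allowed through the filter table.
    printf 'iptables -A FORWARD -s %s/32 -d %s/32 -p %s --dport %s -j ACCEPT\n' \
        "$NORTEL" "$WINDOWS" "$proto" "$port"
    if [ "$port" = 500 ]; then
        # Not in the thread: after IKE completes, the IPsec data travels as ESP
        # (IP protocol 50), which has to be forwarded the same way.
        printf 'iptables -t nat -A PREROUTING -s %s/32 -d %s/32 -p esp -j DNAT --to-destination %s\n' \
            "$NORTEL" "$FWHOST" "$WINDOWS"
        printf 'iptables -A FORWARD -s %s/32 -d %s/32 -p esp -j ACCEPT\n' \
            "$NORTEL" "$WINDOWS"
    fi
}

# Usage: sh vpn_rules.sh ike | sudo sh      (vpn_rules.sh is a constructed name)
if [ -n "${1:-}" ]; then
    vpn_dnat_rules "$1" || { echo "unknown VPN type: $1" >&2; exit 1; }
fi
```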