[TriLUG] iptables and VPNs

Jon Carnes jonc at nc.rr.com
Fri Feb 6 20:43:13 EST 2004


On Fri, 2004-02-06 at 15:58, Tarus Balog wrote:
> Gang:
> 
> Anyone have experience fixing up VPN access through an iptables-based
> firewall? We have a linux box that acts like a router, and I was
> recently in need of a VPN connection through that firewall to a
> client's site. The VPN was by NORTEL, and I had to use the Contivity
> VPN client for Windows to access it. I *think* it was IKE based, but I
> am not even sure what that means (grin).
> 
> My connection would establish, but then I would start losing packets
> (verified by repeated pings) until nothing would go through, over the
> span of about five minutes. I moved my system outside the firewall and
> these problems went away.
> 
> Clues?
> 
> -T

If you are going to be doing IPSec through a firewall, then do yourself
a favor and bring up an OpenBSD firewall and use that as your gateway
for any VPN traffic.

You can mangle and coerce a 2.4 linux kernel into allowing IKE to pass
through, but OpenBSD has been doing this (and doing it well) for several
years now.

You might be tired of my beating on this drum, but this is the exact
niche that OpenBSD is designed to serve best...

Jon Carnes
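An added example (not from Jon's reply or from the thread) of what "allowing IKE to pass through" an iptables router comes down to: the FORWARD rules for IKE on UDP/500, ESP (IP protocol 50) and, where the client sits behind NAT, NAT-T on UDP/4500. Interface names, addresses and the choice of one inside client are assumptions.

```shell
#!/bin/sh
# Added example: FORWARD rules on a Linux/iptables router so that one inside
# host can reach an IPsec VPN gateway outside. IPsec needs three things through
# the firewall: IKE on UDP/500, ESP (IP protocol 50) and, when the client is
# behind NAT, NAT-T on UDP/4500 (only if both ends support it).
# Assumed (not from the thread): LAN on eth1, Internet on eth0,
# client 192.168.1.50, VPN gateway 203.0.113.1 (placeholder address).
# Set DRY_RUN=1 to print the rules instead of loading them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else iptables "$@"; fi
}

# $1 LAN interface, $2 WAN interface, $3 inside client, $4 outside VPN gateway
# Rules are appended; on a chain with a final DROP rule, load them before it.
ipsec_passthrough_rules() {
    lan_if=$1; wan_if=$2; client=$3; gateway=$4
    # IKE (ISAKMP) on UDP/500, both directions explicitly, so the return path
    # does not depend on a conntrack UDP entry surviving an idle period.
    run -A FORWARD -i "$lan_if" -o "$wan_if" -p udp -s "$client" -d "$gateway" --dport 500 -j ACCEPT
    run -A FORWARD -i "$wan_if" -o "$lan_if" -p udp -s "$gateway" -d "$client" --sport 500 -j ACCEPT
    # NAT-T: IKE and UDP-encapsulated ESP on UDP/4500.
    run -A FORWARD -i "$lan_if" -o "$wan_if" -p udp -s "$client" -d "$gateway" --dport 4500 -j ACCEPT
    run -A FORWARD -i "$wan_if" -o "$lan_if" -p udp -s "$gateway" -d "$client" --sport 4500 -j ACCEPT
    # ESP carries no ports, so match on the protocol alone. If this router
    # masquerades the LAN, ESP cannot be told apart by port; rely on NAT-T or
    # give the client an un-NATed address rather than on NAT carrying raw ESP.
    run -A FORWARD -i "$lan_if" -o "$wan_if" -p esp -s "$client" -d "$gateway" -j ACCEPT
    run -A FORWARD -i "$wan_if" -o "$lan_if" -p esp -s "$gateway" -d "$client" -j ACCEPT
}

# Load as root:            sh ipsec-pass.sh apply
# Preview without loading: DRY_RUN=1 sh ipsec-pass.sh apply
if [ "${1:-}" = "apply" ]; then
    ipsec_passthrough_rules eth1 eth0 192.168.1.50 203.0.113.1
fi
```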
