Hello!

I'm trying to connect with a Windows PC running an AT&T client software
to my company's VPN gateway and fail to do so. The Windows PC is
connected to my home LAN with a Linux gateway doing IP masquerading.

The setup is like this:

-------         -------         ========      -------
- Win - -Lan->  - Lin - -DSL->  = Inet = ->   - VPN -
-------    /    -------         ========      -------
          /
------- /
- PC2 - -
-------

As you can see, the "Lin" Linux gateway is connected to the Internet
through a "dial-up" DSL connection. My DSL provider doesn't provide
static IPs, so it is using dynamic IPs ;)

For my internal LAN, I'm using IP masquerading, so that I'm able
to connect to the Internet with more than 1 PC.

The supporters here at my company tell me that I'm unable to connect
to the company's VPN servers, because my Linux router doesn't do/support
"IPsec pass through". Well, that might be the case, I don't know.

How do I have to set up my Linux 2.4.20 router using iptables v1.2.6a
so that it does "IPsec pass through"?

Here's the output of iptables-save:

# Generated by iptables-save v1.2.6a on Tue Nov 26 17:08:56 2002
*filter
:INPUT ACCEPT [154463:26208407]
:FORWARD ACCEPT [10780:550322]
:OUTPUT ACCEPT [170787:53607884]
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 10.20.30.0/255.255.255.0 -j ACCEPT
COMMIT
# Completed on Tue Nov 26 17:08:56 2002
# Generated by iptables-save v1.2.6a on Tue Nov 26 17:08:56 2002
*nat
:PREROUTING ACCEPT [18806:973058]
:POSTROUTING ACCEPT [8453:605815]
:OUTPUT ACCEPT [5835:635949]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1214 -j DNAT --to-destination 10.20.30.22:1214
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.20.30.22:4662
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 10.20.30.22:6346
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6699 -j DNAT --to-destination 10.20.30.22:6699
-A PREROUTING -i ppp0 -p udp -m udp --dport 1214 -j DNAT --to-destination 10.20.30.22:1214
-A PREROUTING -i ppp0 -p udp -m udp --dport 6257 -j DNAT --to-destination 10.20.30.22:6257
-A PREROUTING -i ppp0 -p udp -m udp --dport 6346 -j DNAT --to-destination 10.20.30.22:6346
-A POSTROUTING -s 10.20.30.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Nov 26 17:08:56 2002

Thanks a lot!

Alexander Skwar
-- 
How to quote: http://learn.to/quote (German) http://quote.6x.to (English)
Homepage: http://www.iso-top.biz | Jabber: askwar@a-message.de
iso-top.biz - the inexpensive way to get Linux distributions
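
Added example, not part of the original post: a small Python check that replays the traffic IPsec generates (IKE on UDP 500, NAT-T on UDP 4500, ESP as IP protocol 50, AH as IP protocol 51) against the FORWARD and POSTROUTING rules from the iptables-save output above. The client address 10.20.30.10 and all function names are assumptions; the parser handles only plain option/value pairs as they appear in this ruleset (no `!` negation, no interface matching).

```python
import ipaddress
import shlex

# Rules copied from the post's iptables-save output, trimmed to the FORWARD and
# POSTROUTING chains that a forwarded VPN packet traverses.
RULESET = """\
*filter
:FORWARD ACCEPT [10780:550322]
-A FORWARD -s 10.20.30.0/255.255.255.0 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [8453:605815]
-A POSTROUTING -s 10.20.30.0/255.255.255.0 -j MASQUERADE
COMMIT
"""
PROTO = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}
# Flows an IPsec client can emit: (protocol, destination port or None).
IPSEC_FLOWS = {"IKE": ("udp", 500), "NAT-T": ("udp", 4500),
               "ESP": ("esp", None), "AH": ("ah", None)}

def parse(text):
    """Return {table: {chain: {"policy": str, "rules": [option dict]}}}."""
    tables, table = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table[chain] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            tok = shlex.split(line)
            # Assumes every option takes exactly one value, true for this ruleset.
            table[tok[1]]["rules"].append(dict(zip(tok[2::2], tok[3::2])))
    return tables

def verdict(tables, table, chain, src, proto, dport=None):
    """Target of the first matching rule, else the chain policy."""
    ch = tables[table][chain]
    for r in ch["rules"]:
        if "-s" in r and ipaddress.ip_address(src) not in ipaddress.ip_network(r["-s"]):
            continue
        if "-p" in r and PROTO.get(r["-p"]) != PROTO[proto]:
            continue
        if "--dport" in r and r["--dport"] != str(dport):
            continue
        return r["-j"]
    return ch["policy"]

def audit(text, client):
    """Map each IPsec flow to its (filter/FORWARD, nat/POSTROUTING) verdict."""
    t = parse(text)
    return {name: (verdict(t, "filter", "FORWARD", client, p, port),
                   verdict(t, "nat", "POSTROUTING", client, p, port))
            for name, (p, port) in IPSEC_FLOWS.items()}
```

For a LAN client, `audit(RULESET, "10.20.30.10")` reports ACCEPT in FORWARD and MASQUERADE in POSTROUTING for all four flows, so the filter rules drop none of this traffic. What remains is how the gateway's NAT treats it: AH authenticates the outer IP header and does not survive address rewriting, and ESP has no port numbers for the NAT to track.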