On Friday 21 May 2004 12:19, Antony Stone wrote:

> How do you route reply packets from those two public IPs back to the
> sender?

OK, problem with UDP solved... again, many many thanks!

But a little problem still remains with IPsec. On the firewall we have OpenSwan to connect from remote places. Inside our intranet, however, some of us use IPsec clients, such as SSH Sentinel or SafeNet LT, to connect to remote IPsec servers (using NAT-T encapsulation).

What happens when an intranet user (10.0.0.40) tries to connect to a remote IPsec server (81.113.x.y)?

  10.0.0.40 -----> [MASQ - 10.0.0.1] ----> 81.113.x.y
  10.0.0.40 <-xx- [MASQ - 10.0.0.1] <--- 81.113.x.y

The reply to the IPsec packet was NOT forwarded and was taken by OpenSwan on 10.0.0.1 with, of course, "who are you and why the f&%k are you calling me?".

To enable the firewall (10.0.0.1) to accept IPsec connections I've used the following rules:

  # IPSEC
  $IPTABLES -A INPUT -i $INET_IFACE -p udp --dport 500 -j ACCEPT   # IKE (ISAKMP)
  $IPTABLES -A INPUT -i $INET_IFACE -p 50 -j ACCEPT                # ESP
  $IPTABLES -A INPUT -i $INET_IFACE -p 51 -j ACCEPT                # AH

How can I keep MASQ working correctly?

Oz

-- 
I always had a repulsive need to be something more than human.
-- David Bowie
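Added illustration, not part of the post above and not OpenSwan or netfilter code: a toy model of the MASQUERADE reply path for IKE (UDP/500) on a firewall whose own IKE daemon already owns port 500. It assumes conntrack rewrites a colliding source port and that the remote peer may reply either to the port it saw or, as some IKE implementations do, always to UDP/500; the addresses are constructed.

```python
# Constructed toy model of conntrack + MASQUERADE for UDP/500 (IKE) on a firewall
# that also runs its own IKE daemon. Not real netfilter code; addresses are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Masq:
    """Minimal stand-in for the NAT table on the firewall."""

    def __init__(self, wan_ip: str, local_udp_ports: set):
        self.wan_ip = wan_ip
        self.local_ports = set(local_udp_ports)  # ports used by the firewall's own daemons
        self.table = {}                          # (peer, peer_port, wan_port) -> (lan, lan_port)

    def _pick_port(self, wanted: int, peer: str, peer_port: int) -> int:
        # Keep the client's source port when free; otherwise walk upward to avoid a
        # tuple collision (assumption: the firewall's own IKE flow counts as taken).
        port = wanted
        while port in self.local_ports or (peer, peer_port, port) in self.table:
            port += 1
        return port

    def outbound(self, p: Pkt) -> Pkt:
        """LAN -> WAN: rewrite the source and remember the mapping for the reply."""
        wan_port = self._pick_port(p.sport, p.dst, p.dport)
        self.table[(p.dst, p.dport, wan_port)] = (p.src, p.sport)
        return Pkt(self.wan_ip, wan_port, p.dst, p.dport)

    def inbound(self, p: Pkt):
        """WAN -> firewall: reverse the NAT if a mapping matches, else hand to INPUT."""
        key = (p.src, p.sport, p.dport)
        if key in self.table:
            lan, lan_port = self.table[key]
            return "FORWARD", Pkt(p.src, p.sport, lan, lan_port)
        return "INPUT", p   # no mapping: the firewall's own IKE daemon receives it


REMOTE = "198.51.100.7"   # constructed stand-in for the remote IPsec server
CLIENT = "10.0.0.40"      # intranet IPsec client
FW_WAN = "203.0.113.1"    # constructed public address of the masquerading firewall


def simulate(reply_port_follows_nat: bool) -> str:
    """Return the chain that handles the peer's IKE reply in each case."""
    fw = Masq(FW_WAN, local_udp_ports={500})      # the firewall's IKE daemon owns UDP/500
    out = fw.outbound(Pkt(CLIENT, 500, REMOTE, 500))
    reply_to = out.sport if reply_port_follows_nat else 500   # case A vs. case B
    chain, _ = fw.inbound(Pkt(REMOTE, 500, FW_WAN, reply_to))
    return chain
```

Case A (`simulate(True)`) reaches FORWARD and the client gets its reply; case B (`simulate(False)`) lands in INPUT, which is the symptom the post describes, so checking the peer's reply port in a packet capture is the first thing to verify.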