Thank you Cedric! So my iptables firewall that NATs everything already has the "vpn pass-thru" box checked? On 12/11/06, Cedric Blancher <blancher@xxxxxxxxxxxxxxxxxx> wrote:
On Monday 11 December 2006 at 09:50 -0800, rabbtux rabbtux wrote:
> Thanks for your patience with me :-) :P
> Customer's IT people ask, "is your ipsec, or vpn pass-thru box
> checked?" so I need to know what iptables rules that linksys/dlink
> have behind this 'feature'.

So you want to know what Linksys does when one checks the IPSEC passthrough box?... Well, actually, they just do nothing. They do something when the box is unchecked, in fact.

From the WRT54G source code, you'll see IPSec Passthrough being activated by default, i.e. when ipsec_pass=1 in NVRAM. Then look at the firewall.c file:

    /* DROP packets for IPsec pass through */
    if (nvram_match("ipsec_pass", "0"))
        save2file("-A FORWARD -o %s -p udp -m udp --dport %d -j %s\n",
                  wanface, ISAKMP_PORT, log_drop);

The same goes for PPTP and L2TP. So basically, they NAT everything, and if you happen to uncheck a VPN protocol passthrough checkbox, they block this protocol.

So back to what I was saying: IPSEC with ESP only in transport mode or NAT-Traversal.

-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
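The rule-generation logic Cedric describes, written out as a small POSIX shell emulation. This is an added example, not code from the WRT54G firmware or from anyone in the thread: it takes the three NVRAM-style pass-through flags and prints the iptables fragments the firmware would write (a MASQUERADE rule for everything, plus a FORWARD DROP per protocol whose box is unchecked). The port numbers for PPTP (tcp/1723 and GRE) and L2TP (udp/1701), and ISAKMP being udp/500, are the standard assignments; the thread names only the ISAKMP_PORT symbol. The interface name "vlan1" is a constructed sample value.

```shell
#!/bin/sh
# Added example emulating the pass-through logic described in the thread.
# Not the WRT54G's firewall.c: it only reproduces the observable rule shape.
# Assumed port numbers (standard assignments, not taken from the thread):
#   ISAKMP udp/500, PPTP tcp/1723 + GRE, L2TP udp/1701.

ISAKMP_PORT=500
PPTP_PORT=1723
L2TP_PORT=1701

# gen_passthrough_rules WANIFACE IPSEC_PASS PPTP_PASS L2TP_PASS
# Prints iptables rule fragments. A flag value of "1" (box checked, the
# firmware default) emits nothing for that protocol: "pass-through" is
# simply the absence of a block, and the traffic is NATed like anything else.
gen_passthrough_rules() {
    wanface=$1; ipsec_pass=$2; pptp_pass=$3; l2tp_pass=$4

    # Baseline: NAT everything leaving the WAN interface.
    echo "-t nat -A POSTROUTING -o $wanface -j MASQUERADE"

    # IPsec: dropping IKE (ISAKMP) negotiation is enough to stop tunnel setup.
    if [ "$ipsec_pass" = "0" ]; then
        echo "-A FORWARD -o $wanface -p udp -m udp --dport $ISAKMP_PORT -j DROP"
    fi

    # PPTP: control channel on tcp/1723 plus the GRE data channel.
    if [ "$pptp_pass" = "0" ]; then
        echo "-A FORWARD -o $wanface -p tcp -m tcp --dport $PPTP_PORT -j DROP"
        echo "-A FORWARD -o $wanface -p gre -j DROP"
    fi

    # L2TP: udp/1701.
    if [ "$l2tp_pass" = "0" ]; then
        echo "-A FORWARD -o $wanface -p udp -m udp --dport $L2TP_PORT -j DROP"
    fi
}

# count_drop_rules WANIFACE IPSEC PPTP L2TP
# Number of DROP rules the flags would produce (0 when every box is checked).
count_drop_rules() {
    gen_passthrough_rules "$@" | grep -c -- '-j DROP' || true
}

# Default firmware state: all three boxes checked, only the NAT rule appears.
gen_passthrough_rules vlan1 1 1 1
echo "--- IPsec and L2TP boxes unchecked ---"
gen_passthrough_rules vlan1 0 1 0
```

Run with `sh` and compare the two listings: the first matches a plain iptables NAT box, which is why a Linux gateway that just masquerades already behaves as if every pass-through box were ticked. The fragments are printed rather than applied so the script is safe to run anywhere; feeding them to iptables-restore is the firmware's job, not this example's.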