On 04.07.2009 03:21, Martin wrote:
[...]
> Here is a diagram, just for fun ;)
>
> MS-client ==== /ext interface/ Linux GW /internal interface/ ==== LAN
>
>
> What I see is that user completes ipsec auth, and then tries to connect
> to the l2tpd's port (7101) on the external interface, and then I must
> accept connections in that port, or the vpn connection fails.
>
>
> Any suggestions how to let connections on udp 1701 only to connections
> before authenticated by ipsec?

On the openswan machine, mark the ESP packets and accept only marked packets to the l2tpd daemon:

# iptables -t mangle -A PREROUTING -i $EXT_INT -p 50 -j MARK --set-mark 1
# iptables -A INPUT -i $EXT_INT -m mark --mark 1 -j ACCEPT
# iptables -A INPUT -i $EXT_INT -p udp --dport 1701 -j DROP

-- 
Eray

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
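The rule set from the reply above, as an added example script that is not part of the thread. It reproduces the mark-based approach but tightens the ACCEPT rule to UDP/1701 only (the original accepts every marked packet), keeps the DROP rule after the ACCEPT because iptables rule order decides, and adds a second function using the xt_policy match, which asks the kernel directly whether a packet arrived IPsec-protected and so needs no marking; that match is not mentioned in the thread and its availability is an assumption. The script assumes the kernel-native IPsec stack (XFRM/NETKEY), where the decapsulated L2TP packet keeps the mark set on the ESP packet that carried it. The interface names and the IPT variable are the example's own; IPT defaults to echo so the script only prints rules unless you run it with IPT=iptables.

```shell
#!/bin/sh
# Added example (not from the netfilter list thread): restrict L2TP (UDP/1701)
# on the external interface to packets that arrived inside ESP.
# Assumes XFRM/NETKEY IPsec, where the inner packet inherits the ESP packet's mark.
# IPT defaults to "echo" (dry run); set IPT=iptables to apply for real.
IPT="${IPT:-echo}"

l2tp_ipsec_rules() {
    ext_if="$1"        # external interface, e.g. eth0 (caller-supplied, assumed)
    mark="${2:-1}"     # packet mark used to tag ESP-carried packets
    # 1. tag every ESP packet (IP protocol 50) arriving on the external interface
    $IPT -t mangle -A PREROUTING -i "$ext_if" -p 50 -j MARK --set-mark "$mark"
    # 2. accept L2TP only when the packet carries that mark, i.e. it came out of ESP
    $IPT -A INPUT -i "$ext_if" -p udp --dport 1701 -m mark --mark "$mark" -j ACCEPT
    # 3. any other packet for UDP/1701 on the external interface is dropped;
    #    this rule must come after the ACCEPT, since iptables stops at the first match
    $IPT -A INPUT -i "$ext_if" -p udp --dport 1701 -j DROP
}

# Alternative without marking (xt_policy match; assumed to be available on the box):
# the match is true only for packets the kernel decapsulated from an IPsec ESP SA.
l2tp_policy_rules() {
    ext_if="$1"
    $IPT -A INPUT -i "$ext_if" -p udp --dport 1701 \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    $IPT -A INPUT -i "$ext_if" -p udp --dport 1701 -j DROP
}

# Count the rules a rule function emits (dry run only); a quick sanity check.
rule_count() { "$@" | grep -c . ; }

# When run as a script with an interface argument, print (or apply) the mark-based rules.
[ "${1:-}" = "" ] || l2tp_ipsec_rules "$1"
```

Run `sh l2tp-rules.sh eth0` to review the generated rules, then `IPT=iptables sh l2tp-rules.sh eth0` to install them; with either variant, a plain UDP/1701 packet on the external interface that was never inside ESP hits the DROP rule, which is the check Martin asked for.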