[CLUE-Tech] Marginally OT: VPN client
Sean LeBlanc
seanleblanc at americanisp.net
Mon Aug 11 19:50:57 MDT 2003
On 08-10 16:29, David Anselmi wrote:
> Sean LeBlanc wrote:
> >Hiya. This isn't specific to Linux, but here goes:
> >
> >Has anyone set up a Cisco 678 to allow VPN through? As of now, I'm trying
> >to get the W2K Cisco client to work.
>
> As Jeremy said, it works without any special adjustments to the 678.
>
> >I googled up a discussion that suggested this:
> >
> >set nat entry add <myinternalip> 1723 <myexternalip> 1723 TCP
> >set nat entry add <myinternalip> 0 <myexternalip> 0 47
>
> This is for PPTP (MS RAS), not IPSec (Cisco VPN). Cisco is UDP port 500
> and IP protocol 50 (IIRC).
>
> >I did this, did a write, and tried my client again. I still get an error
> >message saying the "remote peer is no longer responding."
>
> I got that too, and thought I'd have to do something fancy, or that
> IPSec wouldn't work through NAT. But Cisco's all over that so it does.
> There is a server side setting for this (called NAT traversal, or
> IPSec over UDP) and you might look for something similar on the client.
> Obviously you can't filter the IPSec traffic.
>
> [...]
> >Also, has anyone used a Linux or FreeBSD client? I did some quick googling
> >on the FreeBSD client, and what I saw didn't look too encouraging.
>
> Cisco has a Linux version of their client. I assume it is functional,
> but haven't used it.
Hmm. I'm still having no luck with this. I'm going to try w/o the Linksys in
the equation, but in the meantime, thought I'd post some more info.
That option about IPSec over UDP is the default, and I was told to use that.
A co-worker has cable, and he had the following in iptables:
-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p 50 -j ACCEPT
-A OUTPUT -o eth0 -p 50 -j ACCEPT
For grins, I did what I thought would be the Cisco 678 translation:
set nat entry add 10.0.0.2 500
set nat entry add 10.0.0.2 0 50
and put my client machine in the DMZ on LinkSys. No dice.
--
Sean LeBlanc:seanleblanc at americanisp.net
http://users.americanisp.net/~seanleblanc/
Get MLAC at: http://sourceforge.net/projects/mlac/
He who does without the praise of the crowd will not deny himself an
opportunity to be his own adherent.
-Karl Kraus
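The thread boils down to three kinds of traffic a Cisco IPsec client needs past the firewall: IKE on UDP 500, ESP as IP protocol 50, and, when the tunnel has to cross NAT, IPsec encapsulated in UDP. The script below is an added example (not something posted in the thread or shipped by Cisco) that parses iptables-save style rules like the co-worker's and reports which of those are accepted in each direction. It assumes the standard NAT-traversal port, UDP 4500; the port used by the Cisco client's own "IPSec over UDP" option is set on the concentrator, so the check takes the port as a parameter. The sample rules are the four lines from the post, copied as constructed input.

```python
"""Check iptables rules for the traffic an IPsec client needs.

Added example, not from the original thread.  Parses '-A CHAIN ...' lines
(iptables-save format) and reports whether IKE (UDP 500), ESP (IP proto 50)
and UDP-encapsulated IPsec (NAT traversal) are ACCEPTed on INPUT and OUTPUT.
"""
from typing import Dict, List, Optional

ISAKMP_PORT = 500    # IKE key exchange
ESP_PROTO = "50"     # ESP rides directly on IP, no port
NAT_T_PORT = 4500    # standard UDP encapsulation port (assumption: client uses it)

# Constructed sample input: the co-worker's rules as posted in the thread.
SAMPLE_RULES = [
    "-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT",
    "-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT",
    "-A INPUT -i eth0 -p 50 -j ACCEPT",
    "-A OUTPUT -o eth0 -p 50 -j ACCEPT",
]

# Normalise protocol names to numbers so '-p esp' and '-p 50' compare equal.
PROTO_NAMES = {"udp": "17", "tcp": "6", "esp": "50"}


def parse_rule(line: str) -> Optional[dict]:
    """Turn one '-A CHAIN ...' line into a dict; None for anything else."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    rule = {"chain": tokens[1], "proto": None, "sport": None,
            "dport": None, "target": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "-p" and nxt:
            rule["proto"] = PROTO_NAMES.get(nxt.lower(), nxt)
            i += 2
        elif tok == "--sport" and nxt:
            rule["sport"] = int(nxt)
            i += 2
        elif tok == "--dport" and nxt:
            rule["dport"] = int(nxt)
            i += 2
        elif tok == "-j" and nxt:
            rule["target"] = nxt
            i += 2
        elif tok in ("-i", "-o", "-m", "-s", "-d") and nxt:
            i += 2   # interface, match and address options: not needed here
        else:
            i += 1
    return rule


def _accepts(rule: dict, chain: str, proto: str, dport: Optional[int]) -> bool:
    """True if this rule ACCEPTs the given protocol (and port) on the chain.

    A rule with no '-p' matches every protocol; a rule with no '--dport'
    matches every port, which is how the protocol-50 rules are written.
    """
    if rule["chain"] != chain or rule["target"] != "ACCEPT":
        return False
    if rule["proto"] not in (None, proto):
        return False
    if dport is not None and rule["dport"] not in (None, dport):
        return False
    return True


def check_ipsec_rules(lines: List[str],
                      nat_t_port: int = NAT_T_PORT) -> Dict[str, bool]:
    """Map each required flow to whether some rule accepts it."""
    rules = [r for r in (parse_rule(l) for l in lines) if r]
    needs = {
        "isakmp_in":  ("INPUT",  "17", ISAKMP_PORT),
        "isakmp_out": ("OUTPUT", "17", ISAKMP_PORT),
        "esp_in":     ("INPUT",  ESP_PROTO, None),
        "esp_out":    ("OUTPUT", ESP_PROTO, None),
        "nat_t_in":   ("INPUT",  "17", nat_t_port),
        "nat_t_out":  ("OUTPUT", "17", nat_t_port),
    }
    return {name: any(_accepts(r, *spec) for r in rules)
            for name, spec in needs.items()}


def missing(lines: List[str], nat_t_port: int = NAT_T_PORT) -> List[str]:
    """Names of the flows no rule accepts (empty list means all present)."""
    return [k for k, ok in check_ipsec_rules(lines, nat_t_port).items() if not ok]


if __name__ == "__main__":
    for name, ok in check_ipsec_rules(SAMPLE_RULES).items():
        print(f"{name:12s} {'ok' if ok else 'MISSING'}")
```

Run against the posted rules, the check passes IKE and ESP in both directions but flags the NAT-traversal flow as missing, which is the case the thread is stuck on: behind a NAT box the ESP rule alone is not enough, and the UDP port the encapsulation uses has to be let through as well.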