Re: Connection to SonicWall VPN through Linux IPTABLES Firewall/Proxy

From: Wolfgang Kueter <wolfgang@shconnect.de>
Date: Wed Nov 23 2005 - 01:02:57 CET

ajkessel wrote:

> [...]
> I'm pretty much stumped.

Actually I'm not surprised. If you read my postings in this thread
carefully again you might realize that I told you already several days
ago to terminate the VPN on a public IP. And if you read the IPsec
protocol specification you might even understand why I told you this. The
VPN endpoint can be either your Linux box using e.g. OpenSwan or the
Sonicwall. NAT'ting IPsec requires NAT traversal and that is definitely
something to avoid, especially when setting up a site to site tunnel.

If the Linux box is the VPN endpoint, simply something like

---8<---
# Sample for IPsec connections on the VPN endpoint itself
# IKE key exchange: UDP port 500 in both directions
iptables -A INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
# we need to allow ESP (IP protocol 50)
iptables -A INPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
# and AH (IP protocol 51)
iptables -A INPUT -p 51 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
---8<---

will do. There is no need to fiddle around with the forward chain when
using the right architecture with the VPN Gateway placed in the
appropriate position.

> Any additional suggestions would be much appreciated.

*Never* terminate an IPsec (site to site) VPN on a private IP
(10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) behind a NAT gateway or
you'll run into serious problems; always terminate the VPN on a public,
routable IP address.

Wolfgang
Received on Sat Dec 3 04:17:57 2005
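The following is an added example and not part of Wolfgang's post. It wraps the same six rules (IKE on UDP 500, ESP, AH) in a small POSIX shell script that restricts them to the WAN interface and the peer's address instead of accepting from any source, and that refuses to generate rules at all if the local endpoint address is RFC 1918 space, which is the mistake the post warns about. The interface name `eth0`, the local address `203.0.113.5` and the peer address `198.51.100.7` are constructed sample values; the script only prints the iptables commands, so it can be reviewed before being piped into a shell on the gateway.

```shell
#!/bin/sh
# Added example (not from the original post). Emits iptables rules for a
# Linux box that is itself the IPsec endpoint, with a sanity check that the
# local endpoint address is not a private (RFC 1918) address behind NAT.

# is_rfc1918 ADDR -> returns 0 if ADDR is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# generate_ipsec_rules WAN_IF LOCAL_IP PEER_IP
# Prints the rules, one per line. Fails (exit 1) if LOCAL_IP is private,
# because an IPsec site-to-site endpoint should not sit behind NAT.
generate_ipsec_rules() {
    wan_if="$1"; local_ip="$2"; peer="$3"
    if is_rfc1918 "$local_ip"; then
        echo "refusing: $local_ip is a private address; terminate the VPN on a public IP" >&2
        return 1
    fi
    # IKE: UDP 500 <-> UDP 500, only between this endpoint and the peer
    printf 'iptables -A INPUT  -i %s -p udp -s %s -d %s --sport 500 --dport 500 -j ACCEPT\n' "$wan_if" "$peer" "$local_ip"
    printf 'iptables -A OUTPUT -o %s -p udp -s %s -d %s --sport 500 --dport 500 -j ACCEPT\n' "$wan_if" "$local_ip" "$peer"
    # ESP, IP protocol 50
    printf 'iptables -A INPUT  -i %s -p 50 -s %s -d %s -j ACCEPT\n' "$wan_if" "$peer" "$local_ip"
    printf 'iptables -A OUTPUT -o %s -p 50 -s %s -d %s -j ACCEPT\n' "$wan_if" "$local_ip" "$peer"
    # AH, IP protocol 51
    printf 'iptables -A INPUT  -i %s -p 51 -s %s -d %s -j ACCEPT\n' "$wan_if" "$peer" "$local_ip"
    printf 'iptables -A OUTPUT -o %s -p 51 -s %s -d %s -j ACCEPT\n' "$wan_if" "$local_ip" "$peer"
}

# Usage (constructed sample values): review the output, then pipe it into sh.
#   generate_ipsec_rules eth0 203.0.113.5 198.51.100.7
#   generate_ipsec_rules eth0 203.0.113.5 198.51.100.7 | sh
```

Binding the rules to the peer and the interface keeps the ESP/AH/IKE openings from being usable by arbitrary hosts, and the private-address check catches the NAT'd-endpoint configuration before any rule reaches the kernel.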