From: Eric B K. <er...@ki...> - 2002-04-30 20:04:02
All,

This is a follow-up message for the post originally titled "ip_masq_ipsec.o for Bering". After communicating with three different sources on the Netfilter mailing list, here are the results. There are /no/ additional modules required. Below is a brief of the messages exchanged...

[my post]
> Howdy All,
>
> I am using Linux with kernel 2.4.18 as a firewall that is doing NAT. I need
> to be able to make an IPSec connection _through_ this firewall to an IPSec
> server on the internet.
>
> I am told that I need to have the modules ip_conntrack_ipsec.o and
> ip_nat_ipsec.o for my Linux 2.4.18 Firewall to be able to NAT this
> connection. It was also mentioned that a Mr. Harald Welte may have posted
> these on the netfilter site.
>
> I have gone through the FAQ, browsed the HOWTO, and done some cursory
> searching of the mail archive with no helpful results. Any guidance on this
> would be greatly appreciated.
>
> Regards,
> Eric

[reply]
Who has told you about this? The modules don't exist, at least not provided
by the netfilter/iptables project. I also haven't heard that some 3rd party
is providing those modules.

--
Live long and prosper
- Harald Welte / la...@gn...

[my post]
> Are there any required modifications, other than just /not/ restricting the
> required ports, to be able to pass IPsec traffic when using your Linux
> system as a router and performing NAT?

[response from Julian Gomez]
Nope. Let IKE + ESP/AH traffic through. That's it.

[interesting test results from Pavlos]
I did some tests last week and I found out that one VPN client behind the
gateway can connect with the VPN server, but two cannot! My VPN client uses
IPSEC with UDP protocol and port 500, and protocol 50. From ip_conntrack I
saw that when 2 clients tried to connect to the VPN server only one had an
established connection for protocol 50; the second only had traffic for UDP
protocol and port 500.

Pavlos

Thanks to everybody for spurring me into this.

/Eric
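The test result Pavlos reports (two clients behind one MASQUERADE gateway, only one gets a protocol-50 entry) follows from how a port-less protocol is tracked. The model below is an added illustration written for this page, not netfilter code and not anything posted in the thread: it simulates a connection-tracking table plus source NAT to a single public address. UDP (the IKE leg on port 500) carries ports, so the gateway can rewrite the source port of the second client and keep the two flows apart. ESP (protocol 50) has no ports, and a 2.4 kernel tracks it generically by (src, dst, proto) alone, so the second client's translated reply tuple (server -> public IP, proto 50) is already owned by the first client and the mapping cannot be made unique. All addresses are constructed sample values; the port-search order is an assumption of the model, not the kernel's exact algorithm.

```python
"""Model of netfilter-style connection tracking plus MASQUERADE for two IPsec
clients behind one NAT gateway. Added illustration for this page, not
netfilter code. All addresses below are constructed sample values."""
import itertools
from dataclasses import dataclass

UDP, ESP = 17, 50      # IP protocol numbers: IKE rides on UDP/500, ESP is protocol 50
IKE_PORT = 500


@dataclass(frozen=True)
class Flow:
    """Connection-tracking tuple. sport/dport stay 0 for port-less protocols."""
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0

    def reply(self):
        """Tuple the other side's packets will carry."""
        return Flow(self.dst, self.src, self.proto, self.dport, self.sport)


class MasqGateway:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.nat = {}       # original outbound tuple -> translated tuple
        self.inbound = {}   # translated reply tuple -> original outbound tuple

    def _install(self, orig, xlated):
        self.nat[orig] = xlated
        self.inbound[xlated.reply()] = orig
        return xlated

    def outbound(self, pkt):
        """Apply source NAT to a packet leaving the LAN; None means dropped."""
        if pkt in self.nat:
            return self.nat[pkt]
        if pkt.proto == UDP:
            # Ports give the NAT a dimension to vary: keep the original source
            # port if its reply tuple is free, otherwise take an unused one
            # (the search order here is an assumption of the model).
            for sport in itertools.chain((pkt.sport,), range(1024, 65536)):
                cand = Flow(self.public_ip, pkt.dst, UDP, sport, pkt.dport)
                if cand.reply() not in self.inbound:
                    return self._install(pkt, cand)
            return None
        # Generic (port-less) protocol: the tuple is only (src, dst, proto),
        # so there is nothing the NAT can rewrite to make it unique.
        cand = Flow(self.public_ip, pkt.dst, pkt.proto)
        if cand.reply() in self.inbound:
            return None     # reply tuple already owned by another inside host
        return self._install(pkt, cand)

    def reply_to(self, pkt):
        """Inside host that owns a packet arriving from the internet, or None."""
        orig = self.inbound.get(pkt)
        return orig.src if orig else None

    def conntrack(self):
        """Lines in the spirit of /proc/net/ip_conntrack, sorted for stable output."""
        return sorted(
            f"proto={o.proto} src={o.src} dst={o.dst} sport={o.sport} "
            f"dport={o.dport} -> {x.src}:{x.sport}"
            for o, x in self.nat.items()
        )


def simulate():
    """Two clients, A and B, each start IKE (UDP/500) and then ESP to one server."""
    gw = MasqGateway("203.0.113.1")
    server = "198.51.100.5"
    clients = {"a": "192.168.1.10", "b": "192.168.1.11"}
    result = {}
    for name, client in clients.items():
        ike = gw.outbound(Flow(client, server, UDP, IKE_PORT, IKE_PORT))
        esp = gw.outbound(Flow(client, server, ESP))
        result[name] = {"ike": ike, "esp": esp}
    # The server's ESP traffic back to the public IP can only reach one host.
    result["esp_reply_owner"] = gw.reply_to(Flow(server, gw.public_ip, ESP))
    result["table"] = gw.conntrack()
    return result


if __name__ == "__main__":
    r = simulate()
    for line in r["table"]:
        print(line)
    print("client B ESP mapping:", r["b"]["esp"])      # None: dropped
    print("ESP replies go to:", r["esp_reply_owner"])   # client A only
```

Both clients get a UDP/500 entry (B's source port is rewritten), but only A gets a protocol-50 entry and all ESP replies from the server are handed to A, which is exactly the ip_conntrack picture Pavlos describes. The later, standard fix for this is IPsec NAT traversal (ESP encapsulated in UDP/4500), which gives the gateway a port to vary; it is outside what this thread discusses.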