IPSecurity Nortel Extranet Switch and Netfilters
Joe Patterson
jpatterson@asgardgroup.com
Fri, 11 Jan 2002 13:52:53 -0500
iptables -A FORWARD -p 50 -j ACCEPT   (to be wide open to all ipsec)
You may have to make some changes to your snat. If you're snat'ing a bunch
of hosts behind one address, you will likely have problems. You'll need to
basically make all protocol 50 (ESP) traffic get nat'd to the one IP of your
internal box with the VPN software on it.
-Joe
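The rule set Joe's reply implies, as an added example that is not code from the post or from the netfilter project: ESP (IP protocol 50) and IKE (UDP 500) are allowed through the FORWARD chain, the LAN is SNAT'd behind the gateway's public address, and because ESP carries no port numbers the gateway cannot tell which internal host an inbound ESP packet belongs to, so all inbound ESP (and inbound IKE) is DNAT'd to the single internal host running the VPN client. The interface name, subnet, host and public address are constructed values; the function only prints the rules, so they can be reviewed before being piped to a shell as root.

```shell
#!/bin/sh
# Added example, not from the list post. Prints the netfilter rules for
# passing one internal IPsec client through a SNAT'd gateway. All four
# arguments are assumptions about the local network:
#   gen_vpn_rules WAN_IF LAN_NET VPN_HOST WAN_IP        (print rules)
#   gen_vpn_rules eth0 192.168.1.0/24 192.168.1.10 203.0.113.5 | sh   (apply, as root)
gen_vpn_rules() {
  wan_if=$1; lan_net=$2; vpn_host=$3; wan_ip=$4
  cat <<EOF
# IKE (UDP 500) and ESP (IP protocol 50) may cross the FORWARD chain
iptables -A FORWARD -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -p udp --sport 500 -j ACCEPT
iptables -A FORWARD -p 50 -j ACCEPT
# Hide the LAN behind the gateway's public address on the way out
iptables -t nat -A POSTROUTING -o $wan_if -s $lan_net -j SNAT --to-source $wan_ip
# ESP has no ports, so returning ESP cannot be matched to a LAN host:
# send every inbound ESP packet to the one host running the VPN client
iptables -t nat -A PREROUTING -i $wan_if -p 50 -j DNAT --to-destination $vpn_host
# Inbound IKE goes to the same host
iptables -t nat -A PREROUTING -i $wan_if -p udp --dport 500 -j DNAT --to-destination $vpn_host
EOF
}
```

The limitation Joe describes is visible in the PREROUTING rules: with protocol 50 DNAT'd to one address, only that host can run an IPsec client through the gateway; a second internal client would need its own public address or a NAT-traversal (UDP-encapsulated) mode on the VPN concentrator.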
-----Original Message-----
From: netfilter-admin@lists.samba.org
[mailto:netfilter-admin@lists.samba.org]On Behalf Of
Michel.Chamberland@JTAX.com
Sent: Friday, January 11, 2002 1:15 PM
To: netfilter@lists.samba.org
Subject: IPSecurity Nortel Extranet Switch and Netfilters
Greetings everyone, I was wondering if anyone has got the Nortel VPN
client extranet to work through netfilter and if so what rules had to be
put in place.
I do SNAT to get out of the network and allow all TCP traffic on the
interface. I also forward all 499-501 UDP packets inside the network, with no
success. The error I get on the Windows machine running the client tells me
that my firewall is probably blocking IPSecurity packets. Once I get that going
hopefully I can get FreeS/WAN to work, but that's another story...
Even if I only have 3 hours of experience with Netfilter I really do love
it. I finally can hit the servers behind our firewall using the external
(internet IP address) while still getting internet IP addresses in our log.
Thanks to the netfilter team!
Any help would be appreciated,
Thanks
Michel Chamberland
Jackson Hewitt
Programmer Analyst
Electronic Filing
ps: please email my address as I am not on the users list, thanks!
The sender believes that this E-mail and any attachments were free of any
virus, worm, Trojan horse, and/or malicious code when sent. This message
and its attachments could have been infected during transmission. By
reading the message and opening any attachments, the recipient accepts full
responsibility for taking protective and remedial action about viruses and
other defects. Jackson Hewitt is not liable for any loss or damage arising
in any way from this message or its attachments.