ESP Forwarding

Forums Network Management Networking ESP Forwarding

  • This topic is empty.
Viewing 6 posts - 1 through 6 (of 6 total)
  • Author
    Posts
  • November 26, 2011 at 1:43 pm #43203
    hugoboss
    Member

    hi

    im using a cisco eazyvpn server behind my zeroshell. i have to forward udp 500 and 4500, so thats no problem. but i have to forward esp 50 as well to the cisco. can anybody tell me how to to that?

    reagrds

    November 26, 2011 at 7:49 pm #52085
    redfive
    Participant

    you could try something like 


    
iptables -t nat  -I PREROUTING -i ETHxx  -p 50  -s 0.0.0.0    -j DNAT --to 10.10.0.1

    I assumed that your ezvpn “wan” side ip address is 10.10.0.1 and ETHxx the ZS’s wan side ( may be is a pppx) . Not tryed , so…
    cheers
    jonatha
    P.S.
    Otherwise , you could even turn your ezvpn server from udp/ipsec to tcp/ipsec , enabling the cTCP (default port 10000 tcp)

    November 27, 2011 at 9:06 am #52086
    hugoboss
    Member

    thx for your reply,

    the “wan” of ezvpn is 192.168.0.250, my zs has 2 public ip´s on eth0
    cant use ctcp, because is not supported by apple ios 🙁

    try´d you example, but won´t work

    root@zeroshell root> iptables -t nat -L
    
Chain PREROUTING (policy ACCEPT)
    
target     prot opt source               destination
    
DNAT       esp  --  anywhere             anywhere            to:192.168.0.250
    
DNAT       udp  --  anywhere             195.xxx.xxx.xxx      udp dpt:isakmp to:192.168.0.250:500
    
DNAT       udp  --  anywhere             195.xxx.xxx.xxx      udp dpt:ipsec-msft to:192.168.0.250:4500

    any other idea´s?

    November 27, 2011 at 9:50 am #52087
    redfive
    Participant

    
iptables -t nat  -I PREROUTING -i ETH00  -p 50 -s 0.0.0.0 -d 195.xxx.xxx.xxx -j DNAT --to 192.168.0.250

    In the forward chain , is permitted the esp ? when you attempt to connect the ezvpn server , what ZS logs say ??

    November 27, 2011 at 10:56 am #52088
    hugoboss
    Member

    Forward Chain

    Chain FORWARD (policy ACCEPT)
    
target     prot opt source               destination
    
ACCEPT     tcp  --  192.168.0.2          anywhere            tcp dpt:smtp
    
DROP       tcp  --  192.168.0.0/24       anywhere            tcp dpt:smtp
    
ACCEPT     esp  --  anywhere             anywhere

    changed the iptable to

    Chain PREROUTING (policy ACCEPT)
    
target     prot opt source               destination
    
DNAT       esp  --  anywhere             195.xxx.xxx.xxx      to:192.168.0.250
    
DNAT       udp  --  anywhere             195.xxx.xxx.xxx      udp dpt:isakmp to:192.168.0.250:500
    
DNAT       udp  --  anywhere             195.xxx.xxx.xxx      udp dpt:ipsec-msft to:192.168.0.250:4500

    conntrack

    11:51:30 	 [NEW] udp 17 30 src=93.xxx.xxx.xxx dst=195.xxx.xxx.xxx sport=500 dport=500 [UNREPLIED] src=192.168.0.250 dst=93.xxx.xxx.xxx sport=500 dport=500
    
11:52:08 	[DESTROY] udp 17 src=93.xxx.xxx.xxx dst=195.xxx.xxx.xxx sport=500 dport=500 packets=4 bytes=3068 src=192.168.0.250 dst=93.xxx.xxx.xxx sport=500 dport=500 packets=0 bytes=0
    November 27, 2011 at 7:47 pm #52089
    hugoboss
    Member

    problem solved. the ezvpn works now perfect!
    forgot to set the default gateway on my cisco 878 *lol*

    thx for your help!

  • Author
    Posts
Viewing 6 posts - 1 through 6 (of 6 total)
  • You must be logged in to reply to this topic.