ESP Forwarding
November 26, 2011 at 1:43 pm #43203
hugoboss
Member

Hi,
I'm using a Cisco EasyVPN server behind my Zeroshell. I have to forward UDP 500 and 4500, so that's no problem, but I have to forward ESP (protocol 50) to the Cisco as well. Can anybody tell me how to do that?
Regards
November 26, 2011 at 7:49 pm #52085
redfive
Participant

You could try something like

iptables -t nat -I PREROUTING -i ETHxx -p 50 -s 0.0.0.0 -j DNAT --to 10.10.0.1

I assumed that your ezvpn "wan" side IP address is 10.10.0.1 and ETHxx is the ZS's WAN side (may be a pppx). Not tried, so...
cheers
jonatha

P.S.
Otherwise, you could even turn your ezvpn server from udp/ipsec to tcp/ipsec, enabling cTCP (default port 10000 tcp).

November 27, 2011 at 9:06 am #52086
hugoboss
Member

Thanks for your reply.
The "wan" of ezvpn is 192.168.0.250; my ZS has 2 public IPs on eth0.
Can't use cTCP, because it is not supported by Apple iOS 🙁
Tried your example, but it won't work:
root@zeroshell root> iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT esp -- anywhere anywhere to:192.168.0.250
DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:isakmp to:192.168.0.250:500
DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:ipsec-msft to:192.168.0.250:4500
Any other ideas?

November 27, 2011 at 9:50 am #52087
redfive
Participant

iptables -t nat -I PREROUTING -i ETH00 -p 50 -s 0.0.0.0 -d 195.xxx.xxx.xxx -j DNAT --to 192.168.0.250

In the FORWARD chain, is ESP permitted? When you attempt to connect to the ezvpn server, what do the ZS logs say?

November 27, 2011 at 10:56 am #52088
hugoboss
Member

Forward chain:
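The two replies above amount to a small procedure: DNAT IKE (UDP/500), NAT-T (UDP/4500) and ESP (IP protocol 50, which has no ports) to the inside VPN endpoint, make sure the FORWARD chain admits that traffic, and then read the conntrack output to see whether the inside host answers. The script below, added here as an example and not code from the thread or from Zeroshell, generates those rules and checks conntrack lines for the "[UNREPLIED]" symptom. The interface name ETH00, the public address 198.51.100.10 (a documentation address standing in for the poster's 195.xxx.xxx.xxx), the inside address 192.168.0.250 and the sample conntrack lines are all assumptions constructed for the example. It prints the rules by default; APPLY=1 pipes them into sh.

```shell
#!/bin/sh
# Added example (not from the thread): pass an IPsec/IKE endpoint behind a
# Linux NAT box through to an inside host, and diagnose "no reply" flows.
# Assumed values (not from the page): WAN interface ETH00, public address
# 198.51.100.10, inside VPN endpoint 192.168.0.250.

# Emit the iptables commands for forwarding IKE, NAT-T and ESP to $3.
# Usage: ipsec_forward_rules WAN_IF PUBLIC_IP INSIDE_IP
ipsec_forward_rules() {
    wan_if=$1; pub_ip=$2; inside=$3
    # IKE (UDP/500) and NAT-T (UDP/4500): ordinary port DNAT.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p udp -d $pub_ip --dport 500 -j DNAT --to-destination $inside:500"
    echo "iptables -t nat -A PREROUTING -i $wan_if -p udp -d $pub_ip --dport 4500 -j DNAT --to-destination $inside:4500"
    # ESP (IP protocol 50) has no ports: match on protocol and public address only,
    # so only one inside host can own ESP for a given public address.
    echo "iptables -t nat -A PREROUTING -i $wan_if -p esp -d $pub_ip -j DNAT --to-destination $inside"
    # DNAT alone is not enough: the FORWARD chain must also accept the translated
    # packets (a FORWARD policy of DROP silently eats them).
    echo "iptables -A FORWARD -i $wan_if -d $inside -p udp -m multiport --dports 500,4500 -j ACCEPT"
    echo "iptables -A FORWARD -i $wan_if -d $inside -p esp -j ACCEPT"
    # Return path: ESP the inside endpoint sends out, plus tracked replies.
    echo "iptables -A FORWARD -s $inside -o $wan_if -p esp -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Constructed sample conntrack events in the same format as the thread's output.
# The first flow was DNATed but the inside host never answered; the second is healthy.
SAMPLE_CONNTRACK='[NEW] udp 17 30 src=203.0.113.7 dst=198.51.100.10 sport=500 dport=500 [UNREPLIED] src=192.168.0.250 dst=203.0.113.7 sport=500 dport=500
[UPDATE] udp 17 30 src=203.0.113.7 dst=198.51.100.10 sport=4500 dport=4500 src=192.168.0.250 dst=203.0.113.7 sport=4500 dport=4500 [ASSURED]'

# Read conntrack events on stdin; report IKE/NAT-T flows the inside host never
# replied to. Returns 1 if any such flow was seen, 0 otherwise.
check_conntrack() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *"dport=500 "*"[UNREPLIED]"*|*"dport=4500 "*"[UNREPLIED]"*)
                # The reply tuple after [UNREPLIED] names the host that should have answered.
                inside=$(printf '%s\n' "$line" | sed -n 's/.*UNREPLIED\] src=\([0-9.]*\).*/\1/p')
                echo "no reply from $inside: IKE reached the VPN host but it did not answer (check its default route and the FORWARD chain)"
                bad=1 ;;
        esac
    done
    return $bad
}

# Demo run with the assumed values.
if [ "${APPLY:-0}" = 1 ]; then
    ipsec_forward_rules ETH00 198.51.100.10 192.168.0.250 | sh
else
    ipsec_forward_rules ETH00 198.51.100.10 192.168.0.250
fi
printf '%s\n' "$SAMPLE_CONNTRACK" | check_conntrack || echo "conntrack shows an unanswered IKE flow"
```

In practice, run the real `conntrack -E` output through `check_conntrack` while a client attempts to connect. Two caveats worth keeping in mind: because ESP has no ports, the ESP DNAT can serve exactly one inside endpoint per public address, and peers that detect the NAT during IKE usually switch to UDP/4500 encapsulation anyway, so the ESP rule only matters for peers that end up negotiating plain ESP.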
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 192.168.0.2 anywhere tcp dpt:smtp
DROP tcp -- 192.168.0.0/24 anywhere tcp dpt:smtp
ACCEPT esp -- anywhere anywhere
Changed the iptables to:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT esp -- anywhere 195.xxx.xxx.xxx to:192.168.0.250
DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:isakmp to:192.168.0.250:500
DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:ipsec-msft to:192.168.0.250:4500
conntrack:
11:51:30 [NEW] udp 17 30 src=93.xxx.xxx.xxx dst=195.xxx.xxx.xxx sport=500 dport=500 [UNREPLIED] src=192.168.0.250 dst=93.xxx.xxx.xxx sport=500 dport=500
11:52:08 [DESTROY] udp 17 src=93.xxx.xxx.xxx dst=195.xxx.xxx.xxx sport=500 dport=500 packets=4 bytes=3068 src=192.168.0.250 dst=93.xxx.xxx.xxx sport=500 dport=500 packets=0 bytes=0

November 27, 2011 at 7:47 pm #52089
hugoboss
Member

Problem solved. The ezvpn works perfectly now!
Forgot to set the default gateway on my Cisco 878 *lol* Thanks for your help!