[Shorewall-users] IPSEC VPN clients on local network

Tom Eastep teastep at shorewall.net
Wed Sep 1 15:59:00 PDT 2004

On Wednesday 01 September 2004 14:55, Stefan Nilsen wrote:
> > | Is the above at all possible without any special hacking in the
> > | fw-1 firewall, or is the masquerading that is done on fw-1 making
> > | it impossible to establish VPN tunnels through the fw-1 firewall?
> > |
> > | Any pointers in the right direction are wanted, also RTFM answers to
> > | what manual I should read :-)
> >
> > You might take a look at http://shorewall.net/VPN.htm. The other
> > thing is that the ipsec client must not be using AH (Authentication
> > Headers -- Protocol 51); that protocol does not work through NAT
> > while ESP (Protocol 50) does.
> I have looked at that documentation page but it does not handle DHCP
> assigned addresses.

You could always configure your DHCP server to assign the Roadwarrior a fixed 

> ESP is used, no AH, and I believe I have now found out what happens. The
> response from the remote VPN server is too large to fit in one packet,
> and is fragmented. fw-1 does not seem to forward that response back to
> the VPN client.

Is this the ESP packets or the ISAKMP packets?

> I have tried to set CLAMPMSS=Yes and to set the mtu size on inside and
> outside interfaces on fw-1 to 1300, without any success.

CLAMPMSS only affects TCP -- you are using UDP and ESP.

> Is there something else I might do?

Not that I can think of.

> I also have other VPN tunnels terminated on the fw-1, but can that be a
> problem for the masqueraded VPN connection...?

Not unless your tunnels have the same remote gateway.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
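As an added example (not part of this thread and not Shorewall code), a small Python classifier for the three points Tom makes above: AH versus ESP through NAT, fragmentation of ISAKMP or ESP replies, and CLAMPMSS only touching TCP. Protocol numbers and the ISAKMP port are standard values; the sample packets and the 192.168.1.10 / 203.0.113.5 addresses are constructed.

```python
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
ISAKMP_PORT = 500  # IKE negotiation runs over UDP/500 before any ESP flows

def build_ipv4(proto: int, payload: bytes, more_frags: bool = False,
               frag_offset: int = 0) -> bytes:
    """Build a minimal IPv4 packet (constructed test data; checksum left zero)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0, bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    return hdr + payload

def assess(pkt: bytes) -> dict:
    """Classify a packet as a masquerading firewall sees it: fragment or not,
    whether its protocol survives NAT, and whether CLAMPMSS could touch it."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    frag_offset = flags_frag & 0x1FFF
    r = {
        "proto": proto,
        "fragmented": bool(flags_frag & 0x2000) or frag_offset != 0,
        "nat_friendly": proto != PROTO_AH,       # AH (51) authenticates the IP header NAT rewrites
        "clampmss_applies": proto == PROTO_TCP,  # MSS is a TCP option; UDP and ESP have none
        "isakmp": False,
    }
    # Only the first fragment carries the UDP header, so ports are visible only there.
    if proto == PROTO_UDP and frag_offset == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        r["isakmp"] = ISAKMP_PORT in (sport, dport)
    return r

def explain(pkt: bytes) -> str:
    """One-line diagnosis in the terms used in the thread."""
    r = assess(pkt)
    if not r["nat_friendly"]:
        return "AH (protocol 51) does not work through NAT; the client must use ESP"
    if r["fragmented"]:
        kind = "ISAKMP" if r["isakmp"] else ("ESP" if r["proto"] == PROTO_ESP else "IP")
        return f"fragmented {kind} packet: CLAMPMSS cannot help, check fragment forwarding"
    if r["clampmss_applies"]:
        return "TCP: CLAMPMSS applies"
    return "unfragmented non-TCP packet: NAT-friendly, CLAMPMSS irrelevant"

if __name__ == "__main__":
    ike_first_frag = build_ipv4(PROTO_UDP, b"\x01\xf4\x01\xf4" + b"\x00" * 4, more_frags=True)
    for p in (build_ipv4(PROTO_AH, b"\x00" * 16), ike_first_frag, build_ipv4(PROTO_ESP, b"\x00" * 8)):
        print(explain(p))
```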