[Shorewall-users] IPSEC VPN clients on local network
teastep at shorewall.net
Wed Sep 1 15:59:00 PDT 2004
On Wednesday 01 September 2004 14:55, Stefan Nilsen wrote:
> > | Is the above at all possible without any special hacking in the
> > | fw-1 firewall, or is the masquerading that is done on fw-1 making
> > | it impossible to establish VPN tunnels thru the fw-1 firewall?
> > |
> > | Any pointers in the right direction are wanted, also RTFM answers to
> > | what manual I should read :-)
> > You might take a look at http://shorewall.net/VPN.htm. The other
> > thing is that the ipsec client must not be using AH (Authentication
> > Headers -- Protocol 51); that protocol does not work through NAT
> > while ESP (Protocol 50) does.
> I have looked at that documentation page but it does not handle DHCP
> assigned addresses.
You could always configure your DHCP server to assign the Roadwarrior a fixed
> ESP is used, no AH, and I believe I have now found out what happens. The
> response from the remote VPN server is too large to fit in one packet,
> and is fragmented. fw-1 does not seem to forward that response back to
> the VPN client.
Is this the ESP packets or the ISAKMP packets?
> I have tried to set CLAMPMSS=Yes and to set the mtu size on inside and
> outside interfaces on fw-1 to 1300, without any success.
CLAMPMSS only affects TCP -- you are using UDP and ESP.
> Is there something else I might do?
Not that I can think of.
> I also have other VPN tunnels terminated on the fw-1, but can that be a
> problem for the masqueraded VPN connection...?
Not unless your tunnels have the same remote gateway.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
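The distinction Tom draws above (AH, protocol 51, does not survive NAT; ESP, protocol 50, does) follows from what each protocol's integrity check covers. The following is an added example, not code from the post or from Shorewall: it builds constructed AH and ESP packets, computes their ICVs with HMAC-SHA-256-128 (the truncation of RFC 4868, an assumption; the post names no algorithm), pushes them through a simulated masquerading router that rewrites the source address and decrements TTL, and checks which ICVs still verify. The IP header checksum is left at zero and the ESP payload is an opaque byte string standing in for ciphertext, since neither affects the point being shown.

```python
"""Why AH (IP protocol 51) breaks behind a masquerading firewall while ESP
(IP protocol 50) survives. Added example; assumes HMAC-SHA-256-128 as the
integrity algorithm and uses constructed packets throughout."""
import hashlib
import hmac
import ipaddress
import struct

ICV_LEN = 16          # HMAC-SHA-256-128 truncates the MAC to 16 bytes (RFC 4868)
PROTO_ESP, PROTO_AH, PROTO_UDP = 50, 51, 17


def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0, ident=0, flags_frag=0):
    """20-byte IPv4 header; header checksum is left at 0 (irrelevant here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                       ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def ah_zero_mutable(ip_hdr):
    """RFC 4302 Appendix A: AH's ICV covers the IP header with the fields a
    router may legitimately change zeroed (TOS/DSCP, flags+frag offset, TTL,
    checksum). Source and destination addresses are NOT mutable, so they are
    authenticated, and that is exactly what NAT rewrites."""
    h = bytearray(ip_hdr)
    h[1] = 0                 # TOS / DSCP+ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_icv(key, ip_hdr, ah_fixed, payload):
    data = ah_zero_mutable(ip_hdr) + ah_fixed + b"\x00" * ICV_LEN + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def build_ah(key, src, dst, spi, seq, payload):
    # AH payload length field = AH length in 32-bit words minus 2
    ah_fixed = struct.pack("!BBHII", PROTO_UDP, (12 + ICV_LEN) // 4 - 2, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_AH, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_fixed + ah_icv(key, ip_hdr, ah_fixed, payload) + payload


def verify_ah(key, pkt):
    ip_hdr, ah_fixed = pkt[:20], pkt[20:32]
    icv, payload = pkt[32:32 + ICV_LEN], pkt[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(key, ip_hdr, ah_fixed, payload))


def esp_icv(key, esp_hdr, ciphertext):
    """RFC 4303: ESP's ICV covers only the ESP header and the (encrypted)
    payload. The outer IP header is not covered at all."""
    return hmac.new(key, esp_hdr + ciphertext, hashlib.sha256).digest()[:ICV_LEN]


def build_esp(key, src, dst, spi, seq, ciphertext):
    esp_hdr = struct.pack("!II", spi, seq)
    ip_hdr = ipv4_header(src, dst, PROTO_ESP, 20 + 8 + len(ciphertext) + ICV_LEN)
    return ip_hdr + esp_hdr + ciphertext + esp_icv(key, esp_hdr, ciphertext)


def verify_esp(key, pkt):
    esp_hdr, ciphertext, icv = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(key, esp_hdr, ciphertext))


def forward(pkt, new_src=None):
    """Simulated router hop: decrement TTL; if new_src is given, also SNAT
    (masquerade) the source address, as fw-1 does for the inside client."""
    h = bytearray(pkt[:20])
    h[8] -= 1
    if new_src is not None:
        h[12:16] = ipaddress.IPv4Address(new_src).packed
    return bytes(h) + pkt[20:]


def demo():
    key = b"constructed-sa-key-not-a-real-secret"
    client, fw_public, gateway = "192.168.1.50", "203.0.113.7", "198.51.100.9"
    payload = b"ISAKMP-or-UDP-payload-stand-in"        # constructed data
    ah = build_ah(key, client, gateway, spi=0x1001, seq=1, payload=payload)
    esp = build_esp(key, client, gateway, spi=0x1002, seq=1, ciphertext=payload)
    return {
        "ah_plain_hop": verify_ah(key, forward(ah)),             # TTL only: fine
        "ah_masqueraded": verify_ah(key, forward(ah, fw_public)),  # SNAT: ICV fails
        "esp_plain_hop": verify_esp(key, forward(esp)),
        "esp_masqueraded": verify_esp(key, forward(esp, fw_public)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} {'verifies' if ok else 'ICV FAILS'}")
```

The first AH case shows that an ordinary router hop (TTL decrement) is harmless because TTL is a mutable field and excluded from the ICV; the second shows that rewriting the source address, which is immutable and therefore authenticated, makes the remote gateway reject the packet. ESP never includes the outer header in its ICV, so the same masquerade leaves it intact, which is why Tom's advice is to make sure the client is using ESP rather than AH.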