[Gllug] iptables & cisco vpn

Alain Williams addw at phcomp.co.uk
Tue Jun 29 13:27:23 UTC 2010

  Internet --> Linux box --> Internal network

Internet side
  IP address (I'm lying)

Internal side
  IP address

What is wanted is that a visitor has a laptop that he wants to connect to his home; the laptop is
effectively an internal PC (IP At home he has a Cisco router that implements
(I think) an IPsec VPN. I want to allow this through the Linux box.

The linux box is running CentOS 5.5.

I can see the PC making connections home on port isakmp (500).

I don't know anything about an IPsec VPN. What should I be adding?

I have modified/added to the firewall setup:

iptables -A INPUT -p udp --dport isakmp         -j ACCEPT    # Needed for Cisco VPN (IKE, udp/500)
iptables -A INPUT -p udp --sport isakmp         -j ACCEPT    # Needed for Cisco VPN
iptables -A INPUT -p udp --dport ipsec-nat-t    -j ACCEPT    # Needed for Cisco VPN (NAT-T, udp/4500)

# allow ipsec traffic:
iptables -A INPUT -p esp                              -j ACCEPT # allow IPSEC

# SNAT stuff that we forward going out, but not stuff which may be
# for a cisco VPN (we should not have the addresses anyway):
iptables -t nat -A POSTROUTING -d      -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source


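The rules in the post sit on the INPUT chain, which only governs packets addressed to the Linux box itself; the laptop's packets are forwarded, so the FORWARD chain and the POSTROUTING SNAT rule decide whether the VPN gets through. The script below is an added example (not from the original post) of a stateful IPsec pass-through for a SNAT gateway; the interface names, LAN range and public address are assumed placeholders, and IPT="echo iptables" gives a dry run without touching the firewall.

```shell
#!/bin/sh
# Added example: let an internal IPsec client reach a remote IKE/ESP peer
# through a Linux SNAT gateway. All names/addresses below are assumptions.
WAN_IF="${WAN_IF:-eth0}"              # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"              # assumed internal interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # constructed internal network
WAN_IP="${WAN_IP:-203.0.113.10}"      # constructed public address (TEST-NET-3)
IPT="${IPT:-iptables}"                # set IPT="echo iptables" for a dry run

ipsec_passthrough_rules() {
    # Replies to anything already tracked: IKE and NAT-T answers, and ESP
    # return packets once the outbound ESP flow has been seen by conntrack.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # IKE (isakmp, udp/500) from LAN hosts to any peer. The reply is matched
    # by the state rule above, so no separate --sport rule is needed.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 500 -j ACCEPT
    # NAT-T (udp/4500): ESP wrapped in UDP, which is the form that survives
    # address translation cleanly because UDP ports give conntrack a flow key.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p udp --dport 4500 -j ACCEPT
    # Raw ESP (IP protocol 50) for peers that do not negotiate NAT-T. ESP has
    # no ports, so only one LAN host per remote peer can be SNATed this way.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -p esp -j ACCEPT
    # Everything leaving via the WAN side, the VPN traffic included, must be
    # SNATed to the public address or the remote peer cannot route a reply.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j SNAT --to-source "$WAN_IP"
}

# Print the rules instead of loading them (subshell keeps IPT override local).
dry_run() { ( IPT="echo iptables"; ipsec_passthrough_rules ); }

# Number of iptables invocations the rule set would make.
rule_count() { dry_run | grep -c '^iptables '; }
```

Run it as root with the real interface names to load the rules, or call dry_run to review them first.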