ESP Forwarding


This topic contains 4 replies, has 0 voices, and was last updated by hugoboss 7 years, 5 months ago.

  • #43203

    hugoboss
    Member

    Hi,

    I'm using a Cisco EasyVPN server behind my Zeroshell. I have to forward UDP 500 and 4500, so that's no problem, but I have to forward ESP (protocol 50) to the Cisco as well. Can anybody tell me how to do that?

    Regards

    #52085

    redfive
    Participant

    You could try something like

    iptables -t nat -I PREROUTING -i ETHxx -p 50 -s 0.0.0.0/0 -j DNAT --to 10.10.0.1

    I assumed that your EzVPN "WAN" side IP address is 10.10.0.1 and that ETHxx is the ZS's WAN side (it may be a pppx). Not tried, so...
    Cheers
    jonatha
    P.S.
    Otherwise, you could even switch your EzVPN server from UDP/IPsec to TCP/IPsec by enabling cTCP (default port 10000 TCP).

    #52086

    hugoboss
    Member

    Thanks for your reply.

    The "WAN" of the EzVPN is 192.168.0.250; my ZS has 2 public IPs on eth0.
    I can't use cTCP, because it is not supported by Apple iOS 🙁

    I tried your example, but it won't work:

    root@zeroshell root> iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT esp -- anywhere anywhere to:192.168.0.250
    DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:isakmp to:192.168.0.250:500
    DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:ipsec-msft to:192.168.0.250:4500


    Any other ideas?

    #52087

    redfive
    Participant

    iptables -t nat -I PREROUTING -i ETH00 -p 50 -s 0.0.0.0/0 -d 195.xxx.xxx.xxx -j DNAT --to 192.168.0.250

    Is ESP permitted in the FORWARD chain? When you attempt to connect to the EzVPN server, what do the ZS logs say?

    #52088

    hugoboss
    Member

    FORWARD chain:

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    ACCEPT tcp -- 192.168.0.2 anywhere tcp dpt:smtp
    DROP tcp -- 192.168.0.0/24 anywhere tcp dpt:smtp
    ACCEPT esp -- anywhere anywhere

    I changed the iptables rule to:

    Chain PREROUTING (policy ACCEPT)
    target prot opt source destination
    DNAT esp -- anywhere 195.xxx.xxx.xxx to:192.168.0.250
    DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:isakmp to:192.168.0.250:500
    DNAT udp -- anywhere 195.xxx.xxx.xxx udp dpt:ipsec-msft to:192.168.0.250:4500

    conntrack:

    11:51:30 [NEW] udp 17 30 src=93.xxx.xxx.xxx dst=195.xxx.xxx.xxx sport=500 dport=500 [UNREPLIED] src=192.168.0.250 dst=93.xxx.xxx.xxx sport=500 dport=500
    11:52:08 [DESTROY] udp 17 src=93.xxx.xxx.xxx dst=195.xxx.xxx.xxx sport=500 dport=500 packets=4 bytes=3068 src=192.168.0.250 dst=93.xxx.xxx.xxx sport=500 dport=500 packets=0 bytes=0
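The conntrack output in the post above already contains the diagnosis: the UDP 500 flow reaches the DNAT target (packets=4 in the original direction) but the reply direction stays at packets=0, so the inner server is receiving traffic and never answering. The script below is an added example, not code from this thread or from Zeroshell. It parses conntrack event lines of the shape quoted above and flags every flow where the DNAT target received packets but sent none back, which is the signature of a missing or wrong default gateway on the inner host, or of a FORWARD rule that blocks the return direction. The sample lines are constructed (documentation addresses, not the poster's), and the way the ESP entry is rendered as `unknown 50` is an assumption about conntrack's output for a portless protocol.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the Zeroshell conntrack lines quoted in this thread.
# Addresses are RFC 5737 documentation ranges, not the poster's; the ESP entry's
# "unknown 50" rendering is an assumption about how conntrack prints a portless protocol.
SAMPLE_CONNTRACK = """\
11:51:30 [NEW] udp 17 30 src=198.51.100.7 dst=203.0.113.10 sport=500 dport=500 [UNREPLIED] src=192.168.0.250 dst=198.51.100.7 sport=500 dport=500
11:52:08 [DESTROY] udp 17 src=198.51.100.7 dst=203.0.113.10 sport=500 dport=500 packets=4 bytes=3068 src=192.168.0.250 dst=198.51.100.7 sport=500 dport=500 packets=0 bytes=0
11:53:01 [NEW] udp 17 30 src=198.51.100.7 dst=203.0.113.10 sport=4500 dport=4500 [UNREPLIED] src=192.168.0.250 dst=198.51.100.7 sport=4500 dport=4500
11:55:10 [DESTROY] udp 17 src=198.51.100.7 dst=203.0.113.10 sport=4500 dport=4500 packets=9 bytes=2212 src=192.168.0.250 dst=198.51.100.7 sport=4500 dport=4500 packets=8 bytes=1900
11:56:00 [DESTROY] unknown 50 src=198.51.100.7 dst=203.0.113.10 packets=12 bytes=1560 src=192.168.0.250 dst=198.51.100.7 packets=0 bytes=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
EVENT_RE = re.compile(r"\[(NEW|UPDATE|DESTROY)\]")


@dataclass
class Flow:
    time: str
    event: str
    proto_num: int
    orig_src: str
    orig_dst: str
    orig_dport: Optional[int]     # None for portless protocols such as ESP
    reply_src: str                # after DNAT this is the internal target host
    orig_packets: Optional[int]   # counters are only present on DESTROY events
    reply_packets: Optional[int]
    unreplied: bool


def parse_line(line: str) -> Optional[Flow]:
    """Split one conntrack event line into its original and reply tuples."""
    m = EVENT_RE.search(line)
    if m is None:
        return None
    tokens = line[m.end():].split()          # e.g. ["udp", "17", "30", "src=...", ...]
    if len(tokens) < 2 or not tokens[1].isdigit():
        return None
    # The original tuple starts at the first "src=", the reply tuple at the second.
    first = line.find("src=")
    second = line.find("src=", first + 1) if first >= 0 else -1
    if second < 0:
        return None
    orig = dict(KV_RE.findall(line[first:second]))
    reply = dict(KV_RE.findall(line[second:]))
    return Flow(
        time=line.split()[0],
        event=m.group(1),
        proto_num=int(tokens[1]),
        orig_src=orig.get("src", ""),
        orig_dst=orig.get("dst", ""),
        orig_dport=int(orig["dport"]) if "dport" in orig else None,
        reply_src=reply.get("src", ""),
        orig_packets=int(orig["packets"]) if "packets" in orig else None,
        reply_packets=int(reply["packets"]) if "packets" in reply else None,
        unreplied="[UNREPLIED]" in line,
    )


def one_way_flows(text: str) -> List[Flow]:
    """DESTROY events where the DNAT target received packets but sent none back."""
    return [
        f for f in map(parse_line, text.splitlines())
        if f is not None
        and f.event == "DESTROY"
        and (f.orig_packets or 0) > 0
        and f.reply_packets == 0
    ]


def silent_targets(text: str) -> Dict[str, List[Tuple[int, Optional[int]]]]:
    """Group one-way flows by internal target: {target: [(proto_num, dport), ...]}."""
    out: Dict[str, List[Tuple[int, Optional[int]]]] = {}
    for f in one_way_flows(text):
        key = (f.proto_num, f.orig_dport)
        if key not in out.setdefault(f.reply_src, []):
            out[f.reply_src].append(key)
    return out


if __name__ == "__main__":
    for target, services in silent_targets(SAMPLE_CONNTRACK).items():
        desc = ", ".join(f"proto {p}" + (f"/{d}" if d is not None else "") for p, d in services)
        print(f"{target} received {desc} but never replied: check its default gateway "
              f"and the FORWARD chain for the return direction")
```

Run against a live box with `conntrack -E | python3 thisscript.py`-style piping replaced by reading stdin if you adapt it; as written it only evaluates the embedded sample. A flow that is one-way on UDP 500 alone can still be a policy mismatch on the VPN server, but one-way on both UDP 500 and ESP, as in the sample, points at routing on the inner host rather than at the NAT rules, which is exactly how this thread was resolved.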

    #52089

    hugoboss
    Member

    Problem solved. The EzVPN now works perfectly!
    I forgot to set the default gateway on my Cisco 878 *lol*

    Thanks for your help!
