Originally Posted by Nigel_Tufnel
# Firewall configuration written by Cisco Systems
# Designed for the Linux VPN Client 4.8.00.0490 Virtual Adapter
# Blocks ALL traffic on eth0 except for tunneled traffic
# (This is iptables-restore syntax: the *filter table header and the closing
# COMMIT are required for "iptables-restore < file" to accept it.)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all traffic in both directions through the VA adapter
-A INPUT -i cipsec0 -j ACCEPT
-A OUTPUT -o cipsec0 -j ACCEPT
# Accept all encrypted VPN Client traffic in either direction on eth0
# (IKE on UDP 500, NAT-T on UDP 4500, plus the concentrator's UDP 29747)
-A INPUT -i eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 500 -d 0/0 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 4500 -d 0/0 --dport 4500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -s 0/0 --sport 1024: -d 0/0 --dport 29747 -j ACCEPT
# Block all other traffic in either direction on eth0
-A INPUT -i eth0 -j REJECT
-A OUTPUT -o eth0 -j REJECT
COMMIT
It's not clear where this should go. Anyone have some tips?
I'll follow up with unix guys at work to see if they're running iptables or something comparable. Anyone else run into this?
Thanks in advance.
This is an iptables firewall ruleset which blocks all traffic on an interface (in this case eth0), except IPsec and the VPN concentrator ports.
You don't need to do anything with the firewall to connect to the VPN concentrator in Linux; you just need the right drivers compiled into the kernel and a program called vpnc.
Download, compile and install the VPN client. After the install a directory should have been created: /etc/vpnc
Browse this directory and look for a file, default.conf. If it doesn't exist, create it with the following lines:
IPSec gateway <ip addr>
IPSec ID <username>
IPSec secret <password>
Xauth username <username>
Xauth password <password>
(IPSec gateway is the hostname; IPSec ID and IPSec secret are the IPsec group auth name and password; Xauth username and Xauth password are the IPsec user auth name and password.)
The Xauth username and password are the ones you are presented with when you double-click the Connection Entry in the Win/Mac client.
You may not have the IPsec secret password for the VPN, but this doesn't matter, as you can use a program to instantly decrypt the hash stored in Windows.
Browse your VPN Client directory in Windows, i.e - C:\Program Files\Cisco Systems\VPN Client\Profiles
Use WinSCP or another means to send the .pcf files to your Linux system, and put them in the /etc/vpnc/
directory. Edit the file and look for the line which begins "enc_GroupPwd" followed by the hash. This hash is what you will need to get the IPsec secret needed for the .conf file you created.
Run the hash through a decrypter (you should be able to find one on Google); if not, you could e-mail me just the hash. It will present you with a password you can use as the IPsec secret.
Finish the default.conf file and at your shell type vpnc. This will parse the /etc/vpnc directory, find the default.conf and automatically try to create the VPN with the credentials in the default.conf.
If all works it should create the VPN and the PID should be running in the background. You can then type ip route to check the routes, or ifconfig.
If there are problems with creating the VPN, you may have to recompile your kernel. Hope that helps.
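The .pcf-to-default.conf procedure described in the reply above, as an added example that is not part of the original thread: it pulls Host, GroupName, enc_GroupPwd and Username out of a profile, undoes the enc_GroupPwd obfuscation the same way the cisco-decrypt.c tool shipped with vpnc does (20-byte seed, SHA1 over the ciphertext, a 3DES-CBC key derived from the seed with its last byte incremented), and renders the vpnc configuration. The profile contents, hostname, group name and group secret are all constructed for this example; 3DES is not in the Python standard library, so the block uses whichever of python-cryptography or PyCryptodome is installed.

```python
# Added example (not from the original post): recover the IPsec group secret
# from a Cisco VPN Client .pcf profile and emit a vpnc default.conf.
# enc_GroupPwd layout, as implemented by cisco-decrypt.c in vpnc:
#   hex( seed[20] || SHA1(ct)[20] || ct )
#   key = SHA1(seed, last byte + 1) || SHA1(seed, last byte + 3)[:4]   (24-byte 3DES key)
#   iv  = seed[:8]
#   ct  = 3DES-CBC(key, iv, PKCS#7-padded secret)
import hashlib
import os
import re

BLOCK = 8  # DES block size


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def derive_key(seed: bytes) -> bytes:
    """24-byte 3DES key from the 20-byte seed at the front of the blob."""
    if len(seed) != 20:
        raise ValueError("seed must be 20 bytes")
    s = bytearray(seed)
    s[19] = (s[19] + 1) & 0xFF   # h4[19]++ in cisco-decrypt.c
    h2 = sha1(bytes(s))
    s[19] = (s[19] + 2) & 0xFF   # h4[19] += 2, i.e. seed last byte + 3 overall
    h3 = sha1(bytes(s))
    return h2 + h3[:4]


def split_blob(hexstr: str):
    """Hex-decode enc_GroupPwd and verify the embedded SHA1 over the ciphertext."""
    blob = bytes.fromhex(hexstr.strip())
    if len(blob) < 40 + BLOCK or (len(blob) - 40) % BLOCK:
        raise ValueError("enc_GroupPwd has an impossible length")
    seed, digest, ct = blob[:20], blob[20:40], blob[40:]
    if sha1(ct) != digest:
        raise ValueError("integrity check failed: hash over ciphertext does not match")
    return seed, ct


def _des3_cbc(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """3DES-CBC without padding, via python-cryptography or PyCryptodome."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        try:  # cryptography >= 43 moved TripleDES to the 'decrepit' package
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES
        op = Cipher(TripleDES(key), modes.CBC(iv))
        op = op.decryptor() if decrypt else op.encryptor()
        return op.update(data) + op.finalize()
    except ImportError:
        from Crypto.Cipher import DES3
        c = DES3.new(key, DES3.MODE_CBC, iv=iv)
        return c.decrypt(data) if decrypt else c.encrypt(data)


def decrypt_group_pwd(hexstr: str) -> str:
    seed, ct = split_blob(hexstr)
    pt = _des3_cbc(derive_key(seed), seed[:8], ct, decrypt=True)
    pad = pt[-1]
    if not 1 <= pad <= BLOCK or pt[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad padding: wrong key or corrupt blob")
    return pt[:-pad].decode("latin-1")


def encrypt_group_pwd(secret: str, seed: bytes = None) -> str:
    """Inverse of decrypt_group_pwd; used here only to build a sample profile."""
    seed = seed or os.urandom(20)
    pt = secret.encode("latin-1")
    pad = BLOCK - len(pt) % BLOCK
    ct = _des3_cbc(derive_key(seed), seed[:8], pt + bytes([pad]) * pad, decrypt=False)
    return (seed + sha1(ct) + ct).hex().upper()


def parse_pcf(text: str) -> dict:
    """Collect key=value pairs from an INI-style .pcf profile, keys lower-cased."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def vpnc_conf(fields: dict) -> str:
    """Render /etc/vpnc/default.conf from parsed .pcf fields."""
    lines = [
        f"IPSec gateway {fields['host']}",
        f"IPSec ID {fields['groupname']}",
        f"IPSec secret {decrypt_group_pwd(fields['enc_grouppwd'])}",
    ]
    if fields.get("username"):
        lines.append(f"Xauth username {fields['username']}")
    return "\n".join(lines) + "\n"


def sample_pcf(blob: str) -> str:
    """A constructed profile in the shape of the files under VPN Client\\Profiles."""
    return ("[main]\nDescription=constructed example profile\nHost=vpn.example.com\n"
            f"GroupName=engineering\nenc_GroupPwd={blob}\nUsername=jdoe\n")


if __name__ == "__main__":
    profile = sample_pcf(encrypt_group_pwd("group-secret-1"))
    print(vpnc_conf(parse_pcf(profile)))   # IPSec secret line reads group-secret-1
```

Run it as a script to see the round trip on the constructed profile; for a real profile, replace the sample with the text of the .pcf file and write the output to /etc/vpnc/default.conf (mode 0600, since it holds the group and Xauth credentials in clear). The integrity check in split_blob is worth keeping: a mismatched SHA1 means the hex string was truncated or edited, and the padding check catches a blob that decrypts to garbage.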