From: Alexander Skwar <lists.ASkwar@email-server.info>
To: netfilter@lists.netfilter.org
Subject: [fwd] "IPsec-pass-through" with iptables? (from: ASkwar@email-server.info)
Date: Tue, 26 Nov 2002 17:09:16 +0100
Message-ID: <20021126160916.GC17324@teich.Garten.DigitalProjects.com>
Hello!
I'm trying to connect with a Windows PC running an AT&T client software
to my company's VPN gateway and fail to do so. The Windows PC is
connected to my home LAN with a Linux gateway doing IP masquerading.
The setup is like this:
-------          -------          ========      -------
- Win -  -Lan->  - Lin -  -DSL->  = Inet =  ->  - VPN -
-------      /   -------          ========      -------
            /
-------    /
- PC2 -  -
-------
As you can see, the "Lin" Linux gateway is connected to the Internet
through a "dial-up" DSL connection. My DSL provider doesn't provide
static IPs, so it is using dynamic IPs ;)
For my internal LAN, I'm using IP masquerading, so that I'm able
to connect to the Internet with more than 1 PC.
The supporters here at my company tell me that I'm unable to connect
to the company's VPN servers, because my Linux router doesn't do/support
"IPsec-pass through". Well, that might be the case, I don't know.
How do I have to set up my Linux 2.4.20 router using iptables v1.2.6a
so that it does "IPsec pass through"?
Here's the output of iptables-save:
# Generated by iptables-save v1.2.6a on Tue Nov 26 17:08:56 2002
*filter
:INPUT ACCEPT [154463:26208407]
:FORWARD ACCEPT [10780:550322]
:OUTPUT ACCEPT [170787:53607884]
-A INPUT -i eth0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A FORWARD -s 10.20.30.0/255.255.255.0 -j ACCEPT
COMMIT
# Completed on Tue Nov 26 17:08:56 2002
# Generated by iptables-save v1.2.6a on Tue Nov 26 17:08:56 2002
*nat
:PREROUTING ACCEPT [18806:973058]
:POSTROUTING ACCEPT [8453:605815]
:OUTPUT ACCEPT [5835:635949]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8081
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 1214 -j DNAT --to-destination 10.20.30.22:1214
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 4662 -j DNAT --to-destination 10.20.30.22:4662
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6346 -j DNAT --to-destination 10.20.30.22:6346
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 6699 -j DNAT --to-destination 10.20.30.22:6699
-A PREROUTING -i ppp0 -p udp -m udp --dport 1214 -j DNAT --to-destination 10.20.30.22:1214
-A PREROUTING -i ppp0 -p udp -m udp --dport 6257 -j DNAT --to-destination 10.20.30.22:6257
-A PREROUTING -i ppp0 -p udp -m udp --dport 6346 -j DNAT --to-destination 10.20.30.22:6346
-A POSTROUTING -s 10.20.30.0/255.255.255.0 -j MASQUERADE
COMMIT
# Completed on Tue Nov 26 17:08:56 2002
Thanks a lot!
Alexander Skwar
--
How to quote: http://learn.to/quote (german) http://quote.6x.to (english)
Homepage: http://www.iso-top.biz | Jabber: askwar@a-message.de
iso-top.biz - The inexpensive way to get Linux distributions
Uptime: 8 hours 39 minutes