* Multiple VPN clients
@ 2003-02-03 19:26 Jimmy
  2003-02-04  0:50 ` Michiel Brandenburg
  0 siblings, 1 reply; 3+ messages in thread
From: Jimmy @ 2003-02-03 19:26 UTC (permalink / raw)
  To: netfilter

Hello,

I have a situation that I have been struggling with for a few days now. 
I don't want to write a 10 page e-mail, so I will try to summarize the
important points and hope someone can clarify this for me.  :)

In a nutshell:  I need to allow multiple IPSec VPN clients from behind
my iptables firewall to connect to a single VPN server on the Internet.
Firewall:  Redhat 7.3 kernel 2.4.18-18.7.x and iptables v1.2.5. 
Clients: win98/2000 with the Nortel Connectivity VPN client V04_15.06

#1 is this possible?  (According to the docs IP masq and VPN masq, I
think it is, unless I am misreading something somewhere)

From what I understand, all I need is to have the firewall set up to 
masquerade and allow ESP, AH and UDP port 500 traffic.  (I included the
relevant rules at the end of this e-mail)  This all works great with
_one_ connection.  As soon as a second IPsec client is launched, it does
not work.

I keep reading I have to patch the kernel for this, but I cannot find an
IPSec patch for the 2.4 kernel anywhere.  (Is this what I am missing?)

The docs I have run through are:
Linux VPN Masquerade:
http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

IP Masquerade HOWTO from
http://ipmasq.webhop.net

Linux VPN Masquerade HOWTO:
http://www.impsec.org/linux/masquerade/VPN-howto/VPN-Masquerade.html

And I have googled to my wits' end... :)
I don't know if there is a small point escaping me, or if this is a big
deal and I am just plain blind.

If someone has an idea what I might be missing here, I would really
appreciate any input.

Here are the iptables rules I think relevant.  (I set up a bunch of
logging options, and I know these rules are working because of the first
connection.  Yes my real rules are more secure, this is just the parts I
think relevant to my situation, then again I may be wrong)

#! /bin/bash
FILTER=/sbin/iptables
EXTINT=eth0   # PLACEHOLDER: external (Internet-facing) interface; not set in the excerpt above

# Enable IPv4 forwarding between the internal and external interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

# Masquerade everything leaving on the external interface behind its address
$FILTER -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE

# Let the IPsec traffic through: ESP and AH payloads plus IKE on UDP port 500
$FILTER -A FORWARD -p esp -j ACCEPT
$FILTER -A FORWARD -p ah -j ACCEPT
$FILTER -A FORWARD -p udp --dport 500 -j ACCEPT

I hope someone can enlighten me.  :)

Thank you,
Jimmy


-- 
Jimmy <jimmy@v2k.ca>
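Why the first tunnel works and the second one breaks, as an added model that is not from this thread or from netfilter's code: masquerading rewrites the UDP source port so two IKE flows stay distinct, but ESP and AH carry no port, so every client's tunnel collapses onto the same (protocol, server, firewall) triple and the server's replies become ambiguous. The track_spi mode sketches what an SPI-aware tracker like the VPN masquerade patches in the docs above provides; the addresses, SPIs and the reply-SPI attribution heuristic are constructed assumptions of this model.

```python
# Constructed model (not netfilter code) of how a masquerading firewall keys
# outbound flows and looks replies back up. It shows why one IPsec client
# behind MASQUERADE works but a second one breaks: ESP and AH carry no port,
# so plain NAT has nothing to rewrite and the replies become ambiguous.

FW = "203.0.113.1"          # constructed: firewall's public address
SERVER = "198.51.100.7"     # constructed: the single VPN server


class Masquerade:
    def __init__(self, track_spi=False):
        self.track_spi = track_spi   # True mimics a VPN-masquerade style tracker
        self.next_port = 1025        # next NAT source port for UDP flows
        self.table = {}              # reply-side key -> internal client address
        self.pending = []            # clients whose reply SPI is not yet learned

    def outbound(self, client, proto, spi=None):
        """Client -> server packet. Returns the reply key, or None if unmappable."""
        if proto == "udp":
            # UDP (IKE on port 500) has a source port, so each client gets its own.
            key = ("udp", SERVER, self.next_port)
            self.next_port += 1
        elif self.track_spi:
            # SPI-aware tracker: outbound ESP is keyed by its own SPI; the
            # server's reply SPI is unknown until its first packet arrives.
            key = ("esp-out", client, spi)
            if client not in self.pending:
                self.pending.append(client)
        else:
            # Plain NAT: no port in ESP, so every client maps to the same triple.
            key = ("esp", SERVER, FW)
        if key in self.table and self.table[key] != client:
            return None              # already owned by another client: collision
        self.table[key] = client
        return key

    def inbound(self, proto, dport=None, spi=None):
        """Server -> firewall packet. Returns the client it is delivered to."""
        if proto == "udp":
            return self.table.get(("udp", SERVER, dport))
        if not self.track_spi:
            return self.table.get(("esp", SERVER, FW))
        key = ("esp-in", SERVER, spi)
        if key not in self.table and self.pending:
            # Unseen reply SPI: attribute it to the oldest client still waiting
            # for one (an assumption of this model; real trackers must guess
            # here as well, which is why two clients starting together is fragile).
            self.table[key] = self.pending.pop(0)
        return self.table.get(key)
```

With plain masquerading the second client's ESP flow cannot be mapped at all, while the SPI-aware mode keeps both tunnels apart once each reply SPI has been seen.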




* Re: Multiple VPN clients
  2003-02-03 19:26 Multiple VPN clients Jimmy
@ 2003-02-04  0:50 ` Michiel Brandenburg
  0 siblings, 0 replies; 3+ messages in thread
From: Michiel Brandenburg @ 2003-02-04  0:50 UTC (permalink / raw)
  To: netfilter


> I keep reading I have to patch the kernel for this, but I cannot find an
> IPSec patch for the 2.4 kernel anywhere.  (Is this what I am missing?)
Currently running (and firewalling) Linux 2.4.20 with FreeSWAN patch
(ipsec) which you can get at www.freeswan.org

-- 
Best regards,
 Michiel





* RE: Multiple VPN clients
       [not found] <20030203232725.17363.84764.Mailman@kashyyyk>
@ 2003-02-04  1:10 ` Storm D. J. Petersen
  0 siblings, 0 replies; 3+ messages in thread
From: Storm D. J. Petersen @ 2003-02-04  1:10 UTC (permalink / raw)
  To: jimmy; +Cc: Netfilter@Lists. Netfilter. Org


Hi!

I'm also having trouble with this.  If someone sends you some hints via
direct email, can you post it public?

Thanks,

S.

-----Original Message-----
Subject: Multiple VPN clients
From: Jimmy <jimmy@v2k.ca>
To: netfilter@lists.netfilter.org
Organization:
Date: 03 Feb 2003 14:26:11 -0500




