cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
459
Views
0
Helpful
2
Replies

Cisco 3000 VPN Concentrator and Linux vpnclient

conrake
Level 1
Level 1

In the Cisco VPN Client User Guide for Linux, Solaris, and Mac OS X it gives an example on page 2-3 which uses ipchains and recommends removing two lines from your /etc/sysconfig/ipchains config file. This is bad advice. Do not remove the lines which filter udp/0:1023 and udp/2049 as this would make the linux box less secure.

The Cisco 3000 VPN Concentrator vpnclient for Linux requires communication using IKE, ESP, and AH, and can also use UDP on a user definable port when necessary.

To allow IKE, open udp/500

for ESP open protocol 50

and for AH open protocol 51

In the newer linux distributions which use the 2.4 kernel the default firewall is iptables.

On a default RH8 system using the default Medium or High firewall settings during install or later running the lokkit program, all I needed to do to allow the Cisco vpnclient to work was to open udp on port 500. Evidently ESP and AH protocols are not blocked.

The following line must be added in /etc/sysconfig/iptables above the line which rejects udp on low ports 0-1023 and 2049 (NFS):

-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 500 -d 0/0 --dport 500 -i eth0 -j ACCEPT

The filter can be made even more secure by specifying the Cisco 3000 public address in the -s (source) parameter.

2 Replies 2

k.poplitz
Level 3
Level 3

I think making these changes becomes necessary so that UDP traffic is allowed through. I'm not sure the client will work properly with these statements in place. Did you notice any problems with these statements still in place?

No I didn't notice any problems. The only port I had to open was 500 though I think I only tested access to our intranet and doing some pings. Taking out the two lines as they suggest would also open port 500 and make things work, but it also opens all the other ports which were filtered in the first place for security. Once the connection is established, communication through the concentrator should be using protocols 50 and 51 so as far as I know there is no reason to open the udp well known ports to the outside world. And if you are using a split horizon then it seems like an especially bad idea. But if I run into any problems I will come back and add to this thread.

One thing I should have added to the original post was to remember to reinitialize the filter rules by typing 'service iptables restart' as root.