PDA

View Full Version : Cannot enable IPSec in Yast firewall configuration



apeetz
19-Jul-2012, 09:17
Hi all,

I have installed a SLES 11 SP2 server and configured the firewall on it to forward and masquerade traffic from an internal network to the Internet.
Generally this works fine, I can access the Internet (browsing etc) from a Windows machine that is on the internal network.

However, I can NOT connect to the outside via VPN from this machine. I'm using the Shrewsoft VPN client to connect to a Cisco VPN concentrator. This works fine when the machine is directly connected to the Internet, but it times out if the machine is behind the SLES masquerading firewall.

To make this work I probably need to enable IPsec in the firewall properties (right?). There is a dialog available to do this, but the checkbox to enable IPsec is greyed out. So, I cannot enable it. I googled around to find out how to fix this, and found a lot of instructions on how to configure the SLES firewall with Yast, but nowhere I found an explanation why this option would be disabled.

Can anyone help me?

- Andreas

jmozdzen
19-Jul-2012, 13:14
Hi Andreas,

my first guess was that probably some iptables helper modules are missing. But then I spotted the following in the SuSEfirewall documentation:


IPsec Support
Configure whether the IPsec service should be available to the external network in this dialog. Configure which packets are trusted under Details.


Sounds to me like they only support IPsec to/from the gateway machine, which would required StrongSwan installed. I guess there's simply no IPsec software installed on the gateway.

As you want to FORWARD IPsec through the gateway, you'll have to add that service (or manual definitions for the ports/protocols involved) to the ruleset. And keep in mind that NAT changes packet headers, so IPsec's verification of those (AH) needs to be turned off.

Regards,
Jens