firewall + ipsec?

Felipe Alfaro Solana felipe_alfaro at linuxmail.org
Tue Sep 23 14:27:12 UTC 2003


On Tue, 2003-09-23 at 15:37, Paul Morgan wrote:

> > None seemed to do the job.  Several could open ports, but only for tcp and 
> > udp, whereas I need other protocols (50 and 51).
> 
> Whatever protocol you're using will likely be based on either tcp or udp
> if it goes over an ip network. Ports 50 and 51 are just doorways for
> either tcp or udp or both that your protocol happens to use. 

No, he is not talking about ports 50 or 51, he is talking about
protocols 50 and 51: IPSec ESP and IPSec AH, respectively.

Enabling the whole ESP and AH headers will allow IPSec traffic to pass
through the firewall. However, he will find another pitfall that I've
been unable to resolve and it's that once IPSec traffic passes by the
firewall, there is no way to perform additional filtering based on
TCP/UDP ports for example.

Thus, if you enable ESP/AH (protocols 50 and 51), you will in fact
enable *any* IPSec-protected traffic to pass through the firewall,
without being able to filter that IPSec traffic based on TCP/UDP ports,
for example.
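As an added illustration of the point above (not code from the original thread): a toy stateless packet classifier showing what a port-based rule can and cannot see in plain TCP, ESP (protocol 50) and AH (protocol 51) packets. All packet bytes, addresses and SPI values are constructed for the example.

```python
import struct

TCP, UDP, ESP, AH = 6, 17, 50, 51  # IP protocol numbers

def ipv4(proto, payload):
    """Minimal IPv4 header (IHL=5, checksum left zero) in front of a payload; constructed."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def visible_fields(pkt):
    """Fields a stateless filter can read from an IPv4 packet without the IPsec keys."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", payload[:4])
        return {"proto": proto, "sport": sport, "dport": dport}
    if proto == ESP:
        # RFC 4303 ESP: SPI, sequence number, then ciphertext. No ports are readable.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"proto": ESP, "spi": spi, "seq": seq}
    if proto == AH:
        # RFC 4302 AH: next header, payload length, reserved, SPI, sequence, ICV.
        next_hdr, _, spi, seq = struct.unpack("!BBxxII", payload[:12])
        return {"proto": AH, "next": next_hdr, "spi": spi, "seq": seq}
    return {"proto": proto}

def rule_matches(rule, pkt):
    """A rule matches only when every field it names is visible and equal."""
    fields = visible_fields(pkt)
    return all(fields.get(k) == v for k, v in rule.items())

# Constructed sample packets: plain SSH, an ESP packet (opaque payload), an AH packet.
SSH_PLAIN = ipv4(TCP, struct.pack("!HH", 40000, 22) + b"\x00" * 16)
ESP_PKT = ipv4(ESP, struct.pack("!II", 0x1000, 1) + b"\xaa" * 32)
AH_PKT = ipv4(AH, struct.pack("!BBxxII", TCP, 4, 0x2000, 7) + b"\xbb" * 12)

ALLOW_SSH = {"proto": TCP, "dport": 22}   # port-based rule: blind to ESP contents
ALLOW_ESP = {"proto": ESP}                 # protocol-50 rule: admits any ESP flow

if __name__ == "__main__":
    for name, pkt in [("ssh", SSH_PLAIN), ("esp", ESP_PKT), ("ah", AH_PKT)]:
        print(name, visible_fields(pkt),
              rule_matches(ALLOW_SSH, pkt), rule_matches(ALLOW_ESP, pkt))
```

The only thing a filter can key on for ESP is the outer header and the SPI, so a protocol-50 allow rule admits whatever the tunnel carries, which is exactly the pitfall described above.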
