VPN Client behind firewall

Hi,

I am trying to connect to the Cisco VPN server from my network, which has a Linux firewall and Windows 2000 systems. I have installed the Cisco VPN Client on one of the Windows 2000 Pro systems and am trying to connect, but I am not able to and get the error "Secure VPN Connection terminated localy by the client Reason 412: The remote peer is no longer responding".

When I went through some documents on the net, they say that

UDP port 500
UDP port 10000 (or any other port number being used for IPSec/UDP)
IP protocol 50 (ESP)
TCP port configured for IPSec/TCP
NAT-T port 4500

should be open.

I am not so good at iptables. Can anyone tell me how to open these ports in iptables so that I can dial my VPN client?

Please, someone help me with this issue.

Regards

Vinod


In article , Vinod wrote:
:I am trying to connect to the cisco VPN server from my network which
:has linux firewall and windows 2000 systems.

:When i went through some document in the net they say that

:UDP port 500

Yes, always needed.

:UDP port 10000 (or any other port number being used for IPSec/UDP)

That's obsolete, ignore that one.

:IP protocol 50 (ESP)

That is used if NAT-T is not in effect, or if it is and the systems discover that NAT-T is not needed. Or to phrase it another way, traditionally you -always- needed IP protocol 50, but if you have NAT-T turned on and it figures you need NAT-T then it will use a UDP port instead.

:TCP port configured for IPSec/TCP

IPSec does not need any TCP ports in any Cisco implementation that I know of.

:NAT-T port 4500

NAT-T negotiations are on UDP port 4500. If NAT-T is turned on, the sequence is UDP 500, then UDP 4500, and then either ESP -or- a negotiated UDP port.

When NAT-T is on and is negotiated, the dynamic UDP port used is a -source- port, with the destination port always being UDP 4500 [and in this case ESP is not used.] This applies both ways: one end will send to UDP 4500 of the other, and the other will send to UDP 4500 of the first.

Sorry, I can't help with the iptables part.

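The iptables rules Vinod asked for, built from the port list Walter walks through above (UDP 500, UDP 4500 with a dynamic source port, ESP when NAT-T is not negotiated, and no UDP 10000 or TCP rules). This is an added example and not part of the thread; the interface names and addresses are assumptions, and the FORWARD chain is assumed to end in a drop.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules that let one IPsec
# client on the LAN reach a remote Cisco VPN peer through this Linux NAT box.
# Interface names and addresses are assumptions (constructed values); change them.
LAN_IF="eth1"           # interface facing the Windows 2000 client
WAN_IF="eth0"           # interface facing the Internet
CLIENT="192.168.1.10"   # constructed LAN address of the VPN client
VPN_PEER="203.0.113.5"  # constructed address of the Cisco VPN server

# Print the rule set instead of applying it, so it can be reviewed first.
vpn_passthrough_rules() {
    cat <<EOF
# Replies to connections the firewall has already seen
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# IKE: UDP 500 is always needed, in both directions
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $CLIENT -d $VPN_PEER -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $VPN_PEER -d $CLIENT -p udp --sport 500 -j ACCEPT
# NAT-T: the destination port is always UDP 4500 while the client's source
# port is dynamic, so only port 4500 is matched, never the other side's port
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $CLIENT -d $VPN_PEER -p udp --dport 4500 -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $VPN_PEER -d $CLIENT -p udp --sport 4500 -j ACCEPT
# ESP (IP protocol 50): used only if NAT-T is not negotiated
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $CLIENT -d $VPN_PEER -p esp -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $LAN_IF -s $VPN_PEER -d $CLIENT -p esp -j ACCEPT
# Log whatever the chain still drops, so the logfile shows what is missing
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
iptables -A FORWARD -j DROP
# Hide the client behind the firewall's public address
iptables -t nat -A POSTROUTING -o $WAN_IF -s $CLIENT -j MASQUERADE
EOF
}

# Count rule lines containing a given string; used for self-checks.
count_rules() {
    vpn_passthrough_rules | grep -c -- "$1"
}

# Usage: sh vpn-rules.sh (review)  or  sh vpn-rules.sh apply (as root)
if [ "$1" = "apply" ]; then
    vpn_passthrough_rules | sh
else
    vpn_passthrough_rules
fi
```

Plain ESP through NAT is tracked by address only, so only one LAN host at a time can use it to the same peer; NAT-T avoids that limit, which is why the UDP 4500 rules matter most.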

Watching the logfile and reading the iptables documentation should help.

;-)

Apart from that, for that scenario I'd recommend forgetting about using the Cisco VPN client behind the Linux NAT box and instead building a site-to-site VPN between the Cisco and the Linux box, using OpenSwan on the Linux side.

Wolfgang

