Columbia University Medical Center Information Technology
VPN for Linux

Please see our main VPN page for general information regarding the program and its uses.

Linux is not fully supported by CUMC IT or Columbia; these instructions are provided as a courtesy.

NOTE: These installations are for West Campus only. To use them, your primary affiliation must be with the Columbia University Medical Center. If your primary affiliation is with New York-Presbyterian Hospital, please go to http://infonet.nyp.org/technology/ or call extension 4-Help for assistance.

Installing VPN on Linux

These instructions were tested on a RedHat 8.0 system (laptop) with a custom kernel; however, they should work on any Linux distribution.

Here is a summary of the steps and minimum requirements:

  1. Obtain the client software
  2. Unpack the tarball
  3. Configure the software
  4. Personalize the installation
  5. Test the software
  6. Customize the installation

You will need the following before beginning:
  1. A working network connection. This means you should be able to connect to sites on the Internet. For example:

    [root@dhcppc5 root]# ping www.yahoo.com

    PING www.yahoo.akadns.net (216.109.125.70) from 192.168.0.6 : 56(84) bytes of data.
    64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=1 ttl=45 time=30.7 ms
    64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=2 ttl=45 time=32.0 ms
    64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=3 ttl=45 time=31.2 ms
    64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=4 ttl=45 time=30.5 ms
    64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=5 ttl=45 time=31.0 ms

    --- www.yahoo.akadns.net ping statistics ---

    5 packets transmitted, 5 received, 0% loss, time 4012ms
    rtt min/avg/max/mdev = 30.508/31.126/32.024/0.571 ms
    [root@dhcppc5 root]#

  2. Linux operating system. Kernel should be at least 2.2.x. To find out what your current system is running, do the following:

    [root@dhcppc5 root]# uname -a
    Linux dhcppc5 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686 i686 i386 GNU/Linux
    [root@dhcppc5 root]#

    The first column displays the system type, the next column is the current hostname followed by the kernel version.

  3. A working GNU "tar", or a non-GNU "tar" together with GNU "gzip".

    [root@dhcppc5 vpnclient]# tar --version
    tar (GNU tar) 1.13.25

    This version is ok.

  4. Click here for the required group authentication name and password for configuring VPN. You must log in using your UNI account to view these settings.

  5. A working web browser such as Mozilla, Netscape, Galeon, Konqueror or the command-line Lynx browser. Alternatively, you can use "wget" if it is available on your system. This installation uses "wget" as it is the easiest method; it also shows how to get the software via a standard web browser. To find out if you have "wget":

    [root@dhcppc5 vpnclient]# wget --version
    GNU Wget 1.8.2

    If you do not get this or a similar response, please follow the instructions on how to get the software using a standard browser.
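The five requirements above can be checked in one pass. The script below is an added example and is not part of the CUMC page: it applies the page's thresholds (kernel 2.2.x or later, GNU tar, wget on the PATH, a successful ping to www.yahoo.com) and reports what is missing. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CUMC page: pre-flight checks for the
# requirements listed above. Thresholds and the ping target come from
# the page; the function names are this example's own.

# kernel_at_least RELEASE MAJOR MINOR -> 0 when RELEASE (as printed by
# `uname -r`, e.g. "2.4.18-14custom") is at least MAJOR.MINOR
kernel_at_least() {
    rel=$1; want_major=$2; want_minor=$3
    # keep only the leading digits of each component ("18-14custom" -> "18")
    major=$(printf '%s' "${rel%%.*}" | sed 's/[^0-9].*//')
    rest=${rel#*.}
    minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
    [ -n "$major" ] && [ -n "$minor" ] || return 1
    [ "$major" -gt "$want_major" ] && return 0
    [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]
}

# tar_is_gnu BANNER -> 0 when the first line of `tar --version` names GNU tar
tar_is_gnu() {
    case "$1" in
        *"GNU tar"*) return 0 ;;
        *) return 1 ;;
    esac
}

# have_cmd NAME -> 0 when NAME is an executable on the PATH
have_cmd() {
    command -v "$1" >/dev/null 2>&1
}

# preflight: check the live system and print one line per requirement.
# Returns non-zero when the kernel is too old or the network is down.
preflight() {
    status=0
    if kernel_at_least "$(uname -r)" 2 2; then
        echo "kernel $(uname -r): ok"
    else
        echo "kernel $(uname -r): too old, need 2.2.x or later"; status=1
    fi
    if tar_is_gnu "$(tar --version 2>/dev/null | head -n 1)"; then
        echo "tar: GNU tar found"
    else
        echo "tar: not GNU tar; unpack with 'gzip -d' followed by 'tar -xvf'"
    fi
    if have_cmd wget; then
        echo "wget: found"
    else
        echo "wget: missing; download the tarball with a web browser instead"
    fi
    # Connectivity check: one ping to the host the page uses as its example.
    if have_cmd ping && ping -c 1 www.yahoo.com >/dev/null 2>&1; then
        echo "network: ok"
    else
        echo "network: ping to www.yahoo.com failed; fix connectivity first"; status=1
    fi
    return $status
}

# Run the live checks only when asked, so the file can also be sourced.
case "${1:-}" in
    --run) preflight ;;
esac
```

Save the script as preflight.sh and run `sh preflight.sh --run`; a non-zero exit means the kernel or the network check failed, and the other two lines tell you whether to fall back to the gzip/tar and browser routes described above.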

Steps to Install VPN
  1. Obtain the software
    At your terminal prompt type the following (Note: Don't use word wrap; the command is all one line):

    [root@dhcppc5 root]# wget http://library.cpmc.columbia.edu/ic/cubhis_apps/vpnclient-linux-3.7.3.A-k9.tar.gz

    You should then see the following output:

    --13:15:32-- http://library.cpmc.columbia.edu/ic/cubhis_apps/vpnclient-linux-3.7.3.A-k9.tar.gz
    => `vpnclient-linux-3.7.3.A-k9.tar.gz'
    Resolving library.cpmc.columbia.edu... done.
    Connecting to library.cpmc.columbia.edu[156.111.235.97]:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1,192,910 [application/x-tar]
    100%[========================================================>] 1,192,910 80.35K/s ETA 00:00

    13:15:48 (80.35 KB/s) - `vpnclient-linux-3.7.3.A-k9.tar.gz' saved [1192910/1192910]
    [root@dhcppc5 root]#

    To verify the downloaded file:

    [root@dhcppc5 root]# ls -la vpnclient-linux-3.7.3.A-k9.tar.gz
    -rw-r--r-- 1 root root 1192910 Feb 10 14:52 vpnclient-linux-3.7.3.A-k9.tar.gz
    [root@dhcppc5 root]#

  2. Unpack the tarball
    To unpack the compressed tarball, type the following at the prompt:

    [root@dhcppc5 root]# tar zxvf vpnclient-linux-3.7.3.A-k9.tar.gz

    This will produce the following output:

    vpnclient/
    vpnclient/cisco_cert_mgr
    vpnclient/vpnclient
    vpnclient/cvpnd
    vpnclient/ipseclog
    vpnclient/vpn_install
    vpnclient/vpnclient_init
    vpnclient/driver_build.sh
    vpnclient/vpn_uninstall
    vpnclient/sample.pcf
    vpnclient/vpnclient.ini.in
    vpnclient/license.txt
    vpnclient/interceptor.c
    vpnclient/linuxcniapi.c
    vpnclient/linuxcniapi.h
    vpnclient/vpn_ioctl_linux.h
    vpnclient/IPSecDrvOS_linux.c
    vpnclient/linux_os.h
    vpnclient/frag.h
    vpnclient/frag.c
    vpnclient/GenDefs.h
    vpnclient/mtu.h
    vpnclient/IPSecDrvOSFunctions.h
    vpnclient/IPSecDrvOS_linux.h
    vpnclient/Cniapi.h
    vpnclient/config.h
    vpnclient/libdriver.so
    [root@dhcppc5 root]#

    If you do not get this output and instead see errors, you probably do not have GNU "tar" installed or it is an older version which does not support GZIP compressed tarballs. You can use "gzip -d file.tar.gz" to uncompress the tarball and then "tar -xvf file.tar" to untar the tarball.

  3. Configure the software
    Change your directory to the newly created VPNCLIENT directory:

    [root@dhcppc5 root]# cd vpnclient
    [root@dhcppc5 vpnclient]#

    Type "ls" to see the files within:

    [root@dhcppc5 vpnclient]# ls

    cisco_cert_mgr frag.h ipseclog mtu.h vpn_ioctl_linux.h
    Cniapi.h GenDefs.h libdriver.so sample.pcf vpn_uninstall
    config.h interceptor.c license.txt vpnclient
    cvpnd IPSecDrvOSFunctions.h linuxcniapi.c vpnclient.ini.in
    driver_build.sh IPSecDrvOS_linux.c linuxcniapi.h vpnclient_init
    frag.c IPSecDrvOS_linux.h linux_os.h vpn_install

    You are then ready to run the VPN Client Install utility. At the prompt, type the following:

    [root@dhcppc5 vpnclient]# ./vpn_install

    This will begin the Cisco VPN Client install utility which is menu driven. Explanation and instructions for each prompt follow:

    Cisco Systems VPN Client Version 3.7.3 (Rel) Linux Installer
    Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.

    By installing this product you agree that you have read the license.txt file (The VPN Client license) and will comply with its terms.

    Directory where binaries will be installed [/usr/local/bin]

    Select the default by hitting ENTER.

    Automatically start the VPN service at boot time [yes]

    Hit ENTER to select yes, though you can also start it manually if you prefer. Then:

    In order to build the VPN kernel module, you must have the kernel headers for the version of the kernel you are running:

    For RedHat 6.x users these files are installed in /usr/src/linux by default
    For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default
    For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by default

    The directory containing linux kernel source code [/lib/modules/2.4.18-14custom/build]

    The installer can typically figure out what the running kernel is and where the source files are. If it is correct for your installation, select ENTER.

    You will then see a summary of selected options and should verify that the settings are correct. If so, hit ENTER.

    * Binaries will be installed in "/usr/local/bin".
    * Modules will be installed in "/lib/modules/2.4.18-14custom/CiscoVPN".
    * The VPN service will be started AUTOMATICALLY at boot time.
    * Kernel source from "/lib/modules/2.4.18-14custom/build" will be used to build the module.

    Is the above correct [y]

    Shutting down /usr/local/bin/vpnclient: Done
    Stopped: /etc/init.d/vpnclient_init (VPN init script
    Making module
    Copying module to directory "/lib/modules/2.4.18-14custom/CiscoVPN".
    Creating start/stop script "/etc/init.d/vpnclient_init".
    Enabling start/stop script for run level 3,4 and 5.
    Updating VPN configuration file "/etc/CiscoSystemsVPNClient/vpnclient.ini".
    Installing license.txt (VPN Client license) in "/etc/CiscoSystemsVPNClient/":
    Installing bundled user profiles in "/etc/CiscoSystemsVPNClient/Profiles/":
    Copying binaries to directory "/usr/local/bin".

    Setting permissions.

    /usr/local/bin/cvpnd (setuid root)
    /etc/CiscoSystemsVPNClient (world writeable)
    /etc/CiscoSystemsVPNClient/Profiles (world writeable)
    /etc/CiscoSystemsVPNClient/Certificates (world writeable)

    * You may wish to change these permissions to restrict access to root.
    * You must run "/etc/init.d/vpnclient_init start" before using the client.
    * This script will be run AUTOMATICALLY every time you reboot your computer.

    [root@dhcppc5 vpnclient]#

    To configure the client with a profile for connecting to the VPN concentrator and making a secure IPSec connection:
    First, copy the sample profile to the one that will be used:

    [root@dhcppc5 vpnclient]# cd /etc/CiscoSystemsVPNClient/Profiles/
    [root@dhcppc5 Profiles]# cp sample.pcf cpmc.pcf
    [root@dhcppc5 Profiles]#

  4. Personalize the installation
    Edit the newly created profile using the "vi" editor or your preferred text editor.
    This is what the file should look like when you first open it:

    [root@dhcppc5 Profiles]# vi cpmc.pcf

    [main]
    Description=sample user profile
    Host=10.212.20.52
    AuthType=1
    GroupName=monkeys
    EnableISPConnect=0
    ISPConnectType=0
    ISPConnect=
    ISPCommand=
    Username=chimchim
    SaveUserPassword=0
    EnableBackup=0
    BackupServer=
    EnableNat=0
    CertStore=0
    CertName=
    CertPath=
    CertSubjectName=
    CertSerialHash=00000000000000000000000000000000
    DHGroup=2
    ForceKeepAlives=0

    In the [Main] section of the file, change the following lines:

    Description=CPMC VPN Concentrator
    Host=156.111.224.55
    GroupName=nyp.org
    Username=

    The username will be your Columbia UNI; type this into the file at the appropriate field.

    Save the file. Once the file is saved, make sure the file name is correct and the permissions are properly set:

    [root@dhcppc5 Profiles]# ls -la
    total 16
    drwxrwxrwx 2 root root 4096 Apr 6 13:56 .
    drwxrwxrwx 4 root root 4096 Apr 6 13:29 ..
    -rw-r--r-- 1 root root 691 Apr 6 13:35 cpmc.pcf
    -rw-rw-rw- 1 root root 349 Apr 6 13:29 sample.pcf
    [root@dhcppc5 Profiles]#
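Two things in this step deserve a script rather than hand editing: the profile values above must be set exactly, and the installer left /etc/CiscoSystemsVPNClient and its Profiles and Certificates directories world-writable (see the "Setting permissions" output in step 3), while the client writes the group password back into the .pcf file after the first connection. The script below is an added example, not from the CUMC page or from Cisco: it builds cpmc.pcf from sample.pcf with the page's values, sets the profile to mode 600, and removes world-write from the configuration tree. The config path defaults to /etc/CiscoSystemsVPNClient and can be overridden through CONF to rehearse in a scratch directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CUMC page or Cisco: personalise the profile
# and tighten the permissions the installer left open. CONF is assumed to
# be /etc/CiscoSystemsVPNClient unless overridden in the environment.
CONF=${CONF:-/etc/CiscoSystemsVPNClient}

# set_pcf_key FILE KEY VALUE: replace "KEY=..." in place, or append the
# key when the sample profile does not carry it.
set_pcf_key() {
    file=$1; key=$2; value=$3
    if grep -q "^$key=" "$file"; then
        sed "s|^$key=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_pcf_key FILE KEY -> prints the value of KEY (first match)
get_pcf_key() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# make_profile UNI: copy sample.pcf to cpmc.pcf and apply the values the
# page specifies; the username is the caller's Columbia UNI.
make_profile() {
    uni=$1
    src=$CONF/Profiles/sample.pcf
    dst=$CONF/Profiles/cpmc.pcf
    cp "$src" "$dst"
    set_pcf_key "$dst" Description "CPMC VPN Concentrator"
    set_pcf_key "$dst" Host 156.111.224.55
    set_pcf_key "$dst" GroupName nyp.org
    set_pcf_key "$dst" Username "$uni"
    # The client stores the group password in this file after the first
    # connection, so only root should be able to read it.
    chmod 600 "$dst"
}

# world_writable_count DIR -> number of world-writable entries under DIR
world_writable_count() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# harden_conf: drop world/group write on the config directories and make
# every profile root-only, then list anything still world-writable
# (expected: nothing). The setuid cvpnd binary is left as installed.
harden_conf() {
    for d in "$CONF" "$CONF/Profiles" "$CONF/Certificates"; do
        [ -d "$d" ] && chmod 755 "$d"
    done
    for f in "$CONF"/Profiles/*.pcf; do
        [ -f "$f" ] && chmod 600 "$f"
    done
    find "$CONF" -perm -002
}

# Usage as root: sh profile.sh --run <UNI>
if [ "${1:-}" = "--run" ]; then
    make_profile "${2:?UNI required}"
    harden_conf
fi
```

After running it, `ls -la /etc/CiscoSystemsVPNClient/Profiles` should show cpmc.pcf as `-rw-------` and the directory itself without the world-write bit the earlier listing shows; vpnclient still runs as root through the setuid cvpnd, so it can read the profile.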

  5. Test the VPN client
    To make a VPN (IPSec) connection to the CUMC network and test functionality, the VPN software is configured with a profile that lets traffic destined for the Institution go via the IPSec tunnel, while all other traffic (such as visiting web sites like Google or Yahoo) continues unencrypted directly via your ISP.

    First, start the VPN service:

    [root@dhcppc5 root]# /etc/init.d/vpnclient_init start
    Starting /usr/local/bin/vpnclient:
    Module cisco_ipsec loaded
    Done
    [root@dhcppc5 root]#

    Then, verify that it is running:

    [root@dhcppc5 root]# /etc/init.d/vpnclient_init status
    Module Size Used by Tainted: P
    cisco_ipsec 399360 0 (unused)

    cipsec0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
    BROADCAST MULTICAST MTU:1400 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:100
    RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

    [root@dhcppc5 root]#

    You now have a new, working VPN network interface. The first time you connect to the VPN concentrator, you will be asked for the Group Password.

    [root@dhcppc5 root]# vpnclient connect cpmc
    Cisco Systems VPN Client Version 3.7.3 (Rel)
    Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux

    Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686

    Enter a group password:

    Enter the group password then hit ENTER.

    Initializing the IPSec link.
    Contacting the gateway at 156.111.224.55
    User Authentication for cpmc...

    Enter Username and Password.

    Username [ ]:

    Hit ENTER to accept the default username, or if it is not correct then type in the correct login and hit ENTER. You will be prompted for a password:

    Password []:

    Type in your UNI's password. You will not receive on screen feedback as you type, so please be careful. The following output will appear:

    Authenticating user.
    Negotiating security policies.
    Securing communication channel.
    AUTHORIZED USERS ONLY.
    PLEASE LOG OFF IF YOU HAVE NOT BEEN PERMITTED TO ACCESS THE RESOURCES OF THIS NETWORK
    Do you wish to continue? (y/n): y

    Type "y" and hit ENTER to accept and continue. You have successfully connected to the concentrator.

    You will then receive information about your connection:

    Your link is secure.

    IPSec tunnel information.
    Client address: 156.111.245.1
    Server address: 156.111.224.55
    Encryption: 168-bit 3-DES
    Authentication: HMAC-SHA
    IP Compression: LZS
    NAT passthrough is inactive
    Local LAN Access is disabled

    This will remain on screen for the duration of the connection. At this point you can suspend the client to the background with CTRL-Z; then type "bg" and hit ENTER to send the application to the background. You can then see the status of the connection with the following command:

    [root@dhcppc5 root]# vpnclient stat
    Cisco Systems VPN Client Version 3.7.3 (Rel)
    Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686

    IPSec tunnel information.
    Connection Entry: cpmc
    Client address: 156.111.245.1
    Server address: 156.111.224.55
    Encryption: 168-bit 3-DES
    Authentication: HMAC-SHA
    IP Compression: LZS
    NAT passthrough is inactive
    Local LAN Access is disabled

    VPN traffic summary.
    Time connected: 0 day(s), 00:02.52
    Bytes in: 0
    Bytes out: 0
    Packets encrypted: 0
    Packets decrypted: 0
    Packets bypassed: 27
    Packets discarded: 0

    Configured routes.

    Secured Network Destination Netmask Bytes
    * 156.111.224.55 255.255.255.255 0
    156.111.0.0 255.255.0.0 0
    156.145.0.0 255.255.0.0 0
    140.251.0.0 255.255.0.0 0
    143.104.0.0 255.255.0.0 0
    10.0.0.0 255.0.0.0 0
    128.59.0.0 255.255.0.0 0
    129.236.0.0 255.255.0.0 0
    160.39.0.0 255.255.0.0 0

    [root@dhcppc5 root]#

    To disconnect:

    [root@dhcppc5 root]# vpnclient disconnect

    Cisco Systems VPN Client Version 3.7.3 (Rel)
    Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686

    Disconnecting the IPSEC link.
    Your IPSec link has been disconnected.

    [root@dhcppc5 root]# Your IPSec link has been disconnected.

    [1]+ Exit 17 vpnclient connect cpmc

    [root@dhcppc5 root]#

    To verify that traffic is flowing through the tunnel, run a simple test with a BEFORE and AFTER traceroute to a well-known host inside the institution, the PRIMARY DNS server:

    [root@dhcppc5 root]# traceroute dns1.cpmc.columbia.edu
    traceroute to dns1.cpmc.columbia.edu (156.111.60.150), 30 hops max, 38 byte packets
    1 192.168.0.1 (192.168.0.1) 3.334 ms 3.291 ms 3.213 ms
    2 10.32.51.1 (10.32.51.1) 19.808 ms 21.554 ms 21.144 ms
    3 G3-0.EDGE-RTR1.NY325.verizon-gni.net (130.81.64.66) 18.225 ms 20.235 ms 18.576 ms
    4 ge-1-2-0-0.CORE-RTR1.NY325.verizon-gni.net (130.81.4.41) 19.216ms 18.287ms 18.027 ms
    5 so-0-0-0-0.BB-RTR2.NY325.verizon-gni.net (130.81.8.45) 18.764 ms 17.661 ms 6.484 ms
    6 so-0-3-0-0.BB-RTR2.NY60.verizon-gni.net (130.81.8.54) 18.329 ms 19.767 ms 19.714 ms
    7 130.81.4.22 (130.81.4.22) 18.593 ms 20.222 ms 20.534 ms
    8 p7-1.nycmny1-cr9.bbnplanet.net (4.24.188.89) 21.114 ms 20.706 ms 21.444 ms
    9 p1-0.nycmny1-nbr1.bbnplanet.net (4.24.8.161) 21.954 ms 20.718 ms 18.725 ms
    10 p15-0.nycmny1-nbr2.bbnplanet.net (4.24.10.210) 21.289 ms 18.803 ms 17.888 ms
    11 p9-0.phlapa1-br1.bbnplanet.net (4.24.10.177) 20.469 ms 21.697 ms 20.835 ms
    12 p15-0.phlapa1-br2.bbnplanet.net (4.24.10.90) 21.650 ms 19.385 ms 18.679 ms
    13 so-0-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.185) 25.068 ms 25.113 ms 23.617 ms
    14 so-7-0-0.washdc3-nbr1.bbnplanet.net (4.24.10.29) 25.141 ms 23.407 ms 25.748 ms
    15 p2-0.washdc3-cr11.bbnplanet.net (4.24.10.22) 24.506 ms 24.552 ms 25.909 ms
    16 p3-1.a0.wash.broadwing.net (216.140.8.41) 23.530 ms 24.698 ms 26.275 ms
    17 p7-1-0.c1.wash.broadwing.net (216.140.8.93) 26.564 ms 26.359 ms 24.381 ms
    18 216.140.8.105 (216.140.8.105) 30.394 ms 32.404 ms 31.498 ms
    19 216.140.10.78 (216.140.10.78) 31.959 ms 30.831 ms 31.726 ms
    20 67.99.58.194 (67.99.58.194) 147.052 ms 121.455 ms 34.843 ms
    21 cc-edge-1.net.columbia.edu (128.59.1.1) 30.333 ms 32.877 ms 33.885 ms
    22 ph8-edge-gw.net.columbia.edu (128.59.127.19) 32.614 ms 31.415 ms 33.585 ms
    23 sb2-65c-r-vl-603-to-3.core.columbia.edu (156.111.3.52) 31.192 ms 30.294 ms 31.745 ms
    24 156.111.255.50 (156.111.255.50) 30.180 ms 29.411 ms 30.468 ms
    25 dns1.cpmc.columbia.edu (156.111.60.150) 30.314 ms 32.998 ms 33.614 ms
    [root@dhcppc5 root]#

    Now bring up the VPN connection and do the same traceroute (note that this time you are not prompted for a Group Password- this is because the client stored the value in the profile after the first time it connected):

    [root@dhcppc5 root]# vpnclient connect cpmc
    Cisco Systems VPN Client Version 3.7.3 (Rel)
    Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Linux
    Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686

    Initializing the IPSec link.
    Contacting the gateway at 156.111.224.55
    User Authentication for cpmc...

    Enter Username and Password.

    Username [ ]:
    Password []:
    Authenticating user.
    Negotiating security policies.
    Securing communication channel.
    AUTHORIZED USERS ONLY.
    PLEASE LOG OFF IF YOU HAVE NOT BEEN PERMITTED TO ACCESS THE RESOURCES OF THIS NETWORK
    Do you wish to continue? (y/n): y

    Your link is secure.

    IPSec tunnel information.
    Client address: 156.111.245.1
    Server address: 156.111.224.55
    Encryption: 168-bit 3-DES
    Authentication: HMAC-SHA
    IP Compression: LZS
    NAT passthrough is inactive
    Local LAN Access is disabled

    CTRL-Z

    [1]+ Stopped vpnclient connect cpmc
    [root@dhcppc5 root]# bg
    [1]+ vpnclient connect cpmc &
    [root@dhcppc5 root]#

    Now, the traceroute:

    [root@dhcppc5 root]# traceroute dns1.cpmc.columbia.edu
    traceroute to dns1.cpmc.columbia.edu (156.111.60.150), 30 hops max, 38 byte packets
    1 sb2-vpn-3k-1.cpmc.columbia.edu (156.111.224.55) 32.678 ms 36.999 ms 39.759 ms
    2 * * *
    3 ph1-65c-r-vl-600-to-3-5.core.columbia.edu (156.111.3.153) 35.624ms 34.036ms 33.919ms
    4 156.111.255.150 (156.111.255.150) 34.679 ms 40.637 ms 35.834 ms
    5 dns1.cpmc.columbia.edu (156.111.60.150) 35.562 ms 21.700 ms 37.290 ms
    [root@dhcppc5 root]#

    You can now see the traceroutes going through the VPN concentrator.
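The before/after comparison comes down to one observation: with the tunnel up, hop 1 is the concentrator (156.111.224.55) rather than the local router, and the path never crosses the ISP's transit network. The script below is an added example, not from the CUMC page: it extracts the hop-1 address from traceroute output and compares it with the gateway configured in the profile, so the check can be repeated after every connect without reading the whole trace. The sample traces are shortened copies of the two listings above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CUMC page: confirm from traceroute output
# that traffic to an internal host enters the IPSec tunnel. GATEWAY is
# assumed to be the Host value of the profile (156.111.224.55 on the page).
GATEWAY=${GATEWAY:-156.111.224.55}

# first_hop_ip < traceroute-output -> prints the address in parentheses on hop 1
first_hop_ip() {
    awk '$1 == "1" { if (match($0, /\([0-9.]+\)/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit } }'
}

# via_tunnel < traceroute-output -> 0 when hop 1 is the VPN gateway
via_tunnel() {
    [ "$(first_hop_ip)" = "$GATEWAY" ]
}

# check_tunnel HOST: run traceroute live and report (needs traceroute installed)
check_tunnel() {
    if traceroute "$1" 2>/dev/null | via_tunnel; then
        echo "$1: first hop is $GATEWAY, traffic is inside the tunnel"
    else
        echo "$1: first hop is not $GATEWAY, traffic is NOT inside the tunnel"
        return 1
    fi
}

# Constructed samples, abridged from the two traces shown above.
TRACE_BEFORE='traceroute to dns1.cpmc.columbia.edu (156.111.60.150), 30 hops max, 38 byte packets
 1  192.168.0.1 (192.168.0.1)  3.334 ms  3.291 ms  3.213 ms
 2  10.32.51.1 (10.32.51.1)  19.808 ms  21.554 ms  21.144 ms
 3  G3-0.EDGE-RTR1.NY325.verizon-gni.net (130.81.64.66)  18.225 ms  20.235 ms  18.576 ms'

TRACE_AFTER='traceroute to dns1.cpmc.columbia.edu (156.111.60.150), 30 hops max, 38 byte packets
 1  sb2-vpn-3k-1.cpmc.columbia.edu (156.111.224.55)  32.678 ms  36.999 ms  39.759 ms
 2  * * *
 3  ph1-65c-r-vl-600-to-3-5.core.columbia.edu (156.111.3.153)  35.624 ms  34.036 ms  33.919 ms'

# Usage: sh tunnelcheck.sh --run dns1.cpmc.columbia.edu
if [ "${1:-}" = "--run" ]; then
    check_tunnel "${2:?host required}"
fi
```

Run it against dns1.cpmc.columbia.edu once with the client backgrounded and once after `vpnclient disconnect`; the two results should differ exactly as the traces above do.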

  6. Customizing the installation
    1. Startup and Shutdown of the VPN service:
      If you chose to autostart the VPN service on startup and you have a compliant System V init setup, the installer should have installed init scripts into runlevels 3, 4 and 5.

      The files should be SOFT LINKS to the /etc/init.d/vpnclient_init script, and should look something like this:

      lrwxrwxrwx 1 root root 24 Apr 6 13:29 /etc/rc3.d/S85vpnclient_init -> ../init.d/vpnclient_init

      It will be the same for init level 4 and 5. The init level 4 will shut down the client.

      If you did not choose to start the VPN service automatically, you can start and stop it manually with any of the following methods:

      To start the service:

      [root@dhcppc5 root]# service vpnclient_init start

      To view its current status:

      [root@dhcppc5 root]# service vpnclient_init status

      To shut it down:

      [root@dhcppc5 root]# service vpnclient_init stop

      Or if you do not have a RedHat system, you can do it directly by:

      [root@dhcppc5 root]# /etc/init.d/vpnclient_init start
      [root@dhcppc5 root]# /etc/init.d/vpnclient_init status
      [root@dhcppc5 root]# /etc/init.d/vpnclient_init stop

    2. Local LAN Access
      If you want to access your local LAN while a VPN session is active, you must edit the profile to enable local LAN access:

      [root@dhcppc5 root]# vi /etc/CiscoSystemsVPNClient/Profiles/cpmc.pcf

      At the bottom of the main section, find the line that reads:

      EnableLocalLAN=0

      and change the 0 to a 1. Save the file and restart the client to access your local LAN. To verify that it is enabled, ping any of your local hosts.

    3. Firewall Issues
      If you are running iptables, ipchains, IP Filter, or similar firewall software on your system, you must make certain changes to your configuration to allow the VPN software to work.

      On a RedHat 8.0 system, you can look at the current settings of your firewall:

      [root@dhcppc5 root]# iptables -L
      Chain input (policy ACCEPT):
      target prot opt source destination ports
      ACCEPT udp ------ dns1.cpmc.columbia.edu anywhere domain -> 1025:65535
      ACCEPT tcp -y---- anywhere anywhere any -> ssh
      REJECT tcp -y---- anywhere anywhere any -> 0:1023
      Chain forward (policy ACCEPT):
      Chain output (policy ACCEPT):
      [root@dhcppc5 root]#

      Notice the INPUT policy only allows certain protocols and ports. You must allow UDP port 500 (isakmp) inbound in order for IPSec to work properly. There are a few ways to do this:
      • If you have a RedHat system, you can use the "lokkit" utility to add port 500:udp to the allowed inbound policy.
      • On another system, you may have to manually edit the iptables file(s) and/or use the "iptables" or "ipchains" tools to modify your firewall rules.

      Here are some examples of what you can do:
      Lokkit

      [root@dhcppc5 root]# lokkit

      This will bring up the lokkit tool. Select the preferred security level, then select "CUSTOMIZE". TAB over to the "Other Ports:" line and type in:

      500:udp

      Select "OK" and when you are back at the next screen make sure to select "OK" to save the settings.

      You now must reload the firewall rules or restart the firewall for your changes to take effect. You can do this two ways; on RedHat systems:

      [root@dhcppc5 root]# service iptables restart

      or

      [root@dhcppc5 root]# service ipchains restart

      On most other Linux distributions:

      [root@dhcppc5 root]# /etc/init.d/iptables restart

      This should restart the firewall with the correct entries for IPSec to work. To verify the new settings, do the following:

      [root@dhcppc5 root]# iptables -L
      Chain input (policy ACCEPT):
      target prot opt source destination ports
      ACCEPT udp ------ anywhere anywhere udp dtp:isakmp

      or

      ACCEPT udp ------ anywhere anywhere udp dtp:500

      Now test the VPN software to verify that it works. If there are problems, please refer to the "iptables" or "ipchains" manual pages to see how to use these tools.
      On other systems or other firewalls, please refer to the user manual for your operating system or software to learn how to modify your firewall rules.
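The manual route can be checked mechanically. The script below is an added example and is not from the CUMC page: it reads a saved `iptables -L` listing, decides whether an ACCEPT rule for inbound UDP 500 (isakmp) is present, and prints the iptables command to add when it is not. It prints the command rather than running it, because the rule must be inserted (`-I`) ahead of the REJECT for ports 0:1023 shown in the listing above, and that is worth reviewing before applying as root. The two sample listings are constructed from the before and after output above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the CUMC page: audit an `iptables -L` listing for
# the inbound UDP 500 (isakmp) ACCEPT rule the VPN client needs.

# has_isakmp_accept < listing -> 0 when an ACCEPT udp rule names isakmp or port 500
has_isakmp_accept() {
    grep -E '^ACCEPT[[:space:]]+udp' | grep -qE 'isakmp|:500([^0-9]|$)'
}

# needed_commands < listing -> prints the command(s) still required; prints
# nothing when the rule is already present.
needed_commands() {
    if has_isakmp_accept; then
        return 0
    fi
    # -I puts the rule at the top of INPUT, ahead of any REJECT such as the
    # "0:1023" rule in the listing above, so it is matched first.
    echo 'iptables -I INPUT -p udp --dport 500 -j ACCEPT'
    # Beyond what the page covers: with a DROP default policy the IPSec data
    # packets (ESP, IP protocol 50, or UDP 4500 when NAT traversal is in use)
    # need a rule of their own as well.
}

# audit_live: check the running firewall (needs root and iptables on the PATH)
audit_live() {
    out=$(iptables -L INPUT -n 2>/dev/null | needed_commands)
    if [ -z "$out" ]; then
        echo "isakmp rule present"
    else
        echo "missing rule; run as root:"
        echo "$out"
        return 1
    fi
}

# Constructed samples, copied from the listings shown above.
LISTING_BEFORE='Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT udp ------ dns1.cpmc.columbia.edu anywhere domain -> 1025:65535
ACCEPT tcp -y---- anywhere anywhere any -> ssh
REJECT tcp -y---- anywhere anywhere any -> 0:1023
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):'

LISTING_AFTER='Chain input (policy ACCEPT):
target prot opt source destination ports
ACCEPT udp ------ anywhere anywhere udp dtp:isakmp
ACCEPT udp ------ dns1.cpmc.columbia.edu anywhere domain -> 1025:65535
ACCEPT tcp -y---- anywhere anywhere any -> ssh
REJECT tcp -y---- anywhere anywhere any -> 0:1023
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):'

# Usage: sh fwcheck.sh --run   (or: iptables -L | sh fwcheck.sh --stdin)
case "${1:-}" in
    --run)   audit_live ;;
    --stdin) needed_commands ;;
esac
```

`iptables -L -n` prints `dpt:500` where the page's listing shows `dtp:isakmp`; the check accepts both spellings and the numeric form, so it works on the page's output and on a current system alike.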

Instructions last updated April 8, 2003


 
 