vpn under linux

Posted by JayXie

Not sure whether this still works; noting it down for now anyway.

http://kor.cpmc.columbia.edu/vpn/linux-how-to.html

Linux VPN Client HOW-TO

Installing the Cisco VPN Client under Linux

These instructions were tested on a RedHat 8.0 laptop with a custom kernel, but they should work on any Linux distribution.

The following is a summary of what you will need to do and minimum requirements…

1. Obtain the client software
2. Unpack the tarball
3. Configure the software
4. Personalize the installation
5. Test the software
6. Customizing the installation

You will need the following before we begin:

A. A working network connection. This means you should be able to connect to sites on The Internet. For example:

[root@dhcppc5 root]# ping www.yahoo.com
PING www.yahoo.akadns.net (216.109.125.70) from 192.168.0.6 : 56(84) bytes of data.
64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=1 ttl=45 time=30.7 ms
64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=2 ttl=45 time=32.0 ms
64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=3 ttl=45 time=31.2 ms
64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=4 ttl=45 time=30.5 ms
64 bytes from w17.www.dcn.yahoo.com (216.109.125.70): icmp_seq=5 ttl=45 time=31.0 ms
--- www.yahoo.akadns.net ping statistics --- 
5 packets transmitted, 5 received, 0% loss, time 4012ms
rtt min/avg/max/mdev = 30.508/31.126/32.024/0.571 ms
[root@dhcppc5 root]#  

B. Linux operating system. Kernel should be at least 2.2.x. To find out what your current system is running, do the following:

[root@dhcppc5 root]# uname -a
Linux dhcppc5 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686 i686 i386 GNU/Linux
[root@dhcppc5 root]#

The first field is the system type, the next is the current hostname, followed by the kernel version.

C. A working GNU “tar” (or another “tar” together with GNU “gzip”).

[root@dhcppc5 vpnclient]# tar --version
tar (GNU tar) 1.13.25

This version is good enough.

D. VPN Group ID and Group shared password. You can get these from the helpdesk by calling 212-305-HELP (4357)

E. A working web browser such as Mozilla, Netscape, Galeon, Konqueror or the command-line Lynx browser. Alternatively, you can use “wget” if it is available on your system. This installation uses “wget” as it is the easiest method. To see if you have “wget”, do the following:

[root@dhcppc5 vpnclient]# wget --version
GNU Wget 1.8.2

If you do not get this or a similar response, download the tarball from the URL given in step 1 with your browser instead and continue from step 2.

You are now ready to begin the installation.

1. Obtain the software

Now let’s download the software. At your terminal prompt type the following:

(Watch out for word wrap. This command is all one line…)

[root@dhcppc5 root]# wget http://kor.cpmc.columbia.edu/vpn/vpnclient-linux-3.7.3.A-k9.tar.gz

You should then see the following output:

--13:15:32-- http://kor.cpmc.columbia.edu/vpn/vpnclient-linux-3.7.3.A-k9.tar.gz
=> `vpnclient-linux-3.7.3.A-k9.tar.gz'
Resolving kor.cpmc.columbia.edu... done.
Connecting to kor.cpmc.columbia.edu[156.111.100.200]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1,192,910 [application/x-tar]

100%[====================================>] 1,192,910 80.35K/s ETA 00:00

13:15:48 (80.35 KB/s) - `vpnclient-linux-3.7.3.A-k9.tar.gz' saved [1192910/1192910]
[root@dhcppc5 root]#

Now let’s verify the downloaded file:

[root@dhcppc5 root]# ls -la vpnclient-linux-3.7.3.A-k9.tar.gz
-rw-r--r-- 1 root root 1192910 Feb 10 14:52 vpnclient-linux-3.7.3.A-k9.tar.gz
[root@dhcppc5 root]#

The size matches the 1,192,910 bytes that wget reported, so the file arrived whole. Note that this is the only check available: the download is over plain HTTP and no checksum or signature is published for the tarball, so there is nothing stronger to compare it against. Now we move on to unpacking the software.

2. Unpack the tarball

You will now unpack the compressed tarball. At the prompt, do the following:

[root@dhcppc5 root]# tar zxvf vpnclient-linux-3.7.3.A-k9.tar.gz 

This will produce the following output:

vpnclient/
vpnclient/cisco_cert_mgr
vpnclient/vpnclient
vpnclient/cvpnd
vpnclient/ipseclog
vpnclient/vpn_install
vpnclient/vpnclient_init
vpnclient/driver_build.sh
vpnclient/vpn_uninstall
vpnclient/sample.pcf
vpnclient/vpnclient.ini.in
vpnclient/license.txt
vpnclient/interceptor.c
vpnclient/linuxcniapi.c
vpnclient/linuxcniapi.h
vpnclient/vpn_ioctl_linux.h
vpnclient/IPSecDrvOS_linux.c
vpnclient/linux_os.h
vpnclient/frag.h
vpnclient/frag.c
vpnclient/GenDefs.h
vpnclient/mtu.h
vpnclient/IPSecDrvOSFunctions.h
vpnclient/IPSecDrvOS_linux.h
vpnclient/Cniapi.h
vpnclient/config.h
vpnclient/libdriver.so
[root@dhcppc5 root]# 

If you do not get this output and instead you get errors, you probably do not have GNU “tar” installed or it is an older version which does not support GZIP compressed tarballs. You can use “gzip -d file.tar.gz” to uncompress the tarball and then “tar -xvf file.tar” to untar the tarball.

3. Configure the software

Now you can configure the software. Change directory to the newly created VPNCLIENT directory:

[root@dhcppc5 root]# cd vpnclient
[root@dhcppc5 vpnclient]# 

Type “ls” to see the files within:

[root@dhcppc5 vpnclient]# ls
cisco_cert_mgr   frag.h                  ipseclog       mtu.h              vpn_ioctl_linux.h
Cniapi.h         GenDefs.h               libdriver.so   sample.pcf         vpn_uninstall
config.h         interceptor.c           license.txt    vpnclient
cvpnd            IPSecDrvOSFunctions.h   linuxcniapi.c  vpnclient.ini.in
driver_build.sh  IPSecDrvOS_linux.c      linuxcniapi.h  vpnclient_init
frag.c           IPSecDrvOS_linux.h      linux_os.h     vpn_install
[root@dhcppc5 vpnclient]#

Good, we are now ready to run the VPN Client Install utility. At the prompt, type the following:

[root@dhcppc5 vpnclient]# ./vpn_install 

This will begin the Cisco VPN Client install utility which is menu driven. I will go through each of the prompts and explain what needs to be done at each step.

Cisco Systems VPN Client Version 3.7.3 (Rel) Linux Installer
Copyright (C) 1998-2001 Cisco Systems, Inc. All Rights Reserved.
By installing this product you agree that you have read the
license.txt file (The VPN Client license) and will comply with its terms.
Directory where binaries will be installed [/usr/local/bin]

Take the default (hit ENTER)

Automatically start the VPN service at boot time [yes]

I would say yes to this (hit ENTER for the default), but it is up to you if you want to start it manually. I explain how further down the document.

Next you will see:

In order to build the VPN kernel module, you must have the
kernel headers for the version of the kernel you are running.
For RedHat 6.x users these files are installed in /usr/src/linux by default
For RedHat 7.x users these files are installed in /usr/src/linux-2.4 by default
For Suse 7.3 users these files are installed in /usr/src/linux-2.4.10.SuSE by default
Directory containing linux kernel source code [/lib/modules/2.4.18-14custom/build]

The installer is pretty good at figuring out what the running kernel is and where the source files are. If it is correct for your installation go ahead and hit ENTER.

You now will get a summary of what you just answered and you should verify the settings are correct. If so, hit ENTER to take the default:

* Binaries will be installed in "/usr/local/bin".
* Modules will be installed in "/lib/modules/2.4.18-14custom/CiscoVPN".
* The VPN service will be started AUTOMATICALLY at boot time.
* Kernel source from "/lib/modules/2.4.18-14custom/build" will be used to build the module.
Is the above correct [y]
Shutting down /usr/local/bin/vpnclient: Done
Stopped: /etc/init.d/vpnclient_init (VPN init script)
Making module
Copying module to directory "/lib/modules/2.4.18-14custom/CiscoVPN".
Creating start/stop script "/etc/init.d/vpnclient_init".
Enabling start/stop script for run level 3,4 and 5.
Updating VPN configuration file "/etc/CiscoSystemsVPNClient/vpnclient.ini".
Installing license.txt (VPN Client license) in "/etc/CiscoSystemsVPNClient/":
Installing bundled user profiles in "/etc/CiscoSystemsVPNClient/Profiles/":
Copying binaries to directory "/usr/local/bin".

Setting permissions.
/usr/local/bin/cvpnd (setuid root)
/etc/CiscoSystemsVPNClient (world writeable)
/etc/CiscoSystemsVPNClient/Profiles (world writeable)
/etc/CiscoSystemsVPNClient/Certificates (world writeable)
* You may wish to change these permissions to restrict access to root.
* You must run "/etc/init.d/vpnclient_init start" before using the client.
* This script will be run AUTOMATICALLY every time you reboot your computer.
[root@dhcppc5 vpnclient]#

We are almost done. Now we will need to configure the client with a profile for connecting to the VPN concentrator and making a secure IPSec connection.

Let’s first copy the sample profile to the one we will be using:

[root@dhcppc5 vpnclient]# cd /etc/CiscoSystemsVPNClient/Profiles/
[root@dhcppc5 Profiles]# cp sample.pcf cpmc.pcf
[root@dhcppc5 Profiles]# 
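The installer’s own note about permissions deserves action before the first connection: cvpnd is installed setuid root, the three directories under /etc/CiscoSystemsVPNClient are left world-writable, and (as step 5 shows) the client writes the group password back into the profile after the first connect. The script below is an added example, not part of this HOW-TO or of Cisco’s package. It takes the directory as an argument so it can be rehearsed on a scratch copy, and assumes only that the files are already root-owned, as the ls output in step 4 shows; the demo at the bottom builds a constructed scratch tree and never touches /etc.

```shell
#!/bin/sh
# Added example: tighten what the Cisco installer leaves world-writable.
# Usage (as root): harden_vpn_dir /etc/CiscoSystemsVPNClient

harden_vpn_dir() {
    dir="$1"
    [ -d "$dir" ] || { echo "harden_vpn_dir: no such directory: $dir" >&2; return 1; }

    # The installer sets the config dir, Profiles/ and Certificates/ to 0777.
    # Strip the world-write bit from every entry beneath the tree: cvpnd runs
    # setuid root and reads these files, so no unprivileged user should be
    # able to change them.
    find "$dir" -exec chmod o-w {} +

    # Profiles (*.pcf) hold the group name, the username and, once the client
    # has connected once, the stored group password: root-only.
    find "$dir" -type f -name '*.pcf' -exec chmod 0600 {} +

    # Certificates/ may hold private keys; same treatment for the directory.
    [ -d "$dir/Certificates" ] && chmod 0700 "$dir/Certificates"

    # Print how many entries are still world-writable (expected: 0).
    find "$dir" -perm -0002 | wc -l | tr -d ' '
}

# Count profiles readable by group or others (expected 0 after hardening).
exposed_profiles() {
    find "$1" -type f -name '*.pcf' \( -perm -0040 -o -perm -0004 \) | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed scratch tree that mimics the installer's
# layout and modes; nothing here touches /etc.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/Profiles" "$demo_dir/Certificates"
printf '[main]\nHost=156.111.224.55\nGroupName=nyp.org\n' > "$demo_dir/Profiles/cpmc.pcf"
chmod 0777 "$demo_dir" "$demo_dir/Profiles" "$demo_dir/Certificates"
chmod 0666 "$demo_dir/Profiles/cpmc.pcf"
echo "exposed profiles before: $(exposed_profiles "$demo_dir")"
echo "world-writable entries after: $(harden_vpn_dir "$demo_dir")"
echo "exposed profiles after: $(exposed_profiles "$demo_dir")"
rm -rf "$demo_dir"
```

Run it once as root against /etc/CiscoSystemsVPNClient after the install and again after the first connection has stored the group password; the only thing the client needs is for root (which cvpnd becomes) to be able to read the files.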

4. Personalize the installation

Now we must edit the newly created profile. I use the “vi” editor but you can use any text editor you choose. Here is what the file looks like when you first open it:

[root@dhcppc5 Profiles]# vi cpmc.pcf 
[main]
Description=sample user profile
Host=10.212.20.52
AuthType=1
GroupName=monkeys
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=chimchim
SaveUserPassword=0
EnableBackup=0
BackupServer=
EnableNat=0
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
DHGroup=2
ForceKeepAlives=0 

In the [main] section of the file, change the following lines:

Description=CPMC VPN Concentrator
Host=156.111.224.55
GroupName=nyp.org
Username=abc9001 

Replace username “abc9001” with your actual UID, which is either your email UID or the one provided to you when you applied for a VPN account.

Save the file. Once it is saved, make sure the file name is correct and look at the permissions:

[root@dhcppc5 Profiles]# ls -la
total 16
drwxrwxrwx 2 root root 4096 Apr 6 13:56 .
drwxrwxrwx 4 root root 4096 Apr 6 13:29 ..
-rw-r--r-- 1 root root 691 Apr 6 13:35 cpmc.pcf
-rw-rw-rw- 1 root root 349 Apr 6 13:29 sample.pcf
[root@dhcppc5 Profiles]#

The file name is right, but note what the installer left behind: the Profiles directory is world-writable and cpmc.pcf is world-readable. The client will write the group password into this file after the first successful connection (see step 5), so restrict the directory and the profile to root before that happens, as the installer itself suggested.

Looks good. We are now ready to fire up the VPN service and start a client session.

5. Testing the VPN client

Now we will actually make a VPN (IPSec) connection to our network and test functionality. The session is split-tunnelled: traffic destined for the Institution’s networks (listed under “Configured routes” in the status output further down) goes via the IPSec tunnel, while all other traffic (connections to Google, CNN or Yahoo, for example) continues unencrypted directly via your ISP.

Lets start the VPN service:

[root@dhcppc5 root]# /etc/init.d/vpnclient_init start
Starting /usr/local/bin/vpnclient:
Module cisco_ipsec loaded
Done
[root@dhcppc5 root]# 

Let us verify that it is running:

[root@dhcppc5 root]# /etc/init.d/vpnclient_init status
Module Size Used by Tainted: P
cisco_ipsec 399360 0 (unused) 
cipsec0 Link encap:Ethernet HWaddr 00:00:00:00:00:00
BROADCAST MULTICAST MTU:1400 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) 
[root@dhcppc5 root]# 

Looks good, we have a new working VPN network interface. Lets now make our connection to the VPN concentrator. The first time you connect, you will be asked for the Group Password. This was provided to you by the helpdesk. If you do not have it, please contact the helpdesk for it.

[root@dhcppc5 root]# vpnclient connect cpmc
Cisco Systems VPN Client Version 3.7.3 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686
Enter a group password:
Enter the group password then hit ENTER
Initializing the IPSec link.
Contacting the gateway at 156.111.224.55
User Authentication for cpmc...
Enter Username and Password.
Username [abc9001]:

Hit ENTER to accept the default, or type in the correct ID first if it is not right. You will then be prompted for a password:

Password []:

Type your password. Nothing is echoed as you type, so be careful. You will now see the following output:

Authenticating user.
Negotiating security policies.
Securing communication channel.
AUTHORIZED USERS ONLY.
PLEASE LOG OFF IF YOU HAVE NOT BEEN PERMITTED TO ACCESS THE RESOURCES OF THIS NETWORK
Do you wish to continue? (y/n): y

Type "y" and hit ENTER to accept the banner and continue. You will then receive information about your connection:

You have successfully connected to the concentrator.
Your link is secure.
IPSec tunnel information.
Client address: 156.111.245.1
Server address: 156.111.224.55
Encryption: 168-bit 3-DES
Authentication: HMAC-SHA
IP Compression: LZS
NAT passthrough is inactive
Local LAN Access is disabled

This will remain on screen for the duration of the connection. At this point you can suspend the client to the background with CTRL-Z; then type “bg” and hit ENTER to send the application to the background. You can then see the status of the connection with the following command:

[root@dhcppc5 root]# vpnclient stat
Cisco Systems VPN Client Version 3.7.3 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686
IPSec tunnel information.
Connection Entry: cpmc
Client address: 156.111.245.1
Server address: 156.111.224.55
Encryption: 168-bit 3-DES
Authentication: HMAC-SHA
IP Compression: LZS
NAT passthrough is inactive
Local LAN Access is disabled 
VPN traffic summary.
Time connected: 0 day(s), 00:02.52
Bytes in: 0
Bytes out: 0
Packets encrypted: 0
Packets decrypted: 0
Packets bypassed: 27
Packets discarded: 0 
Configured routes.
Secured Network Destination Netmask Bytes
* 156.111.224.55 255.255.255.255 0
156.111.0.0 255.255.0.0 0
156.145.0.0 255.255.0.0 0
140.251.0.0 255.255.0.0 0
143.104.0.0 255.255.0.0 0
10.0.0.0 255.0.0.0 0
128.59.0.0 255.255.0.0 0
129.236.0.0 255.255.0.0 0
160.39.0.0 255.255.0.0 0 
[root@dhcppc5 root]# 

To disconnect the connection, do the following:

[root@dhcppc5 root]# vpnclient disconnect 
Cisco Systems VPN Client Version 3.7.3 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686 
Disconnecting the IPSEC link.
Your IPSec link has been disconnected. 
[root@dhcppc5 root]# Your IPSec link has been disconnected. 
[1]+ Exit 17 vpnclient connect cpmc 
[root@dhcppc5 root]# 

To verify if traffic is flowing through the tunnel, let’s do a simple test. We will do a BEFORE and AFTER traceroute to a well known host inside the institution; our PRIMARY DNS server:

[root@dhcppc5 root]# traceroute dns1.cpmc.columbia.edu
traceroute to dns1.cpmc.columbia.edu (156.111.60.150), 30 hops max, 38 byte packets
1 192.168.0.1 (192.168.0.1) 3.334 ms 3.291 ms 3.213 ms
2 10.32.51.1 (10.32.51.1) 19.808 ms 21.554 ms 21.144 ms
3 G3-0.EDGE-RTR1.NY325.verizon-gni.net (130.81.64.66) 18.225 ms 20.235 ms 18.576 ms
4 ge-1-2-0-0.CORE-RTR1.NY325.verizon-gni.net (130.81.4.41) 19.216ms 18.287ms 18.027 ms
5 so-0-0-0-0.BB-RTR2.NY325.verizon-gni.net (130.81.8.45) 18.764 ms 17.661 ms 6.484 ms
6 so-0-3-0-0.BB-RTR2.NY60.verizon-gni.net (130.81.8.54) 18.329 ms 19.767 ms 19.714 ms
7 130.81.4.22 (130.81.4.22) 18.593 ms 20.222 ms 20.534 ms
8 p7-1.nycmny1-cr9.bbnplanet.net (4.24.188.89) 21.114 ms 20.706 ms 21.444 ms
9 p1-0.nycmny1-nbr1.bbnplanet.net (4.24.8.161) 21.954 ms 20.718 ms 18.725 ms
10 p15-0.nycmny1-nbr2.bbnplanet.net (4.24.10.210) 21.289 ms 18.803 ms 17.888 ms
11 p9-0.phlapa1-br1.bbnplanet.net (4.24.10.177) 20.469 ms 21.697 ms 20.835 ms
12 p15-0.phlapa1-br2.bbnplanet.net (4.24.10.90) 21.650 ms 19.385 ms 18.679 ms
13 so-0-0-0.washdc3-nbr2.bbnplanet.net (4.24.10.185) 25.068 ms 25.113 ms 23.617 ms
14 so-7-0-0.washdc3-nbr1.bbnplanet.net (4.24.10.29) 25.141 ms 23.407 ms 25.748 ms
15 p2-0.washdc3-cr11.bbnplanet.net (4.24.10.22) 24.506 ms 24.552 ms 25.909 ms
16 p3-1.a0.wash.broadwing.net (216.140.8.41) 23.530 ms 24.698 ms 26.275 ms
17 p7-1-0.c1.wash.broadwing.net (216.140.8.93) 26.564 ms 26.359 ms 24.381 ms
18 216.140.8.105 (216.140.8.105) 30.394 ms 32.404 ms 31.498 ms
19 216.140.10.78 (216.140.10.78) 31.959 ms 30.831 ms 31.726 ms
20 67.99.58.194 (67.99.58.194) 147.052 ms 121.455 ms 34.843 ms
21 cc-edge-1.net.columbia.edu (128.59.1.1) 30.333 ms 32.877 ms 33.885 ms
22 ph8-edge-gw.net.columbia.edu (128.59.127.19) 32.614 ms 31.415 ms 33.585 ms
23 sb2-65c-r-vl-603-to-3.core.columbia.edu (156.111.3.52) 31.192 ms 30.294 ms 31.745 ms
24 156.111.255.50 (156.111.255.50) 30.180 ms 29.411 ms 30.468 ms
25 dns1.cpmc.columbia.edu (156.111.60.150) 30.314 ms 32.998 ms 33.614 ms
[root@dhcppc5 root]# 

Now we will bring up our VPN connection and do the same traceroute:

(Note that this time we were not prompted for a group password: the client stored it in the profile after the first connection, which is one more reason to keep the Profiles directory and its .pcf files readable by root only.)

[root@dhcppc5 root]# vpnclient connect cpmc
Cisco Systems VPN Client Version 3.7.3 (Rel)
Copyright (C) 1998-2002 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Linux
Running on: Linux 2.4.18-14custom #3 Sun Mar 30 07:18:12 EST 2003 i686 
Initializing the IPSec link.
Contacting the gateway at 156.111.224.55
User Authentication for cpmc... 
Enter Username and Password. 
Username [abc9001]:
Password []:
Authenticating user.
Negotiating security policies.
Securing communication channel.
AUTHORIZED USERS ONLY. PLEASE LOG OFF IF YOU HAVE NOT BEEN PERMITTED TO ACCESS
THE RESOURCES OF THIS NETWORK Do you wish to continue? (y/n): y 
Your link is secure. 
IPSec tunnel information.
Client address: 156.111.245.1
Server address: 156.111.224.55
Encryption: 168-bit 3-DES
Authentication: HMAC-SHA
IP Compression: LZS
NAT passthrough is inactive
Local LAN Access is disabled 
CTRL-Z
[1]+ Stopped vpnclient connect cpmc
[root@dhcppc5 root]# bg
[1]+ vpnclient connect cpmc &
[root@dhcppc5 root]# 

Now the traceroute:

[root@dhcppc5 root]# traceroute dns1.cpmc.columbia.edu
traceroute to dns1.cpmc.columbia.edu (156.111.60.150), 30 hops max, 38 byte packets
1 sb2-vpn-3k-1.cpmc.columbia.edu (156.111.224.55) 32.678 ms 36.999 ms 39.759 ms
2 * * *
3 ph1-65c-r-vl-600-to-3-5.core.columbia.edu (156.111.3.153) 35.624ms 34.036ms 33.919ms
4 156.111.255.150 (156.111.255.150) 34.679 ms 40.637 ms 35.834 ms
5 dns1.cpmc.columbia.edu (156.111.60.150) 35.562 ms 21.700 ms 37.290 ms
[root@dhcppc5 root]# 

We now see the traceroutes going through the VPN concentrator.

6. Customizing the installation

  • A. Startup and shutdown of the VPN service
  • B. Local LAN Access
  • C. Firewall Issues

A. Startup and Shutdown of the VPN service

If you chose to autostart the VPN service on startup and you have a compliant SYSTEM V Init setup, the installer should have installed init scripts into Runlevels 3, 4 and 5.

The files are symbolic links to the /etc/init.d/vpnclient_init script and look like this:

lrwxrwxrwx 1 root root 24 Apr 6 13:29 /etc/rc3.d/S85vpnclient_init -> ../init.d/vpnclient_init

Runlevels 4 and 5 get the same link; the script’s stop action is run when the system leaves those runlevels.

If you did not choose to start the VPN service automatically, you can start and stop it manually with any of the following methods:

To start the service:

[root@dhcppc5 root]# service vpnclient_init start

To view its current status:

[root@dhcppc5 root]# service vpnclient_init status

To shut it down:

[root@dhcppc5 root]# service vpnclient_init stop

Or if you do not have a RedHat system, you can do it directly by:

[root@dhcppc5 root]# /etc/init.d/vpnclient_init start
[root@dhcppc5 root]# /etc/init.d/vpnclient_init status
[root@dhcppc5 root]# /etc/init.d/vpnclient_init stop

B. Local LAN Access

If you want to reach hosts on your local LAN while a VPN session is active, you need to edit your profile to enable local LAN access:

[root@dhcppc5 root]# vi /etc/CiscoSystemsVPNClient/Profiles/cpmc.pcf

At the bottom of the [main] section, find the line that reads:

EnableLocalLAN=0

and change the 0 to a 1. Save the file and reconnect the client. To verify that it is enabled, ping any of your local hosts. Bear in mind that this widens the split tunnel: while the machine holds an address inside the Institution’s network it is also reachable from the local network, so enable it only on a network you trust.

C. Firewall Issues

If you are running iptables, ipchains, IP Filter or similar firewall software on your workstation or laptop, you must make certain changes to your configuration to allow the VPN software to work.

On the RedHat 8.0 system used here, the current firewall settings looked like this (note the lowercase chain names and the “ports” column: this is the ipchains listing format, which RedHat 8.0 still supported through its ipchains compatibility module; a native iptables ruleset lists chains named INPUT, FORWARD and OUTPUT and shows ports as “udp dpt:500”):

[root@dhcppc5 root]# iptables -L
Chain input (policy ACCEPT):
target        prot opt      source                           destination           ports
ACCEPT     udp  ------  dns1.cpmc.columbia.edu anywhere             domain -> 1025:65535
ACCEPT     tcp   -y----  anywhere                      anywhere             any ->   ssh
REJECT      tcp   -y----  anywhere                      anywhere             any ->   0:1023
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):
[root@dhcppc5 root]#

Notice that the input chain restricts inbound traffic by protocol and port. IKE negotiation arrives on UDP port 500 (isakmp), so that must be allowed inbound for IPSec to work. The tunnelled traffic itself is ESP (IP protocol 50) as long as the client reports “NAT passthrough is inactive”, so make sure your rules pass that as well, and where the tool allows it limit both rules to the concentrator’s address rather than “anywhere”.

There are a couple of ways to do this. If you have a RedHat system, you can use the “lokkit” utility to add port 500:udp to the allowed inbound policy. On another system, you may have to manually edit the iptables file(s) and/or use the “iptables” or “ipchains” tools to modify your firewall rules. Here are some examples of what you can do:

Lokkit

[root@dhcppc5 root]# lokkit

This will bring up the lokkit tool. Select the security level you prefer, then select “CUSTOMIZE”. TAB over to the “Other Ports:” line and type in:

500:udp

Select “OK” and when you are back at the next screen make sure you select “OK” to save the settings.

You now must reload the firewall rules or restart the firewall for your changes to take effect. You can do this two ways; on RedHat systems:

[root@dhcppc5 root]# service iptables restart

or

[root@dhcppc5 root]# service ipchains restart

or on most other Linux distributions

[root@dhcppc5 root]# /etc/init.d/iptables restart

This should restart the firewall with the correct entries for IPSec to work. To verify the new settings, list the rules again and look for the isakmp entry (again shown here in ipchains listing format):

[root@dhcppc5 root]# iptables -L
Chain input (policy ACCEPT):
target        prot opt     source                destination           ports
ACCEPT     udp  ------  anywhere           anywhere            udp dpt:isakmp

or, if the port is shown numerically,

ACCEPT     udp ------ anywhere             anywhere            udp dpt:500

Now test your VPN software and see if it works. If you are still having problems, please refer to the “iptables” or “ipchains” manual pages to see how to use these tools.

On other systems or other firewalls, please refer to the user manual for your operating system or software to learn how to modify your firewall rules.
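For a native iptables setup, the following is an added example of the two rules the section above calls for, scoped to the concentrator rather than “anywhere”, together with a check that reads an “iptables -L -n” listing and confirms both are present. It is not from the HOW-TO or from Cisco; the gateway address is the one from the profile above, while the INPUT chain name and the standard IKE NAT-T port 4500 are assumptions about the local setup. The listing it checks in the demo is constructed, not captured.

```shell
#!/bin/sh
# Added example (not part of the HOW-TO): client-side iptables rules for the
# Cisco IPSec client, limited to the concentrator, plus a check that reads an
# `iptables -L -n` listing and confirms the rules are loaded.

# Print the rules for gateway $1 instead of applying them, so they can be
# reviewed first (pipe to `sh` as root to apply).
vpn_client_rules() {
    gw="$1"
    # IKE (ISAKMP) control channel, UDP/500, accepted only from the concentrator.
    printf 'iptables -A INPUT -p udp -s %s --dport 500 -j ACCEPT\n' "$gw"
    # The tunnel itself is ESP (IP protocol 50): the "NAT passthrough is
    # inactive" line in `vpnclient stat` means packets are not UDP-wrapped.
    printf 'iptables -A INPUT -p esp -s %s -j ACCEPT\n' "$gw"
    # If NAT traversal is ever enabled, IKE and ESP move to UDP/4500 (assumed
    # standard NAT-T port; the concentrator may be configured differently).
    printf 'iptables -A INPUT -p udp -s %s --dport 4500 -j ACCEPT\n' "$gw"
}

# Read an `iptables -L -n` listing on stdin; succeed only if an ACCEPT rule for
# UDP destination port 500 and one for ESP are both present.
vpn_rules_present() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -E '^ACCEPT +udp .*dpt:500( |$)' >/dev/null || return 1
    printf '%s\n' "$listing" | grep -E '^ACCEPT +(esp|50) ' >/dev/null || return 1
}

# Stand-alone demo: show the rules, then check a constructed listing that
# mimics `iptables -L INPUT -n` after they have been loaded.
vpn_client_rules 156.111.224.55
sample_listing='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  156.111.224.55       0.0.0.0/0            udp dpt:500
ACCEPT     esp  --  156.111.224.55       0.0.0.0/0
ACCEPT     udp  --  156.111.224.55       0.0.0.0/0            udp dpt:4500'
if printf '%s\n' "$sample_listing" | vpn_rules_present; then
    echo "IPSec rules present"
else
    echo "IPSec rules missing"
fi
```

Because the rules carry a source address, a stray IKE packet from anywhere else is still rejected by whatever policy follows them; on a laptop that roams between networks this matters more than it does on a desk machine behind the Institution’s own border.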

That’s it!

One Response to “vpn under linux”

  1. Zhang L.P. Says:

    I’ve been using it all along, hehe
