Does anybody have an idea how to "translate" the SnapGear VPN
connection described below to m0n0wall?
Especially the iptables settings below!
The SnapGear can interoperate with the Sabre Group's travel agency technology.
Setup Guidelines for Interoperating the SnapGear(TM) with the SABRE(R)
SnapGear firmware: v.1.6.1
1. Example Network Setup:
Nortel Contivity Switch (Sabre side) <==== IPSec tunnel ====> SnapGear
SnapGear: dynamic IP address, initiates the IPSec connection
2. SnapGear IPSec Setup Web Page:
Enable IPSec: Checked
IPSec Interfaces: Default route
Add Connection Web Page:
Connection Name: Sabre_to_SnapGear
Use Aggressive Mode: Checked
Local end (the SnapGear):
Internal subnet/netmask: xxx.xxx.xxx.xxx/255.255.255.255
(This is the aliased interface given by Sabre)
External IP: Default route chosen
Authentication Identifier: @username_given_by_Sabre
Remote end (the Sabre Nortel Contivity Switch):
Internal subnet/netmask: 220.127.116.11/255.255.255.0
External IP: etdvpn.sabre.com
Authentication Identifier: leave blank
Dead Peer Detection:
Use Dead Peer Detection: Checked
Delay (s): 9
Timeout (s): 30
Authentication Method for Automatic Keying (IKE)
Select Using a Pre-Shared Secret - (recommended)
*Note: the Authentication Identifier must begin with "@". The "@" marks the
identifier as a literal name, so no DNS lookup is performed on it.
Automatic Keying (IKE) Setup
Automatically enable connection when IPSec is started: Checked
Aggressive Mode Phase 1 Settings
Diffie-Hellman Group: 1 (MODP-768)
Select ESP Encryption.
Type in the preshared secret given by Sabre.
Key Lifetime (hr): 1
Enable Perfect Forward Secrecy of keys: Unchecked
Negotiate Connection Attempts: Never Give Up.
3. Setup Additional Firewall Rules.
Go to the "Rule" link under the Firewall heading on the side menu
of the SnapGear's configuration web page. Select the "Custom firewall
rules are in addition to builtin rules" option and add the following
rule (as a single line) in the text box below:
iptables -t nat -I POSTROUTING -d 18.104.22.168/255.255.255.0 -s 192.168.160.0/255.255.255.0 -j SNAT --to-source xxx.xxx.xxx.xxx
Where xxx.xxx.xxx.xxx is the aliased interface given by Sabre.
Click Submit. As written, only packets with a source address in
192.168.160.0/24 are translated and allowed through the tunnel; removing
"-s 192.168.160.0/255.255.255.0" from the above line will allow any host
to have access to the tunnel.
4. Save the config and then try to ping from a host on the Internal
LAN behind the SnapGear to a host on the Internal LAN behind the
Nortel Contivity Switch.
5. You will also need to run the application used to synchronise host
printing from Sabre on a host behind the SnapGear. This application
sends keep-alive packets over the tunnel, which prevents the Nortel
Contivity Switch from disconnecting the tunnel after an idle period.
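The following is an added example, not code from the SnapGear guide, Sabre or m0n0wall. It renders the settings from steps 2 and 3 as an Openswan/FreeS/WAN-style ipsec.conf stanza and the matching SNAT rule, converts the SnapGear form's dotted netmasks to the CIDR prefixes that ipsec.conf and the m0n0wall IPsec page use, and shows which LAN hosts the "-s" match lets into the tunnel. The keyword names follow Openswan conventions (an assumption, since the page does not name the SnapGear's IPsec stack); the alias address, identifier and Sabre-side subnet are constructed placeholders. One caveat for anyone rebuilding this: DH group 1 (MODP-768) with no PFS is what the Sabre side accepts, not a recommendation, and is considered weak today.

```shell
#!/bin/sh
# Added example, not from the SnapGear guide, Sabre or m0n0wall: render the
# settings from steps 2 and 3 as an Openswan/FreeS/WAN-style ipsec.conf
# stanza plus the matching SNAT rule, and show which LAN hosts are let in.
# Keyword names are Openswan conventions (assumption: the page does not name
# the SnapGear's IPsec stack). Placeholder values below are constructed.

ALIAS_IP="203.0.113.10"        # assumed: the "aliased interface given by Sabre"
SABRE_ID="@sabre_user"         # assumed: identifier issued by Sabre
LAN_NET="192.168.160.0/24"     # LAN allowed into the tunnel (from the guide)
REMOTE_GW="etdvpn.sabre.com"   # Sabre gateway (from the guide)
REMOTE_NET="192.0.2.0/24"      # assumed: Sabre-side subnet behind the Contivity

# Dotted netmask (SnapGear form) -> prefix length (ipsec.conf, m0n0wall).
# Non-contiguous masks such as 255.0.255.0 are rejected.
mask_to_prefix() {
    bits=0; partial_seen=0
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in
            255) n=8;; 254) n=7;; 252) n=6;; 248) n=5;; 240) n=4;;
            224) n=3;; 192) n=2;; 128) n=1;; 0) n=0;;
            *) return 1;;
        esac
        # once an octet is not 255, every later octet must be 0
        if [ $partial_seen -eq 1 ] && [ $n -ne 0 ]; then return 1; fi
        if [ $n -lt 8 ]; then partial_seen=1; fi
        bits=$((bits + n))
    done
    echo $bits
}

# Dotted IPv4 address -> 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when $1 (an address) lies inside $2 (a CIDR network).
in_subnet() {
    net=${2%/*}; plen=${2#*/}
    if [ "$plen" -eq 0 ]; then mask=0
    else mask=$(( (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF )); fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Step 3's rule. An empty $2 gives the guide's "any host" variant, which
# drops the source restriction and lets every host reach the tunnel.
snat_rule() {
    if [ -n "$2" ]; then
        printf 'iptables -t nat -I POSTROUTING -d %s -s %s -j SNAT --to-source %s\n' "$1" "$2" "$3"
    else
        printf 'iptables -t nat -I POSTROUTING -d %s -j SNAT --to-source %s\n' "$1" "$3"
    fi
}

# Step 2's connection: $1 alias, $2 identifier, $3 gateway, $4 remote subnet.
# leftsubnet is the single aliased address, which is why the SNAT is needed:
# LAN packets must leave with that source address or they do not match the
# policy and are not tunneled. Group 1 is MODP-768; the 3DES/MD5 pair is an
# assumption, the guide only says "ESP".
ipsec_conn() {
    cat <<EOF
conn Sabre_to_SnapGear
    left=%defaultroute
    leftid=$2
    leftsubnet=$1/32
    right=$3
    rightsubnet=$4
    authby=secret
    aggrmode=yes
    ike=3des-md5-modp768
    pfs=no
    ikelifetime=1h
    keyingtries=%forever
    dpddelay=9
    dpdtimeout=30
    dpdaction=restart
    auto=start
EOF
}

# Demonstration with the placeholders above.
echo "local selector prefix: /$(mask_to_prefix 255.255.255.255)"
ipsec_conn "$ALIAS_IP" "$SABRE_ID" "$REMOTE_GW" "$REMOTE_NET"
snat_rule "$REMOTE_NET" "$LAN_NET" "$ALIAS_IP"
for h in 192.168.160.25 192.168.161.25; do
    if in_subnet "$h" "$LAN_NET"; then
        echo "$h: matched by -s, translated to $ALIAS_IP, enters the tunnel"
    else
        echo "$h: outside $LAN_NET, not translated, not tunneled"
    fi
done
```

Run it as-is to see the stanza and rule for the placeholders, or call `mask_to_prefix 255.255.255.0` when transcribing the SnapGear form into a field that wants a prefix length. The `in_subnet` check makes the step 3 caveat concrete: a host outside 192.168.160.0/24 is never translated to the alias, so it never matches the /32 selector and simply does not reach Sabre.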