[ previous ] [ next ] [ threads ]
 From:  Alen Stimec <alenstimec at gmail dot com>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  MonoWall IPSEC pls. Help
 Date:  Tue, 29 Nov 2005 09:31:58 +0200
does anybode have an idea how to "translate the SnapGear" VPN
connection described below to m0n0Wall?

Especialy the Iptables settings below!
iptables -t nat -I POSTROUTING -d -s -j SNAT --to-source xxx.xxx.xxx.xxx

Allenp.s. Im trying to get some help from the mailing list, so far my tryes 
were unsucesfull. :(

The SnapGear can interoperate with the Sabre Group's travel agency 

Setup Guidelines for Interoperating the SnapGear(TM) with the SABRE(R)
Group Network.
Date: 30-05-2002
SnapGear firmware: v.1.6.1
1. Example Network Setup:

        Internal LAN
   Nortel Contivity Switch
    (Dynamic IP Address)
         SnapGear (initiating the IPSec connection)
        Internal LAN

2. SnapGear IPSec Setup Web Page:

        Enable IPSec: Checked
        IPSec Interfaces: Default route

 Add Connection Web Page:
        General Setup.
                Connection Name: Sabre_to_SnapGear
                Use Aggressive Mode: Checked
        Local Gateway.
                Internal subnet/netmask: xxx.xxx.xxx.xxx/
                (This is the aliased interface given by Sabre)
                External IP: Default route chosen
                Authentication Identifier: @username_given_by_Sabre
        Remote Gateway.
                Internal subnet/netmask:
                External IP: etdvpn.sabre.com
                Authentication Identifier: leave blank
        Dead Peer Detection.
                Use Dead Peer Detection: Checked
                Delay (s): 9s
                Timeout (s): 30s
        Authentication Method for Automatic Keying (IKE)
                Select Using a Pre-Shared Secret - (recommended)

        *Note: the Authentication Identifier must begin with a "@". This is 
        indicate that DNS lookups on the identifier must not be performed.

 Automatic Keying (IKE) Setup
        Automatic Startup.
                Automatically enable connection when IPSec is started: 
        Aggressive Mode Phase 1 Settings
                Cipher: DES
                Diffie Helman Group: 1
                Hash: MD5
                Select ESP Encryption.
                Type in the preshared secret given by Sabre.
        Key Configuration.
                Key Lifetime (hr): 1
                Enable Perfect Forward Secrecy of keys: Unchecked
                Negotiate Connection Attempts:  Never Give Up.

3. Setup Additional Firewall Rules.

        Go to the "Rule" link under the Firewall heading on the side menu
        of the SnapGear's configuration web page. Select the "Custom 
        rules are in addition to builtin rules" option and add the following
        rule in the text box below:

        iptables -t nat -I POSTROUTING -d -s -j SNAT --to-source xxx.xxx.xxx.xxx

        (print as one line)

        Where xxx.xxx.xxx.xxx is the aliased interface given by Sabre.

        Click Submit. Removing "-s" in the
        above line will allow any host to have access to the tunnel (at the
        moment only packets with the source address of subnet
        will be allowed through).

4. Save the config and then try to ping from a host on the Internal
LAN behind the SnapGear to a host on the Internal LAN behind the
Nortel Contivity Switch.

5. You will also need to run the application used to synchronise host
printing from Sabre on a host behind the SnapGear. This application is
used as a method to send keep alive packets over the tunnel to prevent
the Nortel Contivity Switch from disconnecting the tunnel after an
idle time period.