Author Topic: eBox Firewall - Cisco VPN access allowing ESP

PaulShawyer

eBox Firewall - Cisco VPN access allowing ESP
« on: August 15, 2008, 02:07:07 pm »
Hi, we're using two eBox servers as firewalls, and sorry, I'm a bit of a noob with Linux. We are having problems with internal PCs using the Cisco VPN client to tunnel/connect to a few customers' sites.

I've made an object in eBox named "Cisco VPN" which contains the following...

TCP,any,13222
TCP/UDP,any,4500
TCP/UDP,any,500
TCP/UDP,any,10000

This works for a dozen other customers' sites, but two customer sites just won't connect.

When looking at /var/log/syslog it seems the protocol "ESP" is possibly blocked....

ebox-firewall IN=eth1 OUT=eth0 SRC=192.168.27.114 DST=21x.4x.24x.10x LEN=216 TOS=0x00 PREC=0x00 TTL=127 ID=7 PROTO=ESP SPI=0xca2a9b22

I am aware this is a protocol like UDP or TCP, and not a port, but is there any way to add this to the eBox firewall?

Looking at a Cisco router configuration, I have found the following command...
$fwcmd add allow esp from x.x.x.x to x.x.x.x

I'd be grateful for your help.
Regards, Paul.
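Added example, not from the thread or from eBox itself: a small POSIX shell script that parses a netfilter log line of the shape quoted above (the sample is constructed, with the destination replaced by a documentation address), classifies the flow as port-based or protocol-only, and prints the iptables rules an IPsec client behind the firewall needs (IKE on UDP 500, NAT-T on UDP 4500, and ESP matched by protocol, since it has no ports). The interface names and the stateful return-traffic rule are assumptions.

```shell
#!/bin/sh
# Constructed sample in the same shape as the syslog line in the post
# (destination rewritten to a documentation address).
SAMPLE_LOG='ebox-firewall IN=eth1 OUT=eth0 SRC=192.168.27.114 DST=203.0.113.10 LEN=216 TOS=0x00 PREC=0x00 TTL=127 ID=7 PROTO=ESP SPI=0xca2a9b22'

# log_field KEY LINE: print the value of the KEY=VALUE token in a netfilter log line.
log_field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p"
}

# log_classify LINE: ESP (IP protocol 50) and AH (51) carry no port numbers,
# so a service object made of TCP/UDP ports can never match them.
log_classify() {
    case "$(log_field PROTO "$1")" in
        ESP|AH|50|51) echo protocol-only ;;
        TCP|UDP|6|17) echo port-based ;;
        *) echo unknown ;;
    esac
}

# esp_rule_from_log LINE: the FORWARD rule that would have accepted the logged
# packet; the match is "-p esp", there is no --dport for this protocol.
esp_rule_from_log() {
    echo "iptables -A FORWARD -i $(log_field IN "$1") -o $(log_field OUT "$1")" \
         "-s $(log_field SRC "$1") -d $(log_field DST "$1") -p esp -j ACCEPT"
}

# ipsec_client_rules IN_IF OUT_IF CLIENT: everything an IKEv1/IPsec client
# behind the firewall needs outbound, plus stateful return traffic
# (assumption: the firewall already relies on conntrack for replies).
ipsec_client_rules() {
    for match in "-p udp --dport 500" "-p udp --dport 4500" "-p esp"; do
        echo "iptables -A FORWARD -i $1 -o $2 -s $3 $match -j ACCEPT"
    done
    echo "iptables -A FORWARD -i $2 -o $1 -d $3 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Stand-alone run: show why the sample line never matched a port-based object.
echo "sample flow is: $(log_classify "$SAMPLE_LOG")"
esp_rule_from_log "$SAMPLE_LOG"
ipsec_client_rules eth1 eth0 192.168.27.114
```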

javi

Re: eBox Firewall - Cisco VPN access allowing ESP
« Reply #1 on: August 17, 2008, 10:20:06 pm »
Yeah, you are right, services should support that protocol.

If you give me a couple of days, I think I can provide you with a patch to support that, if that's fine for you.

javi

Re: eBox Firewall - Cisco VPN access allowing ESP
« Reply #2 on: August 17, 2008, 10:23:26 pm »
I've looked into it and the patch is pretty trivial.

Just tell me which eBox version you are using and I'll send you the patch.

To make sure, run:

apt-cache policy ebox-services
apt-cache policy ebox-firewall

javi

Re: eBox Firewall - Cisco VPN access allowing ESP
« Reply #3 on: August 17, 2008, 11:04:06 pm »
The nice thing about open source: I've already implemented this feature and committed it to the repository :)

PaulShawyer

Re: eBox Firewall - Cisco VPN access allowing ESP
« Reply #4 on: August 19, 2008, 06:41:18 pm »
Thank you for your quick response, we are currently using 0.11.100-0ubuntu1~ppa1

Regards,
Paul.

javi

Re: eBox Firewall - Cisco VPN access allowing ESP
« Reply #5 on: August 28, 2008, 07:26:06 pm »
Hi Paul,

I don't know if you are subscribed to our mailing list but we have just released a new version which ships the changes you needed.

Thanks for letting us know about this issue :)