No matter which kernel stack is used, you still need to permit IPsec traffic in and out of the Openswan host itself. This portion of the firewall configuration is the same for KLIPS and NETKEY. Note that it is slightly different from the table listed earlier: because the IKE and ESP packets terminate on this host rather than passing through it, the rules go in the INPUT and OUTPUT chains instead of the FORWARD chain:
# Firewall configuration to allow IPsec traffic to be
# sent and received by this server.
# 193.111.228.1 is the remote IPsec peer, 205.150.200.209 is this host.

# IKE (UDP port 500)
iptables -I INPUT -s 193.111.228.1 -d 205.150.200.209 -p udp --dport 500 -j ACCEPT
iptables -I OUTPUT -s 205.150.200.209 -d 193.111.228.1 -p udp --dport 500 -j ACCEPT

# IKE and ESP encapsulated in UDP for NAT traversal (UDP port 4500)
iptables -I INPUT -s 193.111.228.1 -d 205.150.200.209 -p udp --dport 4500 -j ACCEPT
iptables -I OUTPUT -s 205.150.200.209 -d 193.111.228.1 -p udp --dport 4500 -j ACCEPT

# ESP (IP protocol 50); it has no ports, so only the protocol is matched
iptables -I INPUT -s 193.111.228.1 -d 205.150.200.209 -p 50 -j ACCEPT
iptables -I OUTPUT -s 205.150.200.209 -d 193.111.228.1 -p 50 -j ACCEPT
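The same six rules, generalized into a small shell helper so they can be generated for any local/peer address pair (and for several peers) without retyping them. This is an added example, not code from the page or from the Openswan project; the helper names ipsec_peer_rules and count_rules and the IPTABLES dry-run variable are assumptions made here. By default it only echoes the commands, so it can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original page). Emits the iptables rules that
# let IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) pass between
# this host and one IPsec peer, in the INPUT/OUTPUT chains, as the page shows.
# IPTABLES defaults to "echo iptables" for a dry run; set IPTABLES=iptables
# (as root) to apply the rules for real.
IPTABLES="${IPTABLES:-echo iptables}"

# ipsec_peer_rules LOCAL_IP PEER_IP
# INPUT rules match PEER_IP -> LOCAL_IP, OUTPUT rules the reverse. Rules are
# inserted at the head of each chain (-I) so they win over a DROP policy.
# Only --dport is matched: a peer behind NAT may have its source port
# rewritten, so restricting --sport would break NAT traversal.
ipsec_peer_rules() {
    local_ip="$1"
    peer_ip="$2"
    if [ -z "$local_ip" ] || [ -z "$peer_ip" ]; then
        echo "usage: ipsec_peer_rules LOCAL_IP PEER_IP" >&2
        return 1
    fi
    for port in 500 4500; do
        $IPTABLES -I INPUT  -s "$peer_ip"  -d "$local_ip" -p udp --dport "$port" -j ACCEPT
        $IPTABLES -I OUTPUT -s "$local_ip" -d "$peer_ip"  -p udp --dport "$port" -j ACCEPT
    done
    # ESP carries the encrypted payload. It is IP protocol 50 (the page writes
    # "-p 50"; "-p esp" is the same match by name) and has no port numbers.
    $IPTABLES -I INPUT  -s "$peer_ip"  -d "$local_ip" -p esp -j ACCEPT
    $IPTABLES -I OUTPUT -s "$local_ip" -d "$peer_ip"  -p esp -j ACCEPT
}

# ipsec_peers_rules LOCAL_IP PEER_IP...
# Convenience wrapper for a host that talks to several peers.
ipsec_peers_rules() {
    local_ip="$1"
    shift
    for peer in "$@"; do
        ipsec_peer_rules "$local_ip" "$peer" || return 1
    done
}

# count_rules LOCAL_IP PEER_IP
# Number of rule lines the helper emits in dry-run mode (always 6 per peer).
count_rules() {
    ( IPTABLES="echo iptables"; ipsec_peer_rules "$1" "$2" ) | wc -l | tr -d ' '
}

# Dry run with the page's addresses: this host is 205.150.200.209, the peer
# is 193.111.228.1.
ipsec_peer_rules 205.150.200.209 193.111.228.1
```

These rules admit only the IKE, NAT-T and ESP packets themselves. After decryption the plaintext packets traverse INPUT (or FORWARD, for traffic to the protected subnet) a second time and need their own rules; with NETKEY the decrypted packets can be told apart from ordinary cleartext with the iptables policy match (`-m policy --dir in --pol ipsec`), with KLIPS they arrive on the ipsecX interfaces.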
These iptables commands are basic; you can further narrow down traffic by...