# How can I allow vpnc access in shorewall? [SOLVED]

## raylpc

I'm using vpnc instead of cisco-vpnclient (because it doesn't work in mm-2.6.5) for remote access at work. But shorewall is blocking vpnc's port. After some research, vpnc seems to use port 500. How can I enable this port only for vpnc? (A rule or appending some command in the vpnc script). If not possible, how do I enable port 500?

Thanks,

Ray

Last edited by raylpc on Mon May 31, 2004 1:57 am; edited 1 time in total

----------

## raylpc

After digging deeper into the shorewall documentation, I found this page solves exactly my problem. Now I have my firewall up when connected via vpnc. :)

----------

## TobiWan

Hi there,

I'm glad that you seem to have solved your problem since I'm rather new to VPN in general and Cisco Concentrator specifically.

My situation: I connect to a Cisco Concentrator in a non-public subnet using vpnc in order to gain routing into the Internet. The address of the VPN Gateway is 172.17.0.1, I get an address through DHCP like 172.17.x.y locally.

I have configured Shorewall as described in the single interface quick setup guide and it works fine by itself. The problem is that it blocks the VPN connection like you experienced. If I shut down Shorewall, the vpn connection works perfectly fine.

The tunnel interface gets an address like 10.26.80.x after connecting to the Concentrator.

I read the link you gave me and changed my Shorewall configuration but since I didn't understand a thing I did, I must have messed it up. Maybe you could help me out with some specific hints? For example: are the port numbers used in the link you gave correct? What do my zones, policy, tunnels and interfaces files have to look like?

thanks in advance,

Tobias

----------

## raylpc

Sure. There are indeed some changes you should make. The link only gives a general idea. I will try to make the modifications for you as follows:

> *Quote:*
>
> On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called vpn and declare it in /etc/shorewall/zones on both systems as follows.
>
> ZONE	DISPLAY	COMMENTS
> ...

Note, I only need to make changes in my own system. After all, I don't have the right to change the server's settings. Hopefully it works for you with the adaptations I made above in the quote.
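For readers who land here with the same question as Tobias, here is the shape those four files end up with on a single-interface box. This is an added example, not raylpc's files and not the Shorewall project's own documentation; it assumes the 2004-era column layout (Shorewall 1.4/2.x), a public interface called eth0, vpnc's default tunnel device tun0, and the Concentrator address 172.17.0.1 from this thread. The zone name vpn is the one from the quoted doc.

```conf
# Added example (not from the original post or the Shorewall project).
# Assumed: Shorewall 1.4/2.x column format, public interface eth0,
# vpnc tunnel device tun0 (vpnc's default), Concentrator at 172.17.0.1.

# /etc/shorewall/zones -- one extra zone for what arrives through the tunnel
#ZONE	DISPLAY		COMMENTS
net	Net		Segment eth0 is on (172.17.x.y here) / Internet
vpn	VPN		Corporate network reached through the Concentrator

# /etc/shorewall/interfaces -- bind the tunnel device to the vpn zone.
# Deliberately no "norfc1918" on eth0: the Concentrator lives in
# 172.17.0.0/16, which that option would drop before anything else runs.
#ZONE	INTERFACE	BROADCAST	OPTIONS
net	eth0		detect		dhcp,routefilter
vpn	tun0		-

# /etc/shorewall/policy -- the tunnel is not the Internet, but it is not
# your own LAN either: let this host talk out, and only let replies back
# (Shorewall's state tracking admits ESTABLISHED/RELATED traffic by itself).
#SOURCE	DEST	POLICY		LOG LEVEL
fw	net	ACCEPT
fw	vpn	ACCEPT
vpn	fw	DROP		info
net	all	DROP		info
all	all	REJECT		info

# /etc/shorewall/tunnels -- the "ipsec" type opens UDP 500 (IKE) plus the
# ESP and AH protocols, and only to/from the named gateway, which is the
# answer to "how do I enable port 500" without opening it to the whole net.
#TYPE	ZONE	GATEWAY		GATEWAY ZONE
ipsec	net	172.17.0.1
```

Run `shorewall check` before `shorewall restart` so a column typo is caught before the firewall goes down. Two things worth checking against your own setup: the quick setup guides tend to put norfc1918 on the external interface, which is exactly wrong when your gateway itself has an RFC 1918 address, and if your vpnc ever negotiates NAT traversal on UDP 4500 instead of encapsulating on 500, the tunnels entry needs the ipsecnat type where your Shorewall version supports it. Keeping the vpn-to-fw policy at DROP means a compromised or misconfigured host on the corporate side still cannot reach services on your machine unsolicited.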

----------

## TobiWan

Hooray! It works! That makes YOU the hero of the week!

Thank you so much!

regards,

Tobias

----------

## raylpc

Glad to hear that it worked for you :)

----------

