S2S VPN: CS-16092: Add ESP rule to iptables

Otherwise the other end cannot initiate a connection.
Sheng Yang 2012-08-20 11:15:51 -07:00
parent aa64dc5fdf
commit 20ccb6c1cb


@ -68,6 +68,7 @@ check_and_enable_iptables() {
then
sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
sudo iptables -A INPUT -i $outIf -p 50 -j ACCEPT
# Prevent NAT on "marked" VPN traffic, so need to be the first one on POSTROUTING chain
sudo iptables -t nat -I POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
fi
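Review bot: The new ESP rule is appended with `-A INPUT`, so if the INPUT chain already ends in a terminal DROP/REJECT rule the accept never matches and the remote peer's ESP packets are still dropped, which is the exact symptom the commit is fixing; the POSTROUTING rule two lines below uses `-I` for the same ordering reason, and the INPUT side probably needs the same treatment (or a check of the chain's policy), though the existing UDP 500/4500 rules have the same exposure and I cannot see how the chain is initialised from here. The protocol would be clearer spelled out and the interface variable quoted, in the add here and the mirrored delete in the second hunk: `sudo iptables -A INPUT -i "$outIf" -p esp -j ACCEPT` (iptables resolves `esp` and `50` to the same protocol number, so `-D` still finds a rule inserted either way). check_and_enable_iptables begins outside the hunk.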
@ -92,6 +93,7 @@ check_and_disable_iptables() {
#Nobody else use s2s vpn now, so delete the iptables rules
sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 500 -j ACCEPT
sudo iptables -D INPUT -i $outIf -p udp -m udp --dport 4500 -j ACCEPT
sudo iptables -D INPUT -i $outIf -p 50 -j ACCEPT
sudo iptables -t nat -D POSTROUTING -t nat -o $outIf -m mark --mark $vpnoutmark -j ACCEPT
fi
return 0
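Review bot: The delete of the ESP rule on the `-p 50` line will fail with an iptables error whenever the rule is not present, which happens at least once after deploying this change while a tunnel set up by the previous version is still active, since that enable run never added the rule; the function then returns 0 regardless, so the failure is only visible as noise on stderr. If that transient is acceptable it deserves a comment such as `# ESP rule may be absent for tunnels enabled before the ESP rule existed`; otherwise guard the delete so it only runs when the rule exists. check_and_disable_iptables begins outside the hunk.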