Add strongswan (4.3.6) for testing.
[people/teissler/ipfire-2.x.git] / src / patches / strongswan-4.3.6_ipfire.patch
CommitLineData
6652626c
AF
1diff -Naur strongswan-4.3.6.org/src/_updown/_updown.in strongswan-4.3.6/src/_updown/_updown.in
2--- strongswan-4.3.6.org/src/_updown/_updown.in 2009-09-27 21:50:42.000000000 +0200
3+++ strongswan-4.3.6/src/_updown/_updown.in 2010-03-20 18:44:11.000000000 +0100
4@@ -374,10 +374,10 @@
5 # connection to me, with (left/right)firewall=yes, coming up
6 # This is used only by the default updown script, not by your custom
7 # ones, so do not mess with it; see CAUTION comment up at top.
8- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
9+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
10 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
11 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
12- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
13+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
14 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
15 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
16 #
17@@ -387,10 +387,10 @@
18 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
19 then
20 logger -t $TAG -p $FAC_PRIO \
21- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
22+ "host+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
23 else
24 logger -t $TAG -p $FAC_PRIO \
25- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
26+ "host+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
27 fi
28 fi
29 ;;
30@@ -398,10 +398,10 @@
31 # connection to me, with (left/right)firewall=yes, going down
32 # This is used only by the default updown script, not by your custom
33 # ones, so do not mess with it; see CAUTION comment up at top.
34- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
35+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
36 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
37 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
38- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
39+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
40 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
41 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
42 #
43@@ -411,10 +411,10 @@
44 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
45 then
46 logger -t $TAG -p $FAC_PRIO -- \
47- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
48+ "host- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME"
49 else
50 logger -t $TAG -p $FAC_PRIO -- \
51- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
52+ "host- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME"
53 fi
54 fi
55 ;;
56@@ -424,10 +424,10 @@
57 # ones, so do not mess with it; see CAUTION comment up at top.
58 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
59 then
60- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
61+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
62 -s $PLUTO_MY_CLIENT $S_MY_PORT \
63 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
64- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
65+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
66 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
67 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
68 fi
69@@ -436,10 +436,10 @@
70 # or sometimes host access via the internal IP is needed
71 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
72 then
73- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
74+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
75 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
76 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
77- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
78+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
79 -s $PLUTO_MY_CLIENT $S_MY_PORT \
80 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
81 fi
82@@ -450,12 +450,27 @@
83 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
84 then
85 logger -t $TAG -p $FAC_PRIO \
86- "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
87+ "client+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
88 else
89 logger -t $TAG -p $FAC_PRIO \
90- "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
91+ "client+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
92 fi
93 fi
94+
95+ #
96+ # Open Firewall for ESP Traffic
97+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p ESP \
98+ -s $PLUTO_PEER $S_PEER_PORT \
99+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
100+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p ESP \
101+ -d $PLUTO_PEER $S_PEER_PORT \
102+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
103+ if [ $VPN_LOGGING ]
104+ then
105+ logger -t $TAG -p $FAC_PRIO \
106+ "ESP+ $PLUTO_PEER -- $PLUTO_ME"
107+ fi
108+
109 ;;
110 down-client:iptables)
111 # connection to client subnet, with (left/right)firewall=yes, going down
112@@ -463,11 +478,11 @@
113 # ones, so do not mess with it; see CAUTION comment up at top.
114 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ]
115 then
116- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
117+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
118 -s $PLUTO_MY_CLIENT $S_MY_PORT \
119 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
120 $IPSEC_POLICY_OUT -j ACCEPT
121- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
122+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
123 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
124 -d $PLUTO_MY_CLIENT $D_MY_PORT \
125 $IPSEC_POLICY_IN -j ACCEPT
126@@ -477,11 +492,11 @@
127 # or sometimes host access via the internal IP is needed
128 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
129 then
130- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
131+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
132 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
133 -d $PLUTO_MY_CLIENT $D_MY_PORT \
134 $IPSEC_POLICY_IN -j ACCEPT
135- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
136+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
137 -s $PLUTO_MY_CLIENT $S_MY_PORT \
138 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
139 $IPSEC_POLICY_OUT -j ACCEPT
140@@ -493,12 +508,27 @@
141 if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ]
142 then
143 logger -t $TAG -p $FAC_PRIO -- \
144- "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
145+ "client- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
146 else
147 logger -t $TAG -p $FAC_PRIO -- \
148- "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
149+ "client- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT"
150 fi
151 fi
152+
153+ #
154+ # Close Firewall for ESP Traffic
155+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p ESP \
156+ -s $PLUTO_PEER $S_PEER_PORT \
157+ -d $PLUTO_ME $D_MY_PORT -j ACCEPT
158+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p ESP \
159+ -d $PLUTO_PEER $S_PEER_PORT \
160+ -s $PLUTO_ME $D_MY_PORT -j ACCEPT
161+ if [ $VPN_LOGGING ]
162+ then
163+ logger -t $TAG -p $FAC_PRIO \
164+ "ESP- $PLUTO_PEER -- $PLUTO_ME"
165+ fi
166+
167 ;;
168 #
169 # IPv6
170@@ -533,10 +563,10 @@
171 # connection to me, with (left/right)firewall=yes, coming up
172 # This is used only by the default updown script, not by your custom
173 # ones, so do not mess with it; see CAUTION comment up at top.
174- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
175+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
176 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
177 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
178- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
179+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
180 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
181 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
182 #
183@@ -557,10 +587,10 @@
184 # connection to me, with (left/right)firewall=yes, going down
185 # This is used only by the default updown script, not by your custom
186 # ones, so do not mess with it; see CAUTION comment up at top.
187- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
188+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
189 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
190 -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
191- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
192+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
193 -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \
194 -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT
195 #
196@@ -583,10 +613,10 @@
197 # ones, so do not mess with it; see CAUTION comment up at top.
198 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
199 then
200- ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
201+ ip6tables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
202 -s $PLUTO_MY_CLIENT $S_MY_PORT \
203 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
204- ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
205+ ip6tables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
206 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
207 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
208 fi
209@@ -595,10 +625,10 @@
210 # or sometimes host access via the internal IP is needed
211 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
212 then
213- ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
214+ ip6tables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
215 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
216 -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT
217- ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
218+ ip6tables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
219 -s $PLUTO_MY_CLIENT $S_MY_PORT \
220 -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT
221 fi
222@@ -622,11 +652,11 @@
223 # ones, so do not mess with it; see CAUTION comment up at top.
224 if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ]
225 then
226- ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
227+ ip6tables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
228 -s $PLUTO_MY_CLIENT $S_MY_PORT \
229 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
230 $IPSEC_POLICY_OUT -j ACCEPT
231- ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
232+ ip6tables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
233 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
234 -d $PLUTO_MY_CLIENT $D_MY_PORT \
235 $IPSEC_POLICY_IN -j ACCEPT
236@@ -636,11 +666,11 @@
237 # or sometimes host access via the internal IP is needed
238 if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ]
239 then
240- ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
241+ ip6tables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
242 -s $PLUTO_PEER_CLIENT $S_PEER_PORT \
243 -d $PLUTO_MY_CLIENT $D_MY_PORT \
244 $IPSEC_POLICY_IN -j ACCEPT
245- ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
246+ ip6tables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
247 -s $PLUTO_MY_CLIENT $S_MY_PORT \
248 -d $PLUTO_PEER_CLIENT $D_PEER_PORT \
249 $IPSEC_POLICY_OUT -j ACCEPT
250diff -Naur strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark strongswan-4.3.6/src/_updown_espmark/_updown_espmark
251--- strongswan-4.3.6.org/src/_updown_espmark/_updown_espmark 2009-09-27 21:50:42.000000000 +0200
252+++ strongswan-4.3.6/src/_updown_espmark/_updown_espmark 2010-03-15 18:52:28.000000000 +0100
253@@ -247,10 +247,10 @@
254 ESP_MARK=50
255
256 # add the following static rule to the INPUT chain in the mangle table
257-# iptables -t mangle -A INPUT -p 50 -j MARK --set-mark 50
258+# iptables -t mangle -A IPSECINPUT -p 50 -j MARK --set-mark 50
259
260 # NAT traversal via UDP encapsulation is supported with the rule
261-# iptables -t mangle -A INPUT -p udp --dport 4500 -j MARK --set-mark 50
262+# iptables -t mangle -A IPSECINPUT -p udp --dport 4500 -j MARK --set-mark 50
263
264 # in the presence of KLIPS and ipsecN interfaces do not use ESP mark rules
265 if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ]
266@@ -325,10 +325,10 @@
267 up-host:*)
268 # connection to me coming up
269 # If you are doing a custom version, firewall commands go here.
270- iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
271+ iptables -I IPSECINPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
272 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
273 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
274- iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
275+ iptables -I IPSECOUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
276 -s $PLUTO_ME $S_MY_PORT \
277 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
278 #
279@@ -346,10 +346,10 @@
280 # If you are doing a custom version, firewall commands go here.
281 # connection to me going down
282 # If you are doing a custom version, firewall commands go here.
283- iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
284+ iptables -D IPSECINPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
285 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
286 -d $PLUTO_ME $D_MY_PORT $CHECK_MARK -j ACCEPT
287- iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
288+ iptables -D IPSECOUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
289 -s $PLUTO_ME $S_MY_PORT \
290 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
291 #
292@@ -365,10 +365,10 @@
293 up-client:)
294 # connection to my client subnet coming up
295 # If you are doing a custom version, firewall commands go here.
296- iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
297+ iptables -I IPSECFORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
298 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
299 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
300- iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
301+ iptables -I IPSECFORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
302 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
303 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
304 $CHECK_MARK -j ACCEPT
305@@ -385,10 +385,10 @@
306 down-client:)
307 # connection to my client subnet going down
308 # If you are doing a custom version, firewall commands go here.
309- iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
310+ iptables -D IPSECFORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \
311 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $S_MY_PORT \
312 -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $D_PEER_PORT -j ACCEPT
313- iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
314+ iptables -D IPSECFORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \
315 -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK $S_PEER_PORT \
316 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK $D_MY_PORT \
317 $CHECK_MARK -j ACCEPT