Hi Charles and Lynn.
Thank you for your suggestions. Things have not changed much after
I did the following as you advised:
- As per Lynn's remark, I now use only one /etc/ipsec.conf on
both sides. The FreeSWAN doc said that you may need to change
the line "interfaces=", but they are identical in this case
too, i.e. both use eth0.
So only the ipsec.secrets are different.
- The ping I did was done on an internal machine behind the firewall,
192.168.9.204, not on the gateway (192.168.9.254). From there
I tried to ping 192.168.1.202, another machine behind the
remote gateway.
- I removed "ip_masq_ipsec" from /etc/modules. I also set
eth0_IP_SPOOF=NO in /etc/network.conf.
- I saw some suspicious variables in /etc/network.conf, but I am
not sure whether they affect anything in my case:
# Accept ICMP Redirects on ALL interfaces, also depends on /proc
# per interface IP forwarding flag. - YES/NO
ALLIF_ACCEPT_REDIRECTS=NO
...
# Need these both for interfaces run by daemons - ie PPP, CIPE, some
# WAN interfaces
# IP spoofing protection by default for interfaces - YES/NO
DEF_IP_SPOOF=YES
...
eth1_IPADDR=192.168.1.254
eth1_MASKLEN=24
eth1_BROADCAST=192.168.1.255
eth1_IP_SPOOF=YES
...
- After pinging, I saw nothing in particular in /var/log/auth.log
or in /var/log/messages on either side.
- I think I have protocols 50 and 51 and UDP port 500 set in
/etc/network.conf, but to be sure I list the partial output from
"net ipfilter list" below. You may see something wrong in what I have here.
Extern IP: 24.83.28.213
Chain input (policy DENY: 3 packets, 734 bytes):
pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 5 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 13 -> *
0 0 DENY icmp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 14 -> *
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
13 528 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
5 280 DENY all ----l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.9.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 192.168.3.0/24 0.0.0.0/0 n/a
0 0 DENY all ----l- 0xFF 0x00 eth0 24.83.28.213 0.0.0.0/0 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
0 0 REJECT all ----l- 0xFF 0x00 eth0 0.0.0.0/0 192.168.9.0/24 n/a
...
11940 2123K ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 500
0 0 DENY udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
46676 7613K ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
466 61519 ACCEPT icmp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
0 0 ACCEPT ospf ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 ACCEPT 50 ------ 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
0 0 ACCEPT 51 ------ 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
108 6512 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 * -> 161:162
0 0 REJECT udp ----l- 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 161:162 -> *
911K 67M ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
...
---------- Original Message ----------------------------------
From: "Charles Steinkuehler" <[EMAIL PROTECTED]>
Date: Wed, 24 Apr 2002 09:35:41 -0500
>
>Well, it looks like your tunnel is coming up, so I'd look at firewalling
>rules. The behavior you're seeing can be caused if protocol 50 packets are
>being denied or rejected by one (or both) of the firewalls. Since you're
>not setting [left|right]firewall=yes, you need to make sure you're allowing
>the ESP (protocol 50) packets between the firewalls. Check
>/var/log/messages for denied packets, and the output of "net ipfilter list"
>for non-zero counts beside any deny/reject rules.
>
>Charles Steinkuehler
>http://lrp.steinkuehler.net
>http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
>
>
>_______________________________________________
>Leaf-user mailing list
>[EMAIL PROTECTED]
>https://lists.sourceforge.net/lists/listinfo/leaf-user
>
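A small triage script for "net ipfilter list" output of the kind posted above, applying the two checks Charles describes: non-zero counters on deny/reject rules, and whether the ESP (50), AH (51) and IKE (udp/500) accept rules are matching anything at all. This is an added example, not code from the post or from LEAF; the sample dump is constructed in the same column layout and condensed from the rules shown above.

```python
import re
from collections import namedtuple

# Constructed sample in the post's "net ipfilter list" layout, each wrapped rule rejoined on one line.
SAMPLE = """\
Chain input (policy DENY: 3 packets, 734 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
 13 528 DENY all ----l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
 11940 2123K ACCEPT udp ------ 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 500
 0 0 ACCEPT 50 ------ 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
 0 0 ACCEPT 51 ------ 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
 108 6512 DENY all ----l- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 n/a
 911K 67M ACCEPT all ------ 0xFF 0x00 * 0.0.0.0/0 0.0.0.0/0 n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
"""
Rule = namedtuple("Rule", "chain pkts target prot ifname src dst ports")

def parse_count(tok):
    """ipchains abbreviates counters (2123K, 67M); return a plain int."""
    m = re.fullmatch(r"(\d+)([KMG]?)", tok)
    if not m:
        raise ValueError(f"bad counter: {tok!r}")
    return int(m.group(1)) * {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}[m.group(2)]

def parse_rules(text):
    """Track 'Chain' headers; rows leave mark/outsize blank, so fields 8-10 are src, dst, ports."""
    rules, chain = [], None
    for f in (line.split() for line in text.splitlines()):
        if f and f[0] == "Chain":
            chain = f[1]
        elif f and f[0] != "pkts" and chain:
            rules.append(Rule(chain, parse_count(f[0]), f[2], f[3], f[7],
                              f[8], f[9], " ".join(f[10:])))
    return rules

def hot_denies(rules):
    """Deny/reject rules with non-zero counters: the check Charles suggested."""
    return [r for r in rules if r.target in ("DENY", "REJECT") and r.pkts > 0]

def ipsec_accept_hits(rules, iface):
    """Packets matched by input-chain ACCEPT rules for ESP (50), AH (51), IKE (udp/500) on iface.
    Busy IKE with zero ESP means keying works but no ESP reaches its rule (dropped earlier or never sent)."""
    hits = {"esp": 0, "ah": 0, "ike": 0}
    for r in rules:
        if r.chain == "input" and r.ifname == iface and r.target == "ACCEPT":
            ike = r.prot == "udp" and r.ports.endswith("-> 500")
            key = "ike" if ike else {"50": "esp", "51": "ah"}.get(r.prot)
            if key:
                hits[key] += r.pkts
    return hits
```

Run against the sample, hot_denies() flags the 10.0.0.0/8 spoof rule and the catch-all eth0 DENY, while ipsec_accept_hits() shows thousands of IKE packets but no ESP or AH ever matching its accept rule.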