Re: [leaf-user] nat between gateways ???

Wed, 13 Nov 2002 11:34:39 -0800 

Michael D. Schleif wrote:

For futher information, please, let me know and I will be as verbose as
necessary on a separate webpage.  Let's hope that I remember to publish
the final solution exhaustively to the list ;>
It would be nice to see the complete firewall rule dump from both machines, although in your test network you could simply flush all firewall rules on bluetrout (the Cisco "emulator"), if it's not hooked to the internet. Regardless, the firewall rules on pinktrout are a "Must see", especially given the log errors.

The complete output of "ip addr" and "ip route" from *BOTH* systems would also be very helpful.

[1] Indeed, that pesky martian problem appears to be directly related
    to the values of:

	/proc/sys/net/ipv4/conf/ipsec0/rp_filter
	/proc/sys/net/ipv4/conf/wan1/rp_filter

    Changing them from `1` to `0' resolves that issue.

[2] The current setup is to mimic the intended vpn between DCD at
    pinktrout and that pesky dicom cisco vpn, for which we are
    substituting another of our DCD's: bluetrout.

[3] Now, with that 1 -> 0 conversion and following ipsec configuration,
    SA is established on both sides.

Good news...at least it sounds like you're making progress!


[4] Neither side can ping anything on the other side.
Hmm...probably due to the dropped protocol 50 packets on pinktrout (item [7], below).

[5] routes:

    root@bluetrout:/root
    # ip route
    64.4.222.158 dev wan1  proto kernel  scope link  src 64.4.222.157
    64.4.222.158 dev ipsec0  proto kernel  scope link  src 64.4.222.157
    144.228.51.210 via 64.4.222.158 dev ipsec0  src 192.168.1.254
    64.4.197.64/26 dev eth1  scope link
    192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.254
    default via 64.4.222.158 dev wan1

    root@pinktrout:/root
    # ip route
    144.228.51.209 dev wan1  proto kernel  scope link  src 144.228.51.210
    144.228.51.209 dev ipsec0  proto kernel  scope link  src 144.228.51.210
    192.168.1.0/24 via 144.228.51.209 dev ipsec0  src 192.168.11.254
    192.168.14.0/24 dev eth1  proto kernel  scope link  src 192.168.14.254
    192.168.13.0/24 dev eth0  scope link
    192.168.12.0/24 dev eth0  scope link
    192.168.11.0/24 dev eth0  proto kernel  scope link  src 192.168.11.254
    192.168.10.0/24 dev eth0  scope link
    default via 144.228.51.209 dev wan1

Looks OK...


[6] udp port 500 & protocols 50 & 51:

    root@bluetrout:/root
    # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
    1  0  0    ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    2  0  0    ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    3  0  0    ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    4  0  0    ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    5  0  0    ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    6  0  0    ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    7  0  0    ACCEPT  51  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    8  0  0    ACCEPT  50  ------ 0xFF 0x00  *     144.228.51.210  64.4.222.157  n/a
    53 62 9756 ACCEPT  udp ------ 0xFF 0x00  wan1  0.0.0.0/0       64.4.222.157  * -> 500

    root@pinktrout:/root
    # ipchains -nvL --line-numbers | grep '\( 5[01] \|500$\)'
    50  26  6156 ACCEPT  udp  ------ 0xFF 0x00  wan1  0.0.0.0/0  144.228.51.210  * -> 500

I think you need a log accepting protocol 50 traffic on pinktrout...


[7] kern.log:

root@pinktrout:/root
# tail -f /var/log/kern.log
Nov 12 20:41:18 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62911 F=0x0000 T=54 (#56)
Nov 12 20:41:19 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62913 F=0x0000 T=54 (#56)
Nov 12 20:41:20 pinktrout kernel: Packet log: input DENY wan1 PROTO=50 64.4.222.157:65535 144.228.51.210:65535 L=136 S=0x00 I=62915 F=0x0000 T=54 (#56)

This is Very Bad...


[8] ipsec.conf
<snip>

Conf files look OK. I thought you were going to be using PSK to talk to the Cisco (you have RSA sig-keys in the conf file), but as long as the tunnel comes up, you should be OK for testing...

The main problem I see is the denied IPSec traffic on pinktrout. You don't mention which machines you tried to ping from/to...remember, you'll only be able to ping from pinktrout to machines on the 192.168.1.0/24 net other than bluetrout.

Once you get pinktrout talking to the remote network, you can start adding masq rules to try and get the networks behind pinktrout talking to the far end. With any luck, that should just work with the appropriate masq rule added to the forward rule chain.

--
Charles Steinkuehler
[EMAIL PROTECTED]




-------------------------------------------------------
This sf.net email is sponsored by: Are you worried about your web server security? Click here for a FREE Thawte Apache SSL Guide and answer your Apache SSL security needs: http://www.gothawte.com/rd523.html
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html

Reply via email to