Support Requests item #677584, was opened at 2003-01-30 09:19
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=213751&aid=677584&group_id=13751

Category: packages
Group: None
>Status: Closed
Priority: 5
Submitted By: Bob Dushok (bdushok)
Assigned to: Mike Noyes (mhnoyes)
Summary: Problems communicating via VPN

Initial Comment:
I'm attempting to configure a subnet to subnet VPN
between two Bering uclibc v1.02 firewalls and am having
difficulty.  The VPN appears to be coming up, but no
traffic seems to pass through it.  My systems are set up
as follows:

workstation1 - ip 10.12.0.2
   |
bering gw - internal 10.12.0.1 - external 66.202.70.89
   |
(internet)
   |
bering gw - internal 10.1.2.200 - external 199.224.108.200
   |
workstation 2 - ip 10.1.1.1

The external IPs are statically assigned, I'm not using
DHCP.

When entering ipsec auto --up vpn I receive the following:

104 "vpn" #8: STATE_MAIN_I1: initiate
106 "vpn" #8: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #8: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vpn" #8: STATE_MAIN_I4: ISAKMP SA established
112 "vpn" #9: STATE_QUICK_I1: initiate
004 "vpn" #9: STATE_QUICK_I2: sent QI2, IPsec SA established

The output of ipsec look is:
000 interface ipsec0/eth0 199.224.108.200
000  
000 "vpn": 10.1.0.0/16===199.224.108.200---199.224.108.34...66.202.70.88---66.202.70.89===10.12.0.0/16
000 "vpn":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpn":   policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
000 "vpn":   newest ISAKMP SA: #3; newest IPsec SA: #2; eroute owner: #2
000  
000 #3: "vpn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 998s; newest ISAKMP
000 #2: "vpn" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23043s; newest IPSEC; eroute owner
000 #2: "vpn" [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]

It appears the VPN is up, but 10.12.0.2 can't ping
10.1.1.1 and vice versa.  My conf looks as follows:
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search
        
conn %default
        type=tunnel
        keyexchange=ike
        keylife=8h
        keyingtries=0
        authby=rsasig
        disablearrivalcheck=no  
        pfs=yes

conn vpn
        left=199.224.108.200
        leftsubnet=10.1.0.0/16
        leftnexthop=199.224.108.34
        leftfirewall=yes
        right=66.202.70.89
        rightsubnet=10.12.0.0/16
        rightnexthop=66.202.70.88
        rightfirewall=yes
        auto=add
        leftrsasigkey=(omitted)
        rightrsasigkey=(omitted)

I've added a zone for the VPN and have a rule similar
to the following added to the Shorewall rules:

vpnnet   localnet    ACCEPT
localnet   vpnnet   ACCEPT

(sorry I don't have the exact text of these rules)

hosts.allow does include an ALL: entry denoting the
private network on the other end of the VPN.

Do I need to perform any masquerading on the IPSEC0
interface for the nets to communicate properly?

As I was searching the mailing list, I noticed
conversations which mentioned an ipsec masquerade
kernel driver.  I can't seem to locate any info on this
for Bering/uclibc.  Am I missing something important? 
The only modules I'm loading for masquerading came with
the Bering release (ip_conntrack_ftp, ip_conntrack_irc,
ip_nat_ftp, and ip_nat_irc).

When shorewall starts it prints a warning indicating
the zone I've created for my VPN is empty.  I've
defined the zone by including the following in the
zones file:

vpnzone  ipsec0

Does this warning indicate a problem?

Any suggestions would be appreciated.
TIA
Bob
----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-31 18:23

Message:
Logged In: YES 
user_id=694924

Based on the most recent comment on this support request, it is our
understanding that this matter has been addressed. Should you
require further assistance from LEAF project members, please submit
a new support request.
Thank you,
leaf-project.org support

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-31 18:23

Message:
Logged In: YES 
user_id=694924

Tom,
   Thank you!  The missing ipsec interface (zones file) was 
the problem.  I've added it and the VPN is now running.
   Bob

----------------------------------------------------------------------

Comment By: Tom Eastep (teastep)
Date: 2003-01-30 10:56

Message:
Logged In: YES 
user_id=6546

The first time through, I missed that you have

vpnzone (sic)   ipsec0 

in the ZONES file. The only column in that file that
Shorewall pays any attention to is the first one. You need
to add this to the interfaces file:

extnet  ipsec0

-Tom

----------------------------------------------------------------------
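Tom's diagnosis above comes down to a rule that is easy to get wrong: Shorewall reads only the first column of the zones file, and a zone is populated by entries in the interfaces (or hosts) file, not by the tunnels file or by a second column in zones. The following is an added example, not code from the original thread or from the Shorewall project, that applies that rule to the three files Bob posted and reproduces the "zone is empty" warning before the fix and its absence after it. The file contents are constructed from the thread; the function names and the simplified column handling (first column of interfaces/hosts, `-` meaning "zone defined elsewhere") are assumptions of this example, not Shorewall's own parser.

```python
"""Flag Shorewall zones that no interfaces/hosts entry populates.

Added example (not from the thread or Shorewall). It models the rule
stated in the thread: only column one of /etc/shorewall/zones matters,
and a zone is populated through the interfaces file (ZONE INTERFACE ...)
or the hosts file (ZONE HOST(S) ...), never through tunnels or a second
column in zones.
"""

# Constructed from the files Bob posted: the zones file "defines" extnet
# with ipsec0 in the (ignored) display-name column.
ZONES = """\
extnet  ipsec0
net     Internet
admin   Admin
"""

INTERFACES_BEFORE = """\
net     eth0    detect  norfc1918
admin   eth1    detect  routestopped
"""

# Tom's fix: bind ipsec0 to the extnet zone in the interfaces file.
INTERFACES_AFTER = INTERFACES_BEFORE + "extnet  ipsec0\n"

# The tunnels entry does not populate a zone; shown only to make that point.
TUNNELS = """\
ipsec   net     66.202.70.89/24   extnet
"""


def parse_columns(text):
    """Split each non-blank, non-comment line into whitespace-separated columns.

    Shorewall files allow '#' comments, including trailing ones.
    """
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def defined_zones(zones_text):
    """Zone names in definition order: only column one is significant."""
    return [row[0] for row in parse_columns(zones_text)]


def populated_zones(interfaces_text, hosts_text=""):
    """Zones that have at least one interface or hosts entry.

    An interface whose zone column is '-' is a multi-zone interface whose
    zones come from the hosts file, so it populates nothing by itself.
    """
    zones = set()
    for row in parse_columns(interfaces_text):
        if row[0] != "-":
            zones.add(row[0])
    for row in parse_columns(hosts_text):
        zones.add(row[0])
    return zones


def empty_zones(zones_text, interfaces_text, hosts_text=""):
    """Zones that would produce Shorewall's 'zone is empty' warning.

    The firewall zone 'fw' is implicit and never appears in zones, so it
    is not considered here.
    """
    populated = populated_zones(interfaces_text, hosts_text)
    return [z for z in defined_zones(zones_text) if z not in populated]


if __name__ == "__main__":
    print("before fix, empty zones:", empty_zones(ZONES, INTERFACES_BEFORE))
    print("after fix,  empty zones:", empty_zones(ZONES, INTERFACES_AFTER))
```

Run as-is it reports `['extnet']` for the posted configuration and `[]` once `extnet  ipsec0` is in the interfaces file. Until that entry exists, the `extnet` to `admin` and `admin` to `extnet` ACCEPT policies match nothing, which is why traffic arriving on ipsec0 fell through to the `all all REJECT` policy even though the IPsec SA itself was up.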

Comment By: Bob Dushok (bdushok)
Date: 2003-01-30 10:30

Message:
Logged In: YES 
user_id=694924

Kp, 
   Thanks, I'll try removing left/rightfirewall=yes and will add a 
rule to allow connections on ports 50 and 51.
   My policy and rules are as follows:

policy:
#SOURCE   DEST     POLICY   LOG LEVEL   LIMIT:BURST
admin     net      ACCEPT
fw        extnet   ACCEPT
admin     extnet   ACCEPT
extnet    admin    ACCEPT
fw        net      ACCEPT
net       all      DROP     info
all       all      REJECT   info

Rules:
ACCEPT    fw       net      tcp     53
ACCEPT    fw       net      udp     53
ACCEPT    admin    fw       udp     53
ACCEPT    fw       net      tcp     37
ACCEPT    fw       net      tcp     25
ACCEPT    net      fw       udp     500

Thanks,
Bob

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-30 10:24

Message:
Logged In: YES 
user_id=694924

Tom,
Thanks for the reply.  I'm sorry if my message implied I don't 
value the support you're providing.  I completely forgot about 
the zones, interfaces, hosts, and tunnels files but have 
attached them below.
Bob

hosts:
(nothing, only comments that were present in file included 
with distribution)

interfaces:
net     eth0    detect  norfc1918
admin   eth1    detect  routestopped

tunnels:
ipsec   net     66.202.70.89/24   extnet

zones:
extnet  ipsec0
net     Internet
admin   Admin


----------------------------------------------------------------------

Comment By: KP Kirchdörfer (kapeka)
Date: 2003-01-30 10:14

Message:
Logged In: YES 
user_id=204664

Lynn Avants' advice in his ipsec doc for LEAF is to omit the left-
and rightfirewall.

I cannot see a real error in your ipsec settings, but I'm no expert.
 
I guess you should provide your shorewall settings, esp: 
 
zones 
interfaces 
policy 
rules 
tunnels 
 
I have an ipsec tunnel up and running, without touching masq.
I'm not sure if that's all correct and safe, but it's working.
kp

----------------------------------------------------------------------

Comment By: Tom Eastep (teastep)
Date: 2003-01-30 09:41

Message:
Logged In: YES 
user_id=6546

Bob,

You are asking busy people for free technical assistance yet
you can't be bothered to collect the relevant information?
(ref: "sorry I don't have the exact text of these rules")

The fact that Shorewall is reporting an empty zone is
probably a key symptom but without the contents of the
'zones', 'interfaces', 'hosts' and 'tunnels' files from your
/etc/shorewall directory it would be a wild guess to try to
tell you what might be wrong.

-Tom

----------------------------------------------------------------------

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html