RE: [Leaf-user] ip_masq_ipsec.o for bering
Eric,

I'm not a Bering user but the tasks you need to accomplish are simple. There are two ways (in short) to use IPSEC server and client. The IPSEC server requires the kernel be able to handle the IPSEC packets directly, through either compiling IPSEC into the kernel or having IPSEC as a loadable module. The second, IPSEC client (which is the one you want to do), is simply passed through your MASQ'd/NAT'd firewall/router/Bering/LEAF boxen. This requires an ip masq module. After perusing the Bering ftp site and the recently updated package list, I do not see where the ip_masq_ipsec.o module is available for Bering. It may be named ip_conntrack_ipsec.o or something of the sort, but it would have to be ip_x_ipsec.o; the ip_conntrack_ftp.o and ip_conntrack_irc.o allow ftp and irc connections to pass through the box to allow these services for the client PCs. For the purpose you require you might have to drop in a Dachstein disk. The ip_masq_ipsec.o module is included by default.

Best,
Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric B Kiser
Sent: Tuesday, April 23, 2002 10:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

damn...

I have just been sitting here staring at my monitor while the reality of what I am trying to do has dawned on me. When Tom pointed me in the direction of the files ip_conntrack_ipsec.o and ip_nat_ipsec.o I began searching for them under the assumption that I would just load them like any other module. After reading your reply things suddenly came more into focus. If I understand this correctly, then what I am actually looking for is a patch that will make these options available for when I have to recompile the kernel. At which time, I can then select to either compile them as modules or to compile them directly into the kernel.

Thanks Joey, for the offer of assistance. Any and all help would be graciously received.

I am still a newbie here so if someone would be kind enough to either confirm or deny my assumptions about how to go about this I would appreciate it.

Respectfully,
Eric

-Original Message-
From: joey officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 10:05 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

ahh.. I think I understand now.. so you need to have the packets passed through on the home machine so that you can make the connection work. I understand now. There was another post earlier that mentioned the naming difference for the Bering ipsec.o files. You might look there. I'm not familiar at all w/ Bering, but I'll be glad to assist you by looking as well, and if necessary, maybe I or someone else can compile this for you.

joey

At Tuesday, 23 April 2002, Eric B Kiser [EMAIL PROTECTED] wrote:

Joey,

Thanks for the quick reply. Here is what I am looking at...

[1] I have to use IPSec client software on an NT4.0 machine from inside my network to make a connection to the company firewall/IPSec server to be able to gain remote access into my company. Since we are unable to do both pass-through and termination I am forced to set this box up to do pass-through only.

[2] I am planning on setting up a second box inside my network to act as an IPSec server so that I can connect to my lab while on the road.

I hope this helped to explain it a little better.

Regards,
Eric

-Original Message-
From: Joey Officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 4:54 PM
To: Eric B Kiser; [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

Are you sure that you need the ip_masq_ipsec.o file? I think that this is only needed if you have an internal ipsec server. In my case I run the ipsec server (I'm sure as does everyone else) on the actual gateway server / leaf server...

Joey

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric B Kiser
Sent: Tuesday, April 23, 2002 3:27 PM
To: [EMAIL PROTECTED]
Subject: [Leaf-user] ip_masq_ipsec.o for bering

Hello All,

I need to be able to make an IPSec connection through my Bering 1.0-rc1 firewall. If I understand correctly I will need the ip_masq_ipsec.o module to be able to do this. I have been unable to find the ip_masq_ipsec.o for Bering. I have already searched through all of the files in the modules section online and did not come across it. Is it already compiled in to the kernel or is it somewhere else or have I just missed it?

Thanks in advance,
Eric

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] ip_masq_ipsec.o for bering
Unless you are referring to changing over to using Dachstein, I don't believe the modules will work for the Bering distribution. Surely though someone else here is running a separate IPSec server (non-gateway) that they too would need a Bering version of the ip_x_ipsec.o module to be compiled for Bering. A simple task would be to track down the maintainer of the Bering dist. and ask them if there is already a module compiled, or if we should see compiling a complete set of modules for the Bering kernel base.

Joey

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fink
Sent: Wednesday, April 24, 2002 7:56 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

Eric,

I'm not a Bering user but the tasks you need to accomplish are simple. There are two ways (in short) to use IPSEC server and client. The IPSEC server requires the kernel be able to handle the IPSEC packets directly, through either compiling IPSEC into the kernel or having IPSEC as a loadable module. The second, IPSEC client (which is the one you want to do), is simply passed through your MASQ'd/NAT'd firewall/router/Bering/LEAF boxen. This requires an ip masq module. After perusing the Bering ftp site and the recently updated package list, I do not see where the ip_masq_ipsec.o module is available for Bering. It may be named ip_conntrack_ipsec.o or something of the sort, but it would have to be ip_x_ipsec.o; the ip_conntrack_ftp.o and ip_conntrack_irc.o allow ftp and irc connections to pass through the box to allow these services for the client PCs. For the purpose you require you might have to drop in a Dachstein disk. The ip_masq_ipsec.o module is included by default.

Best,
Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eric B Kiser
Sent: Tuesday, April 23, 2002 10:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

[...]
[Leaf-user] pcmcia.lrp for Dachstein
hi,

Does anyone have a link to the pcmcia.lrp for Dachstein?

Thanks,
j.

--
Jason C. Leach
Current PGP/GPG Key ID: 43AD2024
Re: [Leaf-user] ip_masq_ipsec.o for bering
On Wed, 24 Apr 2002 00:27:23 -0400 Eric B Kiser [EMAIL PROTECTED] wrote:

> damn...
>
> I have just been sitting here staring at my monitor while the reality of what I am trying to do has dawned on me. When Tom pointed me in the direction of the files ip_conntrack_ipsec.o and ip_nat_ipsec.o I began searching for them under the assumption that I would just load them like any other module. After reading your reply things suddenly came more into focus. If I understand this correctly, then what I am actually looking for is a patch that will make these options available for when I have to recompile the kernel. At which time, I can then select to either compile them as modules or to compile them directly into the kernel.
>
> Thanks Joey, for the offer of assistance. Any and all help would be graciously received.
>
> I am still a newbie here so if someone would be kind enough to either confirm or deny my assumptions about how to go about this I would appreciate it.

Your assumptions are correct. As Tom said, the only ip_conntrack and ip_nat (formerly ip_masq) modules available in the default kernel sources are ftp and irc. Any others will need to be applied to your kernel sources as a patch (I believe Tom pointed you at the netfilter site before), then configure your kernel to build those new options as modules and build it.

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.txt

As far as I have seen, Bering does not include any non-standard netfilter modules. But, since Bering and Dachstein seem to be gaining some popularity for ipsec-based systems, it never hurts to ask Jacques whether he can patch his kernel with these. Well, it won't hurt you anyways (eh, Jacques!) ;-)

HTH,
Chad
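The thread keeps circling around why an ordinary masquerading box cannot simply pass an IPsec client's traffic and why a dedicated ip_masq_ipsec / ip_conntrack_ipsec-style helper is needed. The following is an added example, a small Python model written for this page; it is not the code of ip_masq_ipsec, of any netfilter helper, or of any LEAF package. Plain masquerading multiplexes internal hosts behind one external address by rewriting the TCP/UDP source port. ESP (IP protocol 50) carries no ports, only a 32-bit SPI that both tunnel ends agreed on and that the gateway must leave intact, so the helper has to key its table on (remote gateway, SPI) and learn the remote's inbound SPI from the first reply. All addresses and SPIs are constructed; the pending-host logic is a simplification, but it also reproduces the classic limitation of such helpers: two internal clients bringing up a tunnel to the same remote at the same time cannot be told apart. AH (protocol 51) is not modelled because its integrity check covers the IP header, so it cannot be masqueraded at all.

```python
"""Why ESP needs its own masquerading helper: a constructed model.

Added example, not the code of ip_masq_ipsec, ip_conntrack_ipsec or any
LEAF package. Ordinary masquerading multiplexes internal hosts by
rewriting TCP/UDP source ports. ESP (IP protocol 50) has no ports, only a
32-bit SPI that both tunnel ends agreed on, so the gateway must leave it
alone and instead key its translation table on (remote gateway, SPI).
"""
import ipaddress
import struct

IPPROTO_ESP = 50


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options; checksum left at zero for the model)."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) from a packet built by build_ipv4."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(fields[8])),
            str(ipaddress.IPv4Address(fields[9])),
            fields[6], pkt[ihl:])


def build_esp(src, dst, spi, seq, body=b"\x00" * 16):
    """An ESP packet is just SPI + sequence number in front of the ciphertext."""
    return build_ipv4(src, dst, IPPROTO_ESP, struct.pack("!II", spi, seq) + body)


def esp_spi(payload):
    return struct.unpack("!I", payload[:4])[0]


class EspMasq:
    """SPI-tracking masquerade for ESP behind one external address.

    outbound_by_spi: (remote, spi the client sends) -> internal host
    inbound_by_spi:  (remote, spi the remote sends) -> internal host
    pending: remote -> internal hosts whose inbound SPI is still unknown
    """

    def __init__(self, ext_ip):
        self.ext_ip = ext_ip
        self.outbound_by_spi = {}
        self.inbound_by_spi = {}
        self.pending = {}

    def outbound(self, pkt):
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto != IPPROTO_ESP:
            raise ValueError("model only handles ESP")
        spi = esp_spi(payload)
        if (dst, spi) not in self.outbound_by_spi:
            self.outbound_by_spi[(dst, spi)] = src
            # The remote picks its own SPI for the reverse SA; until the first
            # reply arrives we only know that this host is waiting for one.
            self.pending.setdefault(dst, [])
            if src not in self.pending[dst]:
                self.pending[dst].append(src)
        # Rewrite the source address only; the SPI belongs to the SA and is
        # left untouched (there is no port to rewrite).
        return build_ipv4(self.ext_ip, dst, proto, payload)

    def inbound(self, pkt):
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto != IPPROTO_ESP or dst != self.ext_ip:
            return None
        spi = esp_spi(payload)
        host = self.inbound_by_spi.get((src, spi))
        if host is None:
            waiting = self.pending.get(src, [])
            if len(waiting) != 1:
                # Nobody waiting: unsolicited ESP, drop it. More than one
                # waiting: the SPI does not say which client it belongs to, so
                # the helper cannot choose (the one-client-per-remote limit).
                return None
            host = waiting.pop()
            self.inbound_by_spi[(src, spi)] = host
        return build_ipv4(src, host, proto, payload)
```

Usage: call outbound() on ESP leaving the LAN and inbound() on ESP arriving at the external address; a None return is a drop. Note that IKE on UDP 500 is separate: ordinary masquerading can rewrite its source port, but some responders insist on source port 500, which is one more reason the real helpers track ISAKMP as well.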
RE: [Leaf-user] ip_masq_ipsec.o for bering
Yes, I am definitely referring to using a Dachstein diskette. ;-)

Steve

-Original Message-
From: Joey Officer [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 24, 2002 8:08 AM
To: Steve Fink; Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

Unless you are referring to changing over to using Dachstein, I don't believe the modules will work for the Bering distribution. Surely though someone else here is running a separate IPSec server (non-gateway) that they too would need a Bering version of the ip_x_ipsec.o module to be compiled for Bering. A simple task would be to track down the maintainer of the Bering dist. and ask them if there is already a module compiled, or if we should see compiling a complete set of modules for the Bering kernel base.

Joey

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Fink
Sent: Wednesday, April 24, 2002 7:56 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

[...]
RE: [Leaf-user] ip_masq_ipsec.o for bering
Although you could compile a kernel for your specific needs (always recommended, but not necessary), I think for your particular needs just using a module at boot time would be sufficient. Something you might consider however, if you do not specifically need something from Bering: I know that the Dachstein based LRP boxes are capable of doing this. I'm not trying to start a flame war, but I've seen this done more with help from Charles. Just a suggestion...

Joey

-Original Message-
From: Eric B Kiser [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 11:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

damn...

I have just been sitting here staring at my monitor while the reality of what I am trying to do has dawned on me. When Tom pointed me in the direction of the files ip_conntrack_ipsec.o and ip_nat_ipsec.o I began searching for them under the assumption that I would just load them like any other module. After reading your reply things suddenly came more into focus. If I understand this correctly, then what I am actually looking for is a patch that will make these options available for when I have to recompile the kernel. At which time, I can then select to either compile them as modules or to compile them directly into the kernel.

Thanks Joey, for the offer of assistance. Any and all help would be graciously received.

I am still a newbie here so if someone would be kind enough to either confirm or deny my assumptions about how to go about this I would appreciate it.

Respectfully,
Eric

-Original Message-
From: joey officer [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 23, 2002 10:05 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [Leaf-user] ip_masq_ipsec.o for bering

[...]
Re: [Leaf-user] VPN error, please help
> After making the RSA right, I restarted the ipsec service on both sides and then I try to ping a machine on 192.168.1.x from the 192.168.9.x subnet, but the ping times out and there is nothing in auth.log or syslog suggesting a reason. Could you please suggest what I should look at now? I am including the log messages and the config files.
>
> BTW, both ends have dynamic IPs but they do not change for a long time. The left, leftnexthop, right and rightnexthop are extracted from the file /var/state/dhcp/dhclient.leases

Well, it looks like your tunnel is coming up, so I'd look at firewalling rules. The behavior you're seeing can be caused if protocol 50 packets are being denied or rejected by one (or both) of the firewalls. Since you're not setting [left|right]firewall=yes, you need to make sure you're allowing the ESP (protocol 50) packets between the firewalls. Check /var/log/messages for denied packets, and the output of net ipfilter list for non-zero counts beside any deny/reject rules.

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] Compact Flash
On Wed, 24 Apr 2002 10:17:22 -0400 Simon Bolduc [EMAIL PROTECTED] wrote:

> Don't most people log to ram? Assuming this is the case with bering (which it should be as it is a floppy dist) moving over to CF shouldn't matter unless Paul decided to log to CF - and leave his CF mounted all the time (I don't think this would work - how would he ever back up a modification??).

Yes. This is what I do. Log to RAM and only back it up if you need to do a postmortem. I would not recommend running from CF. The unique thing about LEAF is that boot media is boot media, and the running system functions the same no matter what type of bitholder you use to get the stuff into RAM.

Thanks,
Chad Carr
Re: [Leaf-user] Compact Flash
Sorry, I didn't mean no logging. I was just warning you not to consider compact flash an acceptable logging device. Many people are not happy with ramdisk capacity. Some log to a remote syslogd. I mail logs to an admin every 2 hours or 1MB. If you want to mail logs and don't want to install sendmail, given access to an SMTP server, Python and Perl have simple SMTP clients. Probably someone has written one in sh.

Simon Bolduc [EMAIL PROTECTED] on 04/24/2002 09:17:22 AM
To: Phillip Watts/austin/Nlynx@Nlynx, [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Compact Flash

Don't most people log to ram? Assuming this is the case with bering (which it should be as it is a floppy dist) moving over to CF shouldn't matter unless Paul decided to log to CF - and leave his CF mounted all the time (I don't think this would work - how would he ever back up a modification??).

S

From: [EMAIL PROTECTED]
To: brooksp5 [EMAIL PROTECTED]
CC: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] Compact Flash
Date: Tue, 23 Apr 2002 09:42:35 -0500

Sandisk for cards and adapters. Pricewatch has good deals on the cards. Plug in to IDE primary master. They come preformatted as bootable Fat16 so a Leaf Router will just copy after you use syslinux to load the loader. Same procedure as hard disk. If you want to go ext2, I can probably advise. Remember, these devices are only writable about a million times, so no logging.

brooksp5 [EMAIL PROTECTED] on 04/23/2002 07:26:26 AM
To: [EMAIL PROTECTED]
cc: (bcc: Phillip Watts/austin/Nlynx)
Subject: [Leaf-user] Compact Flash

Hello,

I have been using both Dachstein and Bering for the last few months. I now want to start working with compact flash cards; can anyone point me in the right direction to start off? I am just looking for some general links to recommended cards and where to look for How-To's etc.

I will probably be back looking for lots more information once I get started :}

Thanks
Paul
RE: [Leaf-user] ip_masq_ipsec.o for bering
Thanks for the Dachstein suggestion (and, yes, Charles is amazingly patient and helpful) but I have to stick with Bering due to other requirements that I have set on myself. Specifically, the desire to learn iptables. If I end up having to figure out how to compile my own kernel then so it has to be.

For the moment, however, I will go to the source... Mr. Nilo and Mr. Wolzak, how do you feel about including these patches into the Bering distribution? If this is feasible then could we expect it in the rc2 release?

Awaiting your response,
Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Chad Carr
Sent: Wednesday, April 24, 2002 10:22 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] ip_masq_ipsec.o for bering

On Wed, 24 Apr 2002 00:27:23 -0400 Eric B Kiser [EMAIL PROTECTED] wrote:

> [...]

Your assumptions are correct. As Tom said, the only ip_conntrack and ip_nat (formerly ip_masq) modules available in the default kernel sources are ftp and irc. Any others will need to be applied to your kernel sources as a patch (I believe Tom pointed you at the netfilter site before), then configure your kernel to build those new options as modules and build it.

http://www.netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO.txt

As far as I have seen, Bering does not include any non-standard netfilter modules. But, since Bering and Dachstein seem to be gaining some popularity for ipsec-based systems, it never hurts to ask Jacques whether he can patch his kernel with these. Well, it won't hurt you anyways (eh, Jacques!) ;-)

HTH,
Chad
Re: [Leaf-user] ip_masq_ipsec.o for bering
> Thanks for the Dachstein suggestion (and, yes, Charles is amazingly patient and helpful) but I have to stick with Bering due to other requirements that I have set on myself. Specifically, the desire to learn iptables. If I end up having to figure out how to compile my own kernel then so it has to be.
>
> For the moment, however, I will go to the source... Mr. Nilo and Mr. Wolzak, how do you feel about including these patches into the Bering distribution? If this is feasible then could we expect it in the rc2 release?

Apparently my previous post did not reach the list...

1/ Bering v1.0-rc2 will include ipsec support and allow your router to act as an ipsec server.

2/ As far as the client scenario is concerned, Tom mentioned in a previous post 2.4.x kernel modules most likely named ip_conntrack_ipsec.o and ip_nat_ipsec.o. I have not been able to find them on netfilter.org. Any links are welcomed.

Jacques
Re: [Leaf-user] VPN error, please help
Hi Charles and Lynn.

Thank you for your suggestions. Things have not changed much after I did the following as you advised:

- As per Lynn's remark, I now use only one /etc/ipsec.conf on both sides. The FreeSWAN doc said that you may need to change the line interfaces=, but they are identical in this case too, i.e. both use eth0. So only the ipsec.secrets are different.

- The ping I did was done on an internal machine behind the firewall, 192.168.9.204, not on the gateway (192.168.9.254). From there I tried to ping 192.168.1.202, another machine behind the remote gateway.

- I removed ip_masq_ipsec from /etc/modules. I also set eth0_IP_SPOOF=NO in /etc/network.conf

- I saw some suspicious variables in /etc/network.conf but not sure if they affect anything in my case:

  # Accept ICMP Redirects on ALL interfaces, also depends on /proc
  # per interface IP forwarding flag. - YES/NO
  ALLIF_ACCEPT_REDIRECTS=NO
  ...
  # Need these both for interfaces run by daemons - ie PPP, CIPE, some
  # WAN interfaces
  # IP spoofing protection by default for interfaces - YES/NO
  DEF_IP_SPOOF=YES
  ...
  eth1_IPADDR=192.168.1.254
  eth1_MASKLEN=24
  eth1_BROADCAST=192.168.1.255
  eth1_IP_SPOOF=YES
  ...

- After pinging, I saw nothing particular in /var/log/auth.log nor in /var/log/messages on both sides.

- I think I have protocol 50, 51 and UDP port 500 set in /etc/network.conf, but to be sure I list the partial output from net ipfilter list. You may see something wrong I have here.

Extern IP: 24.83.28.213
Chain input (policy DENY: 3 packets, 734 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0 0.0.0.0/0 5 -> *
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0 0.0.0.0/0 13 -> *
    0     0 DENY   icmp l- 0xFF 0x00 *    0.0.0.0/0 0.0.0.0/0 14 -> *
    0     0 DENY   all  l- 0xFF 0x00 eth0 0.0.0.0 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 255.255.255.255 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 127.0.0.0/8 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 224.0.0.0/4 0.0.0.0/0 n/a
   13   528 DENY   all  l- 0xFF 0x00 eth0 10.0.0.0/8 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 172.16.0.0/12 0.0.0.0/0 n/a
    5   280 DENY   all  l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 0.0.0.0/8 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 128.0.0.0/16 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 191.255.0.0/16 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.0.0.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 223.255.255.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 240.0.0.0/4 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.168.9.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 192.168.3.0/24 0.0.0.0/0 n/a
    0     0 DENY   all  l- 0xFF 0x00 eth0 24.83.28.213 0.0.0.0/0 n/a
    0     0 REJECT all  l- 0xFF 0x00 eth0 0.0.0.0/0 127.0.0.0/8 n/a
    0     0 REJECT all  l- 0xFF 0x00 eth0 0.0.0.0/0 192.168.9.0/24 n/a
...
11940 2123K ACCEPT udp  -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 500
    0     0 DENY   udp  -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 67
46676 7613K ACCEPT udp  -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> 1024:65535
  466 61519 ACCEPT icmp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * -> *
    0     0 ACCEPT ospf -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0
Re: [Leaf-user] VPN error, please help
> Thank you for your suggestions. Things have not changed much after I did the following as you advised:
>
> - As per Lynn's remark, I now use only one /etc/ipsec.conf on both sides. The FreeSWAN doc said that you may need to change the line interfaces=, but they are identical in this case too, i.e. both use eth0. So only the ipsec.secrets are different.

The previous configuration files you had looked fine...the left/right portions on each end don't have to match, as long as each end can figure out whether it's supposed to be left or right as defined by its own local configuration file. It's perfectly OK to have both sides think they're left, and the other end is right, or vice versa...

> - The ping I did was done on an internal machine behind the firewall, 192.168.9.204, not on the gateway (192.168.9.254). From there I tried to ping 192.168.1.202, another machine behind the remote gateway.

Good...this is how you are supposed to test.

> - I removed ip_masq_ipsec from /etc/modules. I also set eth0_IP_SPOOF=NO in /etc/network.conf.

This is good as well...

> - I saw some suspicious variables in /etc/network.conf but am not sure if they affect anything in my case:
>
> # Accept ICMP Redirects on ALL interfaces, also depends on /proc
> # per interface IP forwarding flag. - YES/NO
> ALLIF_ACCEPT_REDIRECTS=NO
> ...
> # Need these both for interfaces run by daemons - ie PPP, CIPE, some
> # WAN interfaces
> # IP spoofing protection by default for interfaces - YES/NO
> DEF_IP_SPOOF=YES
> ...
> eth1_IPADDR=192.168.1.254
> eth1_MASKLEN=24
> eth1_BROADCAST=192.168.1.255
> eth1_IP_SPOOF=YES
> ...

All this looks OK, and shouldn't affect your IPSec link on eth0.

> - After pinging, I saw nothing particular in /var/log/auth.log nor in /var/log/messages on both sides.
>
> - I think I have protocols 50, 51 and UDP port 500 set in /etc/network.conf, but to be sure I list the partial output from net ipfilter list. You may see something wrong I have here.

It looks like you do have the required IPSec firewall rules in place:

> Extern IP: 24.83.28.213
> Chain input (policy DENY: 3 packets, 734 bytes):
> pkts bytes target prot opt tosa tosx ifname mark outsize source destination ports
> 11940 2123K ACCEPT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * - 500
> 0 0 ACCEPT 50 -- 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
> 0 0 ACCEPT 51 -- 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a

Based on everything you've reported so far, I would either suspect firewall rules on the remote gateway (you only listed one side, so there could be problems with the other end), or someone filtering IPSec traffic between your two boxes. *MANY* ISPs are beginning to filter IPSec traffic for folks who don't pay business class rates...it's easy to do, and usually prompts most actual businesses to spend 2-3 times more for services. You might want to check with local user groups, and/or any online forums discussing your particular ISP(s), and see if they might be dropping your IPSec traffic.

The symptoms you're reporting are very consistent with protocol 50 traffic not making it through the network between your two VPN boxes. I don't know of an easy way to test for this...with the two LEAF boxes at either end, probably the easiest thing to do is run the following commands on *BOTH* VPN gateways:

ipchains -I input -p 50 -l
ipchains -I output -p 50 -l

This will cause *ALL* ESP (protocol 50) packets to get logged when entering and leaving your firewall. If you see packets getting sent from one machine, but not being received by the other end, you'll know something is wrong, probably the ISP at one end or the other filtering the traffic...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
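The check Charles does by eye above (are UDP 500, protocol 50 and protocol 51 accepted on the external interface, and is no earlier DENY shadowing them?) can be automated against the `net ipfilter list` output. This is an added example, not code from the thread or from LEAF: the listing excerpt is constructed in the format posted, and 203.0.113.5 is a placeholder for the remote gateway's address.

```python
# Evaluate an ipchains 'input' listing (the format LEAF's `net ipfilter list` prints) for the
# traffic an IPSec gateway needs: IKE (UDP 500), ESP (protocol 50) and AH (protocol 51).
# ipchains tries rules in order and the first match wins, so a DENY above an ACCEPT shadows it.
import ipaddress

# Constructed excerpt in the listing format shown in the thread (extern IP as posted).
LISTING = """\
Chain input (policy DENY: 3 packets, 734 bytes):
pkts bytes target prot opt tosa tosx ifname source destination ports
5 280 DENY all l- 0xFF 0x00 eth0 192.168.0.0/16 0.0.0.0/0 n/a
11940 2123K ACCEPT udp -- 0xFF 0x00 eth0 0.0.0.0/0 0.0.0.0/0 * - 500
0 0 ACCEPT 50 -- 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
0 0 ACCEPT 51 -- 0xFF 0x00 eth0 0.0.0.0/0 24.83.28.213 n/a
"""
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "50": 50, "51": 51}
TARGETS = ("ACCEPT", "DENY", "REJECT", "MASQ", "REDIRECT", "RETURN")

def parse_rules(listing):
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 10 or f[2] not in TARGETS:
            continue                                   # chain line or column header
        ports = f[10:]                                 # "* - 500" for udp/tcp, "n/a" otherwise
        dport = ports[2] if len(ports) == 3 else "*"
        rules.append(dict(target=f[2], prot=f[3], ifname=f[7], src=f[8], dst=f[9], dport=dport))
    return rules

def port_matches(spec, port):
    if spec == "*":                                    # '*', a single port, or a range 'lo:hi'
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(r, pkt):
    in_net = lambda ip, net: ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
    return ((r["prot"] == "all" or PROTO_NUM.get(r["prot"]) == pkt["proto"])
            and r["ifname"] in ("*", pkt["ifname"])
            and in_net(pkt["src"], r["src"]) and in_net(pkt["dst"], r["dst"])
            and (pkt["proto"] not in (6, 17) or port_matches(r["dport"], pkt["dport"])))

def verdict(rules, pkt, policy="DENY"):
    """Target of the first matching rule, else the chain policy."""
    return next((r["target"] for r in rules if rule_matches(r, pkt)), policy)

def check_ipsec_rules(listing, ifname, local_ip, peer_ip):
    """Verdict for IKE, ESP and AH arriving from peer_ip on ifname, addressed to local_ip."""
    probes = {"ike": (17, 500), "esp": (50, 0), "ah": (51, 0)}
    rules = parse_rules(listing)
    return {name: verdict(rules, dict(ifname=ifname, src=peer_ip, dst=local_ip, proto=proto, dport=dport))
            for name, (proto, dport) in probes.items()}
```

Run it on each gateway's own listing with that gateway's external IP and the other end's address; a DENY for esp while ike is ACCEPT reproduces exactly the symptom Charles describes, but from the firewall rather than the ISP.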
Re: [Leaf-user] VPN error, please help
I strongly hope that's my mistake somewhere and not the ISP's. If the ISP blocks the IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing ipsec module...).

The bad (and probably good -:)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.

Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?

Thank you.

-- Original Message --
From: Charles Steinkuehler [EMAIL PROTECTED]
Date: Wed, 24 Apr 2002 12:58:55 -0500

Based on everything you've reported so far, I would either suspect firewall rules on the remote gateway (you only listed one side, so there could be problems with the other end), or someone filtering IPSec traffic between your two boxes. *MANY* ISPs are beginning to filter IPSec traffic for folks who don't pay business class rates...it's easy to do, and usually prompts most actual businesses to spend 2-3 times more for services. You might want to check with local user groups, and/or any online forums discussing your particular ISP(s), and see if they might be dropping your IPSec traffic.

The symptoms you're reporting are very consistent with protocol 50 traffic not making it through the network between your two VPN boxes. I don't know of an easy way to test for this...with the two LEAF boxes at either end, probably the easiest thing to do is run the following commands on *BOTH* VPN gateways:

ipchains -I input -p 50 -l
ipchains -I output -p 50 -l

This will cause *ALL* ESP (protocol 50) packets to get logged when entering and leaving your firewall. If you see packets getting sent from one machine, but not being received by the other end, you'll know something is wrong, probably the ISP at one end or the other filtering the traffic...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
[Leaf-user] Re: bering port forwarding?
Hello Joe,

If I understand your drawing correctly you want to forward the request on your external address 207.5.x.y for port 80 (www) to the computer in the internal net with the IP number 192.168.1.200.

In general: the information about port forwarding you can find on the Shorewall page, www.shorewall.net, in this case under: documentation - rules.

Apart from the discussion whether it isn't better to put your webserver in a DMZ ;) you can accomplish this by adding a rule to shorewall - rules:

ACCEPT net loc:192.168.1.200 tcp www - 207.5.xx.yy

or, if you have an external dynamic address:

ACCEPT net loc:192.168.1.200 tcp www - all

Restart shorewall / or reload rules and you should be up.

Attention: you cannot try it out from the local net by typing in your external address in a browser.

> Hello,
>
> I recently upgraded my version of LEAF to the current Bering release. I have an internal web server (configured with a static ip). I cannot seem to find any documentation on how to port-forward port 80 to my internal web server. Can you point me anywhere that can help me? Or do you have any suggestions? Your help would be much appreciated.
>
> Thanks-
> Joe
> [EMAIL PROTECTED]

Eric Wolzak
member of the Bering crew
Re: [Leaf-user] VPN error, please help
> I strongly hope that's my mistake somewhere and not the ISP's. If the ISP blocks the IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing ipsec module...).
>
> The bad (and probably good -:)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.
>
> Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?

Look at the output of ip addr, ip route, ipsec look, and ipsec barf to check your network VPN setup. Fixing any problems depends on exactly what's wrong...

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
Hi Charles, MLu,

I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this? Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?

- Jon

Charles Steinkuehler wrote:

> > I strongly hope that's my mistake somewhere and not the ISP's. If the ISP blocks the IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing ipsec module...).
> >
> > The bad (and probably good -:)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.
> >
> > Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?
>
> Look at the output of ip addr, ip route, ipsec look, and ipsec barf to check your network VPN setup. Fixing any problems depends on exactly what's wrong...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [Leaf-user] VPN error, please help
I should probably amend that last statement - my current test setup is:

192.168.2.X - ipsec gateway {default} - 2Wire firewall - SSH Sentinel

And I am experiencing the same problems that MLu mentioned. If I try to add a route on the subnet machines (ok, sigh, windows), I get error 87. Do I even need to do this?

Thanks,
Jon
RE: [Leaf-user] VPN error, please help
I am still trying to figure out what the cause is. So far I believe that there must be something wrong in my network.conf (I have 2 internal, 1 DMZ, and for IPSEC testing I had to change 192.168.1 to 192.168.9, so I could have messed something up). If I understand correctly, ipsec should handle the routing. Charles, please correct me if I am wrong. If I find something I will send it to you and the list.

Thank you.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonathan French
Sent: Wednesday, April 24, 2002 8:43 PM
To: Charles Steinkuehler
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [Leaf-user] VPN error, please help

Hi Charles, MLu,

I'm having similar problems, and have found this thread helpful. I've been wondering, do we have to declare the routing on the gateways, or shouldn't ipsec handle this? Also, what if the ipsec router is not the default gateway for a machine that you are trying to ping from elsewhere? Do the pings try to return through the wrong router?

- Jon

Charles Steinkuehler wrote:

> > I strongly hope that's my mistake somewhere and not the ISP's. If the ISP blocks the IPSEC, could I connect to my office's VPN server? I could still do that before this experiment (removing ipsec module...).
> >
> > The bad (and probably good -:)) news is that I do not see anything logged in /var/log/messages on my site after I ping the other site.
> >
> > Lynn mentioned that "But more likely, the route to the correct local subnet on each machine is missing". How can I detect that and how do I fix it?
>
> Look at the output of ip addr, ip route, ipsec look, and ipsec barf to check your network VPN setup. Fixing any problems depends on exactly what's wrong...
>
> Charles Steinkuehler
> http://lrp.steinkuehler.net
> http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)