Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!
On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
[...]
> My goal with this configuration is to have two networks linked via IPSEC. I would expect that all users from site A will be able to communicate with all users on site B transparently, meaning that for all intents and purposes users on site A's internal network would be able to communicate with users from site B's internal network as if they were on the same LAN. If I am off base in how this works, please feel free to correct me.

DNS, WINS, and other forms of broadcast traffic will not work ideally across the tunnel transparently. For SMB networking, you'll likely have to link PDCs and/or WINS servers on each subnet. There is some information on this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt

--
~Lynn Avants
Linux Embedded Appliance Firewall Developer
http://leaf.sourceforge.net
http://guitarlynn.homelinux.org:81

---
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it help you create better code?
SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
RE: [leaf-user] IPSEC NAT traversal with shorewall HELP!
Thanks!

OK, I followed your procedure and I am getting this when I initiate the tunnel from the Victoria side:

ipsec whack --initiate --name victoria
002 victoria #1: initiating Main Mode
104 victoria #1: STATE_MAIN_I1: initiate
106 victoria #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 victoria #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 victoria #1: Main mode peer ID is ID_IPV4_ADDR: '139.142.224.39'
002 victoria #1: ISAKMP SA established
004 victoria #1: STATE_MAIN_I4: ISAKMP SA established
002 victoria #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+DISABLEARRIVALCHECK
117 victoria #2: STATE_QUICK_I1: initiate
010 victoria #2: STATE_QUICK_I1: retransmission; will wait 20s for response

It never completes the tunnel. Can anyone please tell me what I am missing here?

Thanks in advance!
Troy

-----Original Message-----
From: Lynn Avants [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 26, 2003 1:10 AM
To: Troy Aden; Leaf-User ([EMAIL PROTECTED])
Subject: Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!

> On Tuesday 25 November 2003 08:47 pm, Troy Aden wrote:
> [...]
> > My goal with this configuration is to have two networks linked via IPSEC. I would expect that all users from site A will be able to communicate with all users on site B transparently, meaning that for all intents and purposes users on site A's internal network would be able to communicate with users from site B's internal network as if they were on the same LAN. If I am off base in how this works, please feel free to correct me.
>
> DNS, WINS, and other forms of broadcast traffic will not work ideally across the tunnel transparently. For SMB networking, you'll likely have to link PDCs and/or WINS servers on each subnet. There is some information on this at http://leaf.sf.net/devel/guitarlynn/ipsec.txt
>
> --
> ~Lynn Avants
> Linux Embedded Appliance Firewall Developer
> http://leaf.sourceforge.net
> http://guitarlynn.homelinux.org:81
[leaf-user] IPSEC NAT traversal with shorewall HELP!
Hello all,

I have posted earlier regarding setting up an IPSEC gateway with Bering uClibc 2.0. I am happy to report that I have successfully set up an IPSEC tunnel between two routers (external interface only). The next step is to set up IPSEC so that I can communicate from router A's internal subnet to router B's internal subnet.

ROUTER A
Eth0 = 24.78.140.* -- Eth1 = 172.16.0.0/16

I want the 172.16.0.0/16 network to be able to communicate with the 192.168.1.0/24 network.

ROUTER B
Eth0 = 139.142.224.* -- Eth1 = 192.168.1.0/24

Can anyone please tell me exactly what I need to do to get this working? I will include all the relevant configs below. I realize that I may have things way too open security-wise, so if anyone has any pointers on how I should go about hardening this configuration please feel free to tell me. For example, what exactly do I need to have in my shorewall/rules and /policy files to allow IPSEC? (I suspect that my shorewall config is full of unnecessary rules and policies.)

My goal with this configuration is to have two networks linked via IPSEC. I would expect that all users from site A will be able to communicate with all users on site B transparently, meaning that for all intents and purposes users on site A's internal network would be able to communicate with users from site B's internal network as if they were on the same LAN. If I am off base in how this works, please feel free to correct me.

Here is my working config: (I apologize in advance since there is a fair amount here.) Also, for the sake of saving space, I am only posting one half of the connection in this post. The other half simply has the other router's external IP entered in the /etc/shorewall/tunnels file and the IPs are switched around in the /etc/ipsec.secrets file. I have also put in a bogus secrets password to save space. :-))

Thanks in advance!
To start the tunnel:
ipsec whack --initiate --name Victoria

To stop the tunnel:
ipsec whack --terminate --name Victoria

Working configs for router-to-router IPSEC, SITE A SIDE

/etc/shorewall/zones

#
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE      Short name of the zone (5 Characters or less in length).
# DISPLAY   Display name of the zone
# COMMENTS  Comments about the zone
#
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
vpn     VPN       Remote Networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,tcpflags
loc     eth1        detect
vpn     ipsec0

/etc/shorewall/policy

#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc       vpn    ACCEPT
vpn       loc    ACCEPT
vpn       fw     ACCEPT
net       vpn    ACCEPT
vpn       net    ACCEPT
fw        vpn    ACCEPT
loc       net    ACCEPT
net       loc    REJECT   ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw       net    ACCEPT
net       all    DROP     ULOG
all       all    REJECT   ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/rules

#ACTION   SOURCE   DEST   PROTO   DEST      SOURCE    ORIGINAL
#                                 PORT      PORT(S)   DEST
#IPSEC RULES
ACCEPT    net      fw     udp     500
ACCEPT    fw       net    udp     500
ACCEPT    vpn      fw     udp     500
ACCEPT    fw       vpn    udp     500
ACCEPT    vpn      loc    udp     500
ACCEPT    loc      vpn    udp     500
ACCEPT    vpn      net    udp     500
ACCEPT    net      vpn    udp     500
ACCEPT    net      fw     esp     -
ACCEPT    fw       net    esp     -
ACCEPT    vpn      fw     esp     -
ACCEPT    fw       vpn    esp     -
ACCEPT    vpn      loc    esp     -
ACCEPT    loc      vpn    esp     -
ACCEPT    vpn      net    esp     -
ACCEPT    net      vpn    esp     -
ACCEPT    net      fw     ah      -
ACCEPT    fw       net    ah      -
ACCEPT    vpn      fw     ah      -
ACCEPT    fw       vpn    ah      -
ACCEPT    vpn      loc    ah      -
ACCEPT    loc      vpn    ah      -
ACCEPT    vpn      net    ah      -
ACCEPT    net      vpn    ah      -
# Accept DNS connections from the firewall to the network
#
ACCEPT    fw       net    udp     53
ACCEPT    net
Re: [leaf-user] IPSEC NAT traversal with shorewall HELP!
On Tue, 25 Nov 2003, Troy Aden wrote:

> The next step is to setup IPSEC so that I can communicate from router A's internal subnet to Router B's internal subnet.
>
> ROUTER A
> Eth0 = 24.78.140.* -- Eth1 = 172.16.0.0/16
>
> I want 172.16.0.0/16 network to be able to communicate with 192.168.1.0/24 network.
>
> ROUTER B
> Eth0 = 139.142.224.* -- Eth1 = 192.168.1.0/24
>
> Can anyone please tell me exactly what I need to do to get this working?

From a Shorewall point of view, much less than you are doing. As a last resort, consult the Shorewall IPSEC documentation: http://www.shorewall.net/IPSEC.htm

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ [EMAIL PROTECTED]
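What "much less than you are doing" looks like in practice, as an added illustration that is neither from this thread nor from the Shorewall project: a cut-down version of the Site A configuration posted above. It assumes the Shorewall 1.4 column layouts shown in that post, that the `ipsec` entry in /etc/shorewall/tunnels (the mechanism the Shorewall IPSEC documentation describes) generates the IKE/ESP/AH accepts between the firewall and the peer gateway, and that the peer gateway is 139.142.224.39 as reported in the whack output. The `ipsecnat` tunnel type, which additionally opens UDP 4500 for NAT traversal, is only assumed to exist in later 1.4 releases; check your own version before relying on it.

```text
# /etc/shorewall/tunnels
#TYPE     ZONE   GATEWAY          GATEWAY ZONE
ipsec     net    139.142.224.39
# Only if one gateway sits behind a NAT box does NAT-T (UDP 4500) matter;
# both eth0 addresses here are public, so plain "ipsec" is enough.
#ipsecnat net    139.142.224.39

# /etc/shorewall/zones  (unchanged from the post)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
vpn     VPN       Remote Networks

# /etc/shorewall/interfaces  (unchanged from the post)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,norfc1918,tcpflags
loc     eth1        detect
vpn     ipsec0

# /etc/shorewall/policy
# The two LANs talk to each other through ipsec0; nothing else is opened.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       vpn    ACCEPT
vpn       loc    ACCEPT
loc       net    ACCEPT
net       loc    REJECT   ULOG
net       all    DROP     ULOG
all       all    REJECT   ULOG
# Dropped from the posted policy: the net<->vpn, vpn<->fw and fw<->vpn
# ACCEPT lines. None of them is needed to link 172.16.0.0/16 with
# 192.168.1.0/24; net->vpn and vpn->net would route Internet traffic into
# and out of the remote site through this firewall, and vpn->fw exposes the
# firewall itself to every host on the remote LAN.

# /etc/shorewall/rules
# No IPSEC rules at all: the tunnels entry above accepts udp/500, ESP and
# AH between fw and 139.142.224.39 in both directions. The vpn<->loc,
# vpn<->net and loc<->vpn udp/500/esp/ah lines in the posted file match
# traffic that never exists (ESP is terminated on the firewall before the
# cleartext appears on ipsec0), so they only add noise.
ACCEPT    fw       net    udp     53
```

The point of the reduction is not just tidiness: every extra ACCEPT policy on the vpn zone widens what a compromised host at the other site can reach, and policies are per zone pair, so "vpn fw ACCEPT" grants the whole remote subnet access to the firewall, not the single peer gateway the tunnel was set up for.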