[leaf-user] VPN Tunnel up but *no* traffic across connection?
Hello! I have created a certificate-based tunnel between a Leaf firewall and a Windows client using either the Windows 2000 VPN tool (http://vpn.ebootis.de/) or SSH Sentinel. In both cases, the client software establishes the connection, and according to Leaf's auth.log, the tunnel is 100% established. However, no traffic seems to come from the Leaf firewall to the Windows client. There are no entries in shorewall.log, or any other log entry.

From the Windows computer, when I ping or browse a computer behind the Leaf side of the VPN, it times out. The external interface of the Leaf box blinks, but the internal one does not. If I ping from a (Windows) client on the Leaf side to the Windows client, I get a response: "Response from 10.154.19.254: Port not available" (or something like that: I'll try to get it back again). The external interface does not blink. It seems that the tunnel is up, but something is not routing properly. Where can I look? There's *nothing* in any entry in any log in /var/log at all, especially shorewall.log: it's 0 bytes.

A little more info about the setup: I have a Windows notebook (the IPsec client) with a crossover cable into the external interface of the Leaf firewall. The notebook's IP is 68.208.33.29 (/29). Leaf's external IP is 68.208.33.25. Leaf's internal IP is 10.154.19.254 (/22). The internal interface is connected by crossover cable to a test Windows client running a web server. Its IP is 10.154.16.1.

To sum up: the logs on both the client and the server say that the tunnel is 100% up. I can make changes to the tunnel (SHA1 instead of MD5, for example) and they show up in the logs, so it certainly seems to be interoperating properly. However, no traffic actually seems to cross the tunnel. While using SSH Sentinel, the Statistics page says that it is indeed sending packets through the tunnel when I try to browse, but it gets zero in reply. When I try to browse from the client on the Leaf side, it just times out. The LED for the outer interface of the firewall does *not* blink when I do this, like I would expect it to.

Thank you very much for any suggestions you might be able to give me. I really appreciate the help you have given me so far (especially Mr. Steinkuehler!). I'm sure I'm most of the way there: the tunnel is up! I have detailed notes describing what I have done and I will be posting a summary when this is solved...

As usual, here are my config files:

Leaf (/etc/ipsec.conf):

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=3

conn OfficeToRemote
        authby=rsasig
        left=68.208.33.25
        leftsubnet=10.154.16.0/22
        leftnexthop=68.208.33.30
        leftfirewall=yes
        leftrsasigkey=%cert
        leftcert=certs/serverCert.pem
        right=%any
        rightrsasigkey=%cert
        keylife=30m
        pfs=yes
        auto=add

Windows:

conn Office
        left=%any
        right=68.208.33.25
        rightsubnet=10.154.16.0/255.255.252.0
        rightca=Proper cert text
        network=auto
        rekey=1800S/3K
        auto=start
        pfs=yes

Tim Massey

leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] VPN Tunnel up but *no* traffic across connection?
Timothy J. Massey wrote:

> Hello! I have created a certificate-based tunnel between a Leaf firewall and a Windows client using either the Windows 2000 VPN tool (http://vpn.ebootis.de/) or SSH Sentinel. In both cases, the client software establishes the connection, and according to Leaf's auth.log, the tunnel is 100% established. However, no traffic seems to come from the Leaf firewall to the Windows client. There are no entries in shorewall.log, or any other log entry.
>
> From the Windows computer, when I ping or browse a computer behind the Leaf side of the VPN, it times out. The external interface of the Leaf box blinks, but the internal one does not. If I ping from a (Windows) client on the Leaf side to the Windows client, I get a response: "Response from 10.154.19.254: Port not available" (or something like that: I'll try to get it back again). The external interface does not blink. It seems that the tunnel is up, but something is not routing properly. Where can I look? There's *nothing* in any entry in any log in /var/log at all, especially shorewall.log: it's 0 bytes.

The problem you describe can be caused if the keying traffic (UDP port 500) is allowed, but the encrypted data (ESP/Protocol 50 or AH/Protocol 51) is being blocked. Make sure you have an entry in /etc/shorewall/tunnels for your IPSec connection, and make sure your ISP isn't dropping the encrypted traffic (smarter ISPs do this to prevent VPN software from working at home unless you pay for SOHO-class access). If your ISP is blocking the encrypted traffic, using NAT-traversal (which tunnels the encrypted data across UDP port 500) should solve the problem, but I'd suspect firewall rules first.

-- Charles Steinkuehler [EMAIL PROTECTED]
RE: [leaf-user] VPN Tunnel up but *no* traffic across connection?
> left=68.208.33.25
> leftsubnet=10.154.16.0/22
> rightsubnet=10.154.16.0/255.255.252.0

(If I'm reading this correctly..) In left's view, 10.154.16.0/.252 is owned by left. IPsec routes get a lower route priority than local interface routes. Therefore, traffic won't bother to traverse over IPsec. Try changing the subnet range to something different.

If this isn't the case, please post a simplified ASCII map.

Regards, P
SOLVED: [leaf-user] VPN Tunnel up but *no* traffic across connection
Peter Mueller [EMAIL PROTECTED] wrote on 11/12/2004 12:42:27 PM:

> > left=68.208.33.25
> > leftsubnet=10.154.16.0/22
> > rightsubnet=10.154.16.0/255.255.252.0
>
> (If I'm reading this correctly..) In left's view, 10.154.16.0/.252 is owned by left. IPsec routes get a lower route priority than local interface routes. Therefore, traffic won't bother to traverse over IPsec. Try changing the subnet range to something different.

The difference between right and left is not a problem: if you want to set up both firewalls so that they interpret themselves as being left or right, or both be different, it does not matter. However, your statement did lead me to the answer.

Because the VPN client (a host endpoint) was on the same subnet as the Leaf firewall's external network, Leaf routed the traffic straight to it, instead of as part of the IPsec tunnel. Once I put a router in between the Windows VPN endpoint and the LEAF router, it worked.

To repeat: I made exactly zero VPN or IPsec configuration changes. I only moved the Windows VPN endpoint to an IP network different than the Leaf firewall's external network (i.e.: put a simple non-firewall, non-NAT computer with 2 interfaces acting as a router between them). And it now works.

Why wouldn't the IPsec tunnels have a *higher* priority than the interface routes? That doesn't make sense to me. It also was something that I did not think would happen: I have connected subnet-to-subnet firewalls directly together on the same external subnet without problems. Of course, there, the IP address that the Leaf firewall is given is of the *subnet* endpoint and therefore does not conflict with the interface route. However, because I have been doing that for years, I thought nothing of putting my VPN host endpoint in the same place...

Tim Massey
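The pitfall Tim describes above is easy to check for before bringing a tunnel up. The following is an added example for this archive, not code from the thread and not part of LEAF, FreeS/WAN or Shorewall: it parses a FreeS/WAN-style ipsec.conf (the real file or the flattened one-line form mail archives produce) and flags any conn whose remote side, the rightsubnet or, for a host endpoint, the peer itself, lies inside a network the gateway is directly connected to, plus the subnet-overlap case Peter raised. The function names, the assumption that LEAF's external interface is 68.208.33.25/29 (the same /29 the notebook was on), and the second "Overlap" conn with its documentation-range peer 198.51.100.7 are all constructed for the example; the OfficeToRemote values are the ones from the thread.

```python
"""Sanity check for route-based IPsec (FreeS/WAN KLIPS) configurations.

Added example, not from the thread or from LEAF/FreeS/WAN.  With route-based
IPsec the kernel route decides what gets encrypted, so a remote side that
lies inside a directly connected network never reaches ipsec0.
"""
import ipaddress
import shlex


def parse_ipsec_conf(text):
    """Parse FreeS/WAN-style ipsec.conf text into {"conn NAME": {key: value}}.

    'config NAME' and 'conn NAME' open a section; every other token is
    key=value.  Tokenising on whitespace means a real file and the flattened
    one-line form seen in mail archives parse identically.  Values containing
    spaces must be quoted, as ipsec.conf itself requires.
    """
    sections = {}
    current = None
    tokens = shlex.split(text)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("config", "conn") and i + 1 < len(tokens):
            current = tok + " " + tokens[i + 1]
            sections.setdefault(current, {})
            i += 2
            continue
        if current is not None and "=" in tok:
            key, value = tok.split("=", 1)
            sections[current][key] = value
        i += 1
    return sections


def _as_network(value):
    """ipsec.conf address or subnet -> ip_network; None for %any, %cert, etc."""
    if value is None or value.startswith("%"):
        return None
    # Accepts "10.154.16.0/22" as well as "10.154.16.0/255.255.252.0".
    return ipaddress.ip_network(value, strict=False)


def check_conn(conn, connected, peer=None):
    """Return a list of findings (strings) for one conn section.

    conn      -- key/value dict from parse_ipsec_conf
    connected -- the gateway's own interfaces as "addr/prefix" strings
    peer      -- address a road warrior actually connected from; it stands in
                 for right=%any, which the file alone cannot resolve
    """
    findings = []
    connected_nets = [ipaddress.ip_interface(c).network for c in connected]

    right = conn.get("right")
    if peer is not None and (right is None or right.startswith("%")):
        right = peer
    left_subnet = _as_network(conn.get("leftsubnet"))
    right_subnet = _as_network(conn.get("rightsubnet"))
    # Without rightsubnet the remote side is the peer host itself (a /32).
    remote = right_subnet or _as_network(right)

    if remote is not None:
        for net in connected_nets:
            if remote.overlaps(net):
                findings.append(
                    "remote side %s lies in directly connected network %s: "
                    "the interface route wins and traffic bypasses the tunnel"
                    % (remote, net))
    if (left_subnet is not None and right_subnet is not None
            and left_subnet.overlaps(right_subnet)):
        findings.append("leftsubnet %s overlaps rightsubnet %s"
                        % (left_subnet, right_subnet))
    return findings


def diagnose(text, connected, peer=None):
    """Run check_conn over every real conn (config and %default are skipped)."""
    return {name: check_conn(conn, connected, peer)
            for name, conn in parse_ipsec_conf(text).items()
            if name.startswith("conn ") and not name.endswith("%default")}


# Constructed sample: OfficeToRemote as posted in the thread, plus a made-up
# subnet-to-subnet conn whose peer 198.51.100.7 is documentation address space.
SAMPLE_CONF = """
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
conn %default
        keyingtries=3
conn OfficeToRemote
        authby=rsasig
        left=68.208.33.25
        leftsubnet=10.154.16.0/22
        leftnexthop=68.208.33.30
        leftfirewall=yes
        leftrsasigkey=%cert
        leftcert=certs/serverCert.pem
        right=%any
        rightrsasigkey=%cert
        keylife=30m
        pfs=yes
        auto=add
conn Overlap
        left=68.208.33.25
        leftsubnet=10.154.16.0/22
        right=198.51.100.7
        rightsubnet=10.154.18.0/24
"""

# Gateway interfaces as described in the thread; the /29 on the outside is an
# assumption taken from the notebook's 68.208.33.29/29.
GATEWAY_IFACES = ["68.208.33.25/29", "10.154.19.254/22"]

if __name__ == "__main__":
    report = diagnose(SAMPLE_CONF, GATEWAY_IFACES, peer="68.208.33.29")
    for name, findings in report.items():
        print(name + ":")
        for line in findings or ["ok"]:
            print("    " + line)
```

Run it as shown and OfficeToRemote is flagged because the notebook's /32 sits inside 68.208.33.24/29, exactly the condition Tim cleared by putting a router between the two; with a peer from any other network the conn comes back clean, and the Overlap conn collects both findings.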
Re: SOLVED: [leaf-user] VPN Tunnel up but *no* traffic across connection
Timothy J. Massey wrote: Why wouldn't the IPSec tunnels not have a *higher* priority than the interface routes? That doesn't make sense to me. It's pretty nonsensical all right and is one of the reasons that there is a policy-based IPSEC implementation in the 2.6 Linux kernel. The old implementation in FreeS/Wan and its derivatives used routing to trigger encryption -- it was a flawed approach. -Tom -- Tom Eastep\ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key signature.asc Description: OpenPGP digital signature