[leaf-user] VPN Tunnel up but *no* traffic across connection?

2004-11-12 Thread Timothy J. Massey
Hello!
I have created a certificate-based tunnel between a Leaf firewall and a 
Windows client using either the Windows 2000 VPN tool 
(http://vpn.ebootis.de/) or SSH Sentinel.  In both cases, the client 
software establishes the connection, and according to Leaf's auth.log, 
the tunnel is 100% established.

However, no traffic seems to come from the Leaf firewall to the Windows 
client.  There are no entries in shorewall.log, or any other log entry.  
From the Windows computer, when I ping or browse a computer behind the 
Leaf side of the VPN, it times out.  The external interface of the Leaf 
box blinks, but the internal one does not.  If I ping from a (Windows) 
client on the Leaf side to the Windows client, I get a response:  
Response from 10.154.19.254:  Port not available (or something like 
that:  I'll try to get it back again).  The external interface does not 
blink.

It seems that the tunnel is up, but something is not routing properly.  
Where can I look?  There's *nothing* in any entry in any log in /var/log 
at all, especially shorewall.log: it's 0 bytes.

A little more info about the setup:  I have a Windows notebook (the 
IPsec client) with a crossover cable into the external interface of the 
Leaf firewall.  The notebook's IP is 68.208.33.29(/29).  Leaf's external 
IP is 68.208.33.25.  Leaf's Internal IP is 10.154.19.254(/22).  The 
internal interface is connected by crossover cable to a test Windows 
client running a web server.  Its IP is 10.154.16.1.

To sum up: the logs on both the client and the server say that the 
tunnel is 100% up.  I can make changes to the tunnel (SHA1 instead of 
MD5, for example) and they show up in the logs, so it certainly seems to 
be interoperating properly.  However, no traffic actually seems to cross 
the tunnel.  While using SSH Sentinel, the Statistics page says that it 
is indeed sending packets through the tunnel when I try to browse, but 
it gets zero in reply.  When I try to browse from the client on the Leaf 
side, it just times out.  The LED for the outer interface of the 
firewall does *not* blink when I do this, like I would expect it to.

Thank you very much for any suggestions you might be able to give me.  I 
really appreciate the help you have given me so far (especially Mr. 
Steinkuehler!).  I'm sure I'm most of the way there:  the tunnel is up!  
I have detailed notes describing what I have done and I will be posting 
a summary when this is solved...

As usual, here are my config files:
Leaf:
config setup
   interfaces=%defaultroute
   klipsdebug=none
   plutodebug=none
   plutoload=%search
   plutostart=%search
   uniqueids=yes
conn %default
   keyingtries=3
conn OfficeToRemote
   authby=rsasig
   left=68.208.33.25
   leftsubnet=10.154.16.0/22
   leftnexthop=68.208.33.30
   leftfirewall=yes
   leftrsasigkey=%cert
   leftcert=certs/serverCert.pem
   right=%any
   rightrsasigkey=%cert
   keylife=30m
   pfs=yes
   auto=add
Windows:
conn Office
   left=%any
   right=68.208.33.25
   rightsubnet=10.154.16.0/255.255.252.0
   rightca=Proper cert text
   network=auto
   rekey=1800S/3K
   auto=start
   pfs=yes

Tim Massey


leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html


Re: [leaf-user] VPN Tunnel up but *no* traffic across connection?

2004-11-12 Thread Charles Steinkuehler
Timothy J. Massey wrote:
> Hello!
> I have created a certificate-based tunnel between a Leaf firewall and a 
> Windows client using either the Windows 2000 VPN tool 
> (http://vpn.ebootis.de/) or SSH Sentinel.  In both cases, the client 
> software establishes the connection, and according to Leaf's auth.log, 
> the tunnel is 100% established.
> 
> However, no traffic seems to come from the Leaf firewall to the Windows 
> client.  There are no entries in shorewall.log, or any other log entry.  
> From the Windows computer, when I ping or browse a computer behind the 
> Leaf side of the VPN, it times out.  The external interface of the Leaf 
> box blinks, but the internal one does not.  If I ping from a (Windows) 
> client on the Leaf side to the Windows client, I get a response:  
> Response from 10.154.19.254:  Port not available (or something like 
> that:  I'll try to get it back again).  The external interface does not 
> blink.
> 
> It seems that the tunnel is up, but something is not routing properly.  
> Where can I look?  There's *nothing* in any entry in any log in /var/log 
> at all, especially shorewall.log: it's 0 bytes.

The problem you describe can be caused if the keying traffic (UDP port 500) 
is allowed, but the encrypted data (ESP/Protocol 50 or AH/Protocol 51) is 
being blocked.

Make sure you have an entry in /etc/shorewall/tunnels for your IPSec 
connection, and make sure your ISP isn't dropping the encrypted traffic 
(smarter ISPs do this to prevent VPN software from working at home unless 
you pay for SOHO class access).

If your ISP is blocking the encrypted traffic, using NAT-traversal (which 
tunnels the encrypted data across UDP port 500) should solve the problem, 
but I'd suspect firewall rules first.

--
Charles Steinkuehler
[EMAIL PROTECTED]


RE: [leaf-user] VPN Tunnel up but *no* traffic across connection?

2004-11-12 Thread Peter Mueller
> left=68.208.33.25
> leftsubnet=10.154.16.0/22
> 
> rightsubnet=10.154.16.0/255.255.252.0

(If I'm reading this correctly..)
In left's view, 10.154.16.0/.252 is owned by left.  IPsec routes get a lower
route priority than local interface routes.  Therefore, traffic won't bother
to traverse over IPsec.  Try changing the subnet range to something
different.

If this isn't the case, please post a simplified ascii map.

Regards,

P




SOLVED: [leaf-user] VPN Tunnel up but *no* traffic across connection

2004-11-12 Thread Timothy J. Massey
Peter Mueller [EMAIL PROTECTED] wrote on 11/12/2004 12:42:27 PM:
> > left=68.208.33.25
> > leftsubnet=10.154.16.0/22
> > 
> > rightsubnet=10.154.16.0/255.255.252.0
> 
> (If I'm reading this correctly..)
> In left's view, 10.154.16.0/.252 is owned by left.  Ipsec routes get a lower
> route priority than local interface routes.  Therefore, traffic won't bother
> to traverse over IPSec.  Try changing the subnet range to something
> different.

The difference between right and left is not a problem:  if you want to 
set up both firewalls so that they interpret themselves as being left or 
right, or both be different, it does not matter.

However, your statement did lead me to the answer.  Because the VPN 
client (a host endpoint) was on the same subnet as the Leaf firewall's 
external network, Leaf routed the traffic straight to it, instead of as 
part of the IPSec tunnel.  Once I put a router in between the Windows 
VPN endpoint and the LEAF router, it worked.

To repeat:  I made exactly zero VPN or IPSec configuration changes.  I 
only moved the Windows VPN endpoint to an IP network different than the 
Leaf firewall's external network (i.e.: put a simple non-firewall, 
non-NAT computer with 2 interfaces acting as a router between them).  
And it now works.

Why wouldn't the IPSec tunnels have a *higher* priority than the 
interface routes?  That doesn't make sense to me.  It also was something 
that I did not think would happen:  I have connected subnet-to-subnet 
firewalls directly together on the same external subnet without 
problems.  Of course, there, the IP address that the Leaf firewall is 
given is of the *subnet* endpoint and therefore does not conflict with 
the interface route.  However, because I have been doing that for years, 
I thought nothing of putting my VPN host endpoint in the same place...

Tim Massey
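As an added illustration (not code from the thread or from LEAF/FreeS/WAN), the check below reproduces the condition Tim hit: with route-triggered IPsec, a peer that sits inside a directly connected network, or a remote subnet that overlaps a local one, is reached by the interface route and never enters the tunnel. It assumes the list of connected networks is supplied by hand (what `ip route` would show as directly attached) and that the client's negotiated address is substituted for the `right=%any` in Tim's real conn, since `%any` cannot be checked statically.

```python
import ipaddress

# Constructed from the thread's addresses: Leaf's external interface lives in
# 68.208.33.24/29 and its internal interface in 10.154.16.0/22. On a real box
# these would be read from the kernel routing table.
CONNECTED = ["68.208.33.24/29", "10.154.16.0/22"]


def parse_conn(text):
    """Turn one ipsec.conf 'conn' section into a dict of key=value settings."""
    conn = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def find_route_conflicts(conn, connected=CONNECTED):
    """List reasons why traffic would follow an interface route instead of
    the tunnel; an empty list means no conflict was found."""
    nets = [ipaddress.ip_network(n) for n in connected]
    problems = []
    peer = conn.get("right", "%any")
    if not peer.startswith("%"):  # %any / %defaultroute are resolved at runtime
        peer_ip = ipaddress.ip_address(peer)
        for net in nets:
            if peer_ip in net:
                problems.append(f"peer {peer} lies in directly connected {net}; "
                                "the interface route wins over the IPsec route")
    remote = conn.get("rightsubnet")
    if remote:
        # ip_network accepts both prefix (/22) and dotted-mask notation
        remote_net = ipaddress.ip_network(remote, strict=False)
        for net in nets:
            if remote_net.overlaps(net):
                problems.append(f"rightsubnet {remote_net} overlaps local {net}")
    return problems


# Constructed: Tim's conn with the Windows client's address filled in for right=.
BROKEN = parse_conn("""conn OfficeToRemote
   left=68.208.33.25
   leftsubnet=10.154.16.0/22
   right=68.208.33.29
""")
# Same conn after the client moved behind a router (address is made up here).
FIXED = dict(BROKEN, right="68.208.40.29")

if __name__ == "__main__":
    for name, c in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, find_route_conflicts(c) or "no conflict")
```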



Re: SOLVED: [leaf-user] VPN Tunnel up but *no* traffic across connection

2004-11-12 Thread Tom Eastep
Timothy J. Massey wrote:
> Why wouldn't the IPSec tunnels have a *higher* priority than the 
> interface routes?  That doesn't make sense to me.

It's pretty nonsensical all right and is one of the reasons that there 
is a policy-based IPSEC implementation in the 2.6 Linux kernel. The old 
implementation in FreeS/Wan and its derivatives used routing to trigger 
encryption -- it was a flawed approach.

-Tom
--
Tom Eastep\ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

