Dear list,
I'm running Shorewall on a dedicated Fedora 7 box. Shorewall is working
well as an office DSL router (dynamic IP) with loc and dmz zones. I am now
trying to configure IPSec to connect a VPS, "casp", with a static IP to both
the firewall and to the loc network behind it. The host to host SA works
fine. However, pings from "loc" to "casp" can be seen coming in the loc
zone's interface (tcpdump), but from there seem to just disappear: no log
messages about the packets being rejected, and no attempt to negotiate the
SA. I'm not an expert on Shorewall or IPSec, and am not sure where to look
for the problem. Below is my setup, with IP addresses disguised to protect
the innocent.
Thanks in advance for any help! Pointers on debugging interfaces besides
tcpdump, the Shorewall logs and setkey are highly appreciated.
/etc/shorewall/hosts:
> #ZONE HOST(S) OPTIONS
> casp ppp0:1.2.3.4 ipsec
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
/etc/shorewall/interfaces:
> #ZONE INTERFACE BROADCAST OPTIONS
> net ppp0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
> loc eth0 detect tcpflags,nosmurfs,dhcp
> dmz eth1 detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/masq:
> #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
> ppp0 eth0 # local
> ppp0 eth1 # dmz
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/policy:
> #SOURCE DEST POLICY LOG LIMIT:BURST
> # LEVEL
> # VPN: FW + loc to casp
> #
> loc casp ACCEPT info
> casp loc ACCEPT info
> $FW casp ACCEPT info
> casp $FW ACCEPT info
> #
> # Policies for traffic originating from the local LAN (loc)
> #
> loc net ACCEPT
> loc dmz ACCEPT
> loc $FW REJECT info
> loc all REJECT info
> #
> # Policies for traffic originating from the firewall ($FW)
> #
> $FW net ACCEPT
> $FW dmz REJECT info
> $FW loc REJECT info
> $FW all REJECT info
> #
> # Policies for traffic originating from the De-Militarized Zone (dmz)
> #
> dmz net ACCEPT info
> dmz $FW REJECT info
> dmz loc REJECT info
> dmz all REJECT info
> #
> # Policies for traffic originating from the Internet zone (net)
> #
> net dmz DROP info
> net $FW DROP info
> net loc DROP info
> net all DROP info
>
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> #LAST LINE -- DO NOT REMOVE
/etc/shorewall/rules:
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
> # PORT PORT(S) DEST LIMIT GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
>
> #
> # Accept ipsec to/from the firewall
> #
> ACCEPT $FW any 50
> ACCEPT any $FW 50
> ACCEPT $FW any udp 500
> ACCEPT any $FW udp 500
> #
> # Forward specific connections from the firewall to local machines
> #
> DNAT net loc:192.168.3.14 tcp 25
> DNAT net loc:192.168.3.15 udp 4569
> #
> # Accept DNS connections from the firewall to the Internet
> #
> DNS/ACCEPT $FW net
> DNS/ACCEPT $FW loc
> DNS/ACCEPT $FW casp
> #
> #
> # Accept SSH connections from the local network to the firewall and DMZ
> #
> SSH/ACCEPT loc $FW
> SSH/ACCEPT loc dmz
> SSH/ACCEPT net $FW
> SSH/ACCEPT $FW casp
> SSH/ACCEPT $FW loc
> #
> # DMZ DNS access to the Internet
> #
> DNS/ACCEPT dmz net
>
> # Reject Ping from the "bad" net zone.
>
> Ping/REJECT net $FW
> #
> # Make ping work bi-directionally between the dmz, net, Firewall and local zone
> # (assumes that the loc-> net policy is ACCEPT).
> #
> Ping/ACCEPT loc $FW
> Ping/ACCEPT dmz $FW
> Ping/ACCEPT loc dmz
> Ping/ACCEPT dmz loc
> Ping/ACCEPT dmz net
> Ping/ACCEPT loc casp
> Ping/ACCEPT casp loc
>
> ACCEPT $FW net icmp
> ACCEPT $FW loc icmp
> ACCEPT $FW dmz icmp
> ACCEPT $FW casp icmp
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/tunnels:
> #TYPE ZONE GATEWAY GATEWAY
> # ZONE
> ipsec net 1.2.3.4 casp
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/zones:
> #ZONE TYPE OPTIONS IN OUT
> # OPTIONS OPTIONS
> casp ipsec
> fw firewall
> net ipv4
> loc ipv4
> dmz ipv4
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/racoon/racoon.conf (dynamically generated):
> path certificate "/etc/racoon/certs";
>
> listen
> {
> isakmp 5.6.7.8;
> }
>
> remote 1.2.3.4
> {
> exchange_mode main;
> certificate_type x509 "sandy.pem" "sandy_key.pem";
> verify_cert on;
> my_identifier asn1dn ;
> peers_identifier asn1dn ;
> verify_identifier on ;
> lifetime time 24 hour ;
> proposal {
> encryption_algorithm blowfish;
> hash_algorithm sha1;
> authentication_method rsasig ;
> dh_group 2 ;
> }
> }
>
> sainfo address 192.168.3.0/24 any address 1.2.3.4/32 any
> {
> pfs_group 2;
> lifetime time 12 hour ;
> encryption_algorithm blowfish ;
> authentication_algorithm hmac_sha1, hmac_md5 ;
> compression_algorithm deflate ;
> }
>
> sainfo address 5.6.7.8/32 any address 1.2.3.4/32 any
> {
> pfs_group 2;
> lifetime time 12 hour ;
> encryption_algorithm blowfish ;
> authentication_algorithm hmac_sha1, hmac_md5 ;
> compression_algorithm deflate ;
> }
/etc/racoon/setkey.conf (dynamically generated):
> flush;
> spdflush;
> spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
> spdadd 1.2.3.4/32 5.6.7.8/32 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
> spdadd 1.2.3.4/32 192.168.3.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
> spdadd 192.168.3.0/24 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
Output of setkey commands:
> # setkey -D
> 5.6.7.8 1.2.3.4
> esp mode=tunnel spi=44968740(0x02ae2b24) reqid=0(0x00000000)
> E: blowfish-cbc bbe97c73 9f8e2a29 d707c1b5 385b91a2
> A: hmac-sha1 370d0ac2 c507d432 1a5b48b5 ceb7d2d9 c42a7718
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: Sep 3 17:12:02 2007 current: Sep 3 19:31:38 2007
> diff: 8376(s) hard: 43200(s) soft: 34560(s)
> last: Sep 3 17:12:02 2007 hard: 0(s) soft: 0(s)
> current: 2096(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 17 hard: 0 soft: 0
> sadb_seq=1 pid=4820 refcnt=0
> 1.2.3.4 5.6.7.8
> esp mode=tunnel spi=116316636(0x06eed9dc) reqid=0(0x00000000)
> E: blowfish-cbc 4a0d645b bd27c956 8ff054fd f530c6ff
> A: hmac-sha1 4e188a7e e5a78e6b 4330bf40 63d26fad 67127967
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: Sep 3 17:12:02 2007 current: Sep 3 19:31:38 2007
> diff: 8376(s) hard: 43200(s) soft: 34560(s)
> last: Sep 3 17:12:03 2007 hard: 0(s) soft: 0(s)
> current: 1244(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 15 hard: 0 soft: 0
> sadb_seq=0 pid=4820 refcnt=0
>
> # setkey -DP
> 192.168.3.0/24[any] 1.2.3.4[any] any
> in prio def ipsec
> esp/tunnel/5.6.7.8-1.2.3.4/require
> created: Sep 3 17:11:49 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2184 seq=1 pid=4821
> refcnt=1
> 1.2.3.4[any] 5.6.7.8[any] any
> in prio def ipsec
> esp/tunnel/1.2.3.4-5.6.7.8/require
> created: Sep 3 17:11:49 2007 lastused: Sep 3 17:55:24 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2160 seq=2 pid=4821
> refcnt=1
> 1.2.3.4[any] 192.168.3.0/24[any] any
> out prio def ipsec
> esp/tunnel/1.2.3.4-5.6.7.8/require
> created: Sep 3 17:11:49 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2177 seq=3 pid=4821
> refcnt=1
> 5.6.7.8[any] 1.2.3.4[any] any
> out prio def ipsec
> esp/tunnel/5.6.7.8-1.2.3.4/require
> created: Sep 3 17:11:49 2007 lastused: Sep 3 17:55:24 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2153 seq=4 pid=4821
> refcnt=1
> 192.168.3.0/24[any] 1.2.3.4[any] any
> fwd prio def ipsec
> esp/tunnel/5.6.7.8-1.2.3.4/require
> created: Sep 3 17:11:49 2007 lastused: Sep 3 19:31:56 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2194 seq=5 pid=4821
> refcnt=2
> 1.2.3.4[any] 5.6.7.8[any] any
> fwd prio def ipsec
> esp/tunnel/1.2.3.4-5.6.7.8/require
> created: Sep 3 17:11:49 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2170 seq=6 pid=4821
> refcnt=1
> (per-socket policy)
> in none
> created: Sep 3 17:11:50 2007 lastused: Sep 3 17:12:02 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2203 seq=7 pid=4821
> refcnt=1
> (per-socket policy)
> out none
> created: Sep 3 17:11:50 2007 lastused: Sep 3 17:12:02 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2212 seq=0 pid=4821
> refcnt=1
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
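A debugging aid for the question above, added here as an example: it is not part of the original post, of Shorewall, or of ipsec-tools. It parses the text format of `setkey -DP` and asks, for every SPD entry, whether the policy direction agrees with which side of the tunnel the selector addresses sit on: an `out` policy should carry traffic from a local address and name a local tunnel source, while an `in` or `fwd` policy should deliver traffic to a local address and name a local tunnel destination. The embedded sample is the dump quoted in the post, trimmed to the lines the parser reads; the local prefixes (192.168.3.0/24 and the firewall's own 5.6.7.8) are the ones the post uses. Run against that sample, the two host-to-host entries pass and the three entries pairing 192.168.3.0/24 with 1.2.3.4 (spid 2184, 2177 and the kernel-generated fwd entry 2194) are flagged, which is worth comparing against the third and fourth `spdadd` lines in setkey.conf. The kernel applies the `fwd` policy check to a forwarded packet before netfilter's FORWARD chain sees it, so a packet rejected there produces no Shorewall log entry, which matches the silent disappearance described.

```python
# Sanity check for `setkey -DP` output (added example, not ipsec-tools or
# Shorewall code): does each SPD entry's direction match the local side?
import ipaddress
import re

# Constructed sample: the `setkey -DP` dump quoted in the post, trimmed to the
# lines this checker reads (header, direction, tunnel spec, spid).
SAMPLE_SPD = """\
192.168.3.0/24[any] 1.2.3.4[any] any
    in prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    spid=2184 seq=1 pid=4821
1.2.3.4[any] 5.6.7.8[any] any
    in prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    spid=2160 seq=2 pid=4821
1.2.3.4[any] 192.168.3.0/24[any] any
    out prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    spid=2177 seq=3 pid=4821
5.6.7.8[any] 1.2.3.4[any] any
    out prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    spid=2153 seq=4 pid=4821
192.168.3.0/24[any] 1.2.3.4[any] any
    fwd prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    spid=2194 seq=5 pid=4821
1.2.3.4[any] 5.6.7.8[any] any
    fwd prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    spid=2170 seq=6 pid=4821
(per-socket policy)
    in none
    spid=2203 seq=7 pid=4821
"""

HDR_RE = re.compile(r"^([^\[\s]+)\[[^\]]*\]\s+([^\[\s]+)\[[^\]]*\]\s+(\S+)")
DIR_RE = re.compile(r"^\s*(in|out|fwd)\s+(?:prio\s+\S+\s+)?(\S+)")
TUN_RE = re.compile(r"^\s*(?:esp|ah|ipcomp)/tunnel/([^-]+)-([^/]+)/")
SPID_RE = re.compile(r"^\s*spid=(\d+)")


def parse_spd(text):
    """One dict per selector-based SPD entry; '(per-socket policy)' blocks are skipped."""
    entries, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():          # unindented line = new entry header
            m = HDR_RE.match(line)
            cur = None
            if m:
                cur = {"src": ipaddress.ip_network(m.group(1), strict=False),
                       "dst": ipaddress.ip_network(m.group(2), strict=False),
                       "dir": None, "action": None, "tunnel": None, "spid": None}
                entries.append(cur)
        elif cur is not None:                       # indented detail line of the entry
            m = DIR_RE.match(line)
            if m:
                cur["dir"], cur["action"] = m.group(1), m.group(2)
            m = TUN_RE.match(line)
            if m:
                cur["tunnel"] = tuple(ipaddress.ip_address(a) for a in m.groups())
            m = SPID_RE.match(line)
            if m:
                cur["spid"] = int(m.group(1))
    return entries


def audit_spd(text, local_nets, local_endpoints):
    """Flag entries whose direction disagrees with the local side of the tunnel."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    endpoints = {ipaddress.ip_address(a) for a in local_endpoints}
    findings = []
    for e in parse_spd(text):
        src_local = any(e["src"].subnet_of(n) for n in nets)
        dst_local = any(e["dst"].subnet_of(n) for n in nets)
        problems = []
        if e["dir"] == "out" and dst_local and not src_local:
            problems.append("out policy, but the destination selector is local")
        if e["dir"] in ("in", "fwd") and src_local and not dst_local:
            problems.append("%s policy, but the source selector is local" % e["dir"])
        if e["action"] == "ipsec" and e["tunnel"]:
            tun_src, tun_dst = e["tunnel"]
            if e["dir"] == "out" and tun_src not in endpoints:
                problems.append("tunnel source %s is not a local endpoint" % tun_src)
            if e["dir"] in ("in", "fwd") and tun_dst not in endpoints:
                problems.append("tunnel destination %s is not a local endpoint" % tun_dst)
        findings.append({"spid": e["spid"], "dir": e["dir"], "src": str(e["src"]),
                         "dst": str(e["dst"]), "problems": problems})
    return findings


if __name__ == "__main__":
    # Local side as in the post: the LAN behind the firewall plus the firewall's
    # public address, which is also the only local tunnel endpoint.
    for f in audit_spd(SAMPLE_SPD, ["192.168.3.0/24", "5.6.7.8/32"], ["5.6.7.8"]):
        status = "ok " if not f["problems"] else "BAD"
        print("%s spid=%s %-4s %s -> %s" % (status, f["spid"], f["dir"], f["src"], f["dst"]))
        for p in f["problems"]:
            print("        " + p)
```

To use it on a live system, pipe the real dump in (`setkey -DP | python3 spdcheck.py` after replacing `SAMPLE_SPD` with `sys.stdin.read()`) and pass the prefixes that are local to the box running it; the direction check is deliberately one-sided (it never complains about an `in` policy whose destination is local, which is exactly what a correct inbound policy looks like), so anything it does report is worth a look.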