Dear list,
I'm running Shorewall on a dedicated Fedora 7 box. Shorewall is
working well as an office DSL router (dynamic IP) with loc and dmz
zones. I am now trying to configure IPSec to connect a VPS, "casp",
with a static IP to both the firewall and to the loc network behind
it. The host to host SA works fine. However, pings from "loc" to
"casp" can be seen coming in on the loc zone's interface (tcpdump), but
from there seem to just disappear: no log messages about the packets
being rejected, and no attempt to negotiate the SA. I'm not an expert
on Shorewall or IPSec, and am not sure where to look for the problem.
Below is my setup, with IP addresses disguised to protect the innocent.
Thanks in advance for any help! Pointers on debugging interfaces
besides tcpdump, the Shorewall logs and setkey are highly appreciated.
/etc/shorewall/hosts:
#ZONE HOST(S) OPTIONS
casp ppp0:1.2.3.4 ipsec
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
loc eth0 detect tcpflags,nosmurfs,dhcp
dmz eth1 detect
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
ppp0 eth0 # local
ppp0 eth1 # dmz
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/policy:
#SOURCE DEST POLICY LOG LIMIT:BURST
# LEVEL
# VPN: FW + loc to casp
#
loc casp ACCEPT info
casp loc ACCEPT info
$FW casp ACCEPT info
casp $FW ACCEPT info
#
# Policies for traffic originating from the local LAN (loc)
#
loc net ACCEPT
loc dmz ACCEPT
loc $FW REJECT info
loc all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
#
$FW net ACCEPT
$FW dmz REJECT info
$FW loc REJECT info
$FW all REJECT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
#
dmz net ACCEPT info
dmz $FW REJECT info
dmz loc REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
#
net dmz DROP info
net $FW DROP info
net loc DROP info
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- DO NOT REMOVE
/etc/shorewall/rules:
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
#
# Accept ipsec to/from the firewall
#
ACCEPT $FW any 50
ACCEPT any $FW 50
ACCEPT $FW any udp 500
ACCEPT any $FW udp 500
#
# Forward specific connections from the firewall to local machines
#
DNAT net loc:192.168.3.14 tcp 25
DNAT net loc:192.168.3.15 udp 4569
#
# Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT $FW net
DNS/ACCEPT $FW loc
DNS/ACCEPT $FW casp
#
#
# Accept SSH connections from the local network to the firewall and DMZ
#
SSH/ACCEPT loc $FW
SSH/ACCEPT loc dmz
SSH/ACCEPT net $FW
SSH/ACCEPT $FW casp
SSH/ACCEPT $FW loc
#
# DMZ DNS access to the Internet
#
DNS/ACCEPT dmz net
# Reject Ping from the "bad" net zone.
Ping/REJECT net $FW
#
# Make ping work bi-directionally between the dmz, net, Firewall and local zone
# (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT loc $FW
Ping/ACCEPT dmz $FW
Ping/ACCEPT loc dmz
Ping/ACCEPT dmz loc
Ping/ACCEPT dmz net
Ping/ACCEPT loc casp
Ping/ACCEPT casp loc
ACCEPT $FW net icmp
ACCEPT $FW loc icmp
ACCEPT $FW dmz icmp
ACCEPT $FW casp icmp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/tunnels:
#TYPE ZONE GATEWAY GATEWAY
# ZONE
ipsec net 1.2.3.4 casp
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/zones:
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
casp ipsec
fw firewall
net ipv4
loc ipv4
dmz ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/racoon/racoon.conf (dynamically generated):
path certificate "/etc/racoon/certs";
listen
{
    isakmp 5.6.7.8;
}
remote 1.2.3.4
{
    exchange_mode main;
    certificate_type x509 "sandy.pem" "sandy_key.pem";
    verify_cert on;
    my_identifier asn1dn ;
    peers_identifier asn1dn ;
    verify_identifier on ;
    lifetime time 24 hour ;
    proposal {
        encryption_algorithm blowfish;
        hash_algorithm sha1;
        authentication_method rsasig ;
        dh_group 2 ;
    }
}
sainfo address 192.168.3.0/24 any address 1.2.3.4/32 any
{
    pfs_group 2;
    lifetime time 12 hour ;
    encryption_algorithm blowfish ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
sainfo address 5.6.7.8/32 any address 1.2.3.4/32 any
{
    pfs_group 2;
    lifetime time 12 hour ;
    encryption_algorithm blowfish ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}
/etc/racoon/setkey.conf (dynamically generated):
flush;
spdflush;
spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4/32 5.6.7.8/32 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 1.2.3.4/32 192.168.3.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.3.0/24 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
Output of setkey commands:
# setkey -D
5.6.7.8 1.2.3.4
    esp mode=tunnel spi=44968740(0x02ae2b24) reqid=0(0x00000000)
    E: blowfish-cbc bbe97c73 9f8e2a29 d707c1b5 385b91a2
    A: hmac-sha1 370d0ac2 c507d432 1a5b48b5 ceb7d2d9 c42a7718
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Sep 3 17:12:02 2007 current: Sep 3 19:31:38 2007
    diff: 8376(s) hard: 43200(s) soft: 34560(s)
    last: Sep 3 17:12:02 2007 hard: 0(s) soft: 0(s)
    current: 2096(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 17 hard: 0 soft: 0
    sadb_seq=1 pid=4820 refcnt=0
1.2.3.4 5.6.7.8
    esp mode=tunnel spi=116316636(0x06eed9dc) reqid=0(0x00000000)
    E: blowfish-cbc 4a0d645b bd27c956 8ff054fd f530c6ff
    A: hmac-sha1 4e188a7e e5a78e6b 4330bf40 63d26fad 67127967
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
    created: Sep 3 17:12:02 2007 current: Sep 3 19:31:38 2007
    diff: 8376(s) hard: 43200(s) soft: 34560(s)
    last: Sep 3 17:12:03 2007 hard: 0(s) soft: 0(s)
    current: 1244(bytes) hard: 0(bytes) soft: 0(bytes)
    allocated: 15 hard: 0 soft: 0
    sadb_seq=0 pid=4820 refcnt=0
# setkey -DP
192.168.3.0/24[any] 1.2.3.4[any] any
    in prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    created: Sep 3 17:11:49 2007 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2184 seq=1 pid=4821
    refcnt=1
1.2.3.4[any] 5.6.7.8[any] any
    in prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    created: Sep 3 17:11:49 2007 lastused: Sep 3 17:55:24 2007
    lifetime: 0(s) validtime: 0(s)
    spid=2160 seq=2 pid=4821
    refcnt=1
1.2.3.4[any] 192.168.3.0/24[any] any
    out prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    created: Sep 3 17:11:49 2007 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2177 seq=3 pid=4821
    refcnt=1
5.6.7.8[any] 1.2.3.4[any] any
    out prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    created: Sep 3 17:11:49 2007 lastused: Sep 3 17:55:24 2007
    lifetime: 0(s) validtime: 0(s)
    spid=2153 seq=4 pid=4821
    refcnt=1
192.168.3.0/24[any] 1.2.3.4[any] any
    fwd prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    created: Sep 3 17:11:49 2007 lastused: Sep 3 19:31:56 2007
    lifetime: 0(s) validtime: 0(s)
    spid=2194 seq=5 pid=4821
    refcnt=2
1.2.3.4[any] 5.6.7.8[any] any
    fwd prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    created: Sep 3 17:11:49 2007 lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2170 seq=6 pid=4821
    refcnt=1
(per-socket policy)
    in none
    created: Sep 3 17:11:50 2007 lastused: Sep 3 17:12:02 2007
    lifetime: 0(s) validtime: 0(s)
    spid=2203 seq=7 pid=4821
    refcnt=1
(per-socket policy)
    out none
    created: Sep 3 17:11:50 2007 lastused: Sep 3 17:12:02 2007
    lifetime: 0(s) validtime: 0(s)
    spid=2212 seq=0 pid=4821
    refcnt=1
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
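Added example (the editor's, not code from the poster or from the Shorewall or ipsec-tools projects): a small Python checker that parses a `setkey -DP` dump, reports which SPD entries a given flow matches in each direction (in, out, fwd), and states what the kernel does with a cleartext packet that hits each entry. The embedded dump is the one from the post with the mail-gateway debris removed and the created/lifetime/refcnt lines dropped (the parser ignores those); the LAN host address 192.168.3.10 is an assumed example, not from the post. Run against a LAN host pinging casp it shows that no `out` entry has a source selector covering 192.168.3.0/24, while an `in` and a `fwd` entry do. A `require` entry in those directions tells the kernel that matching traffic must have arrived through the named SA; a cleartext packet that matches it is discarded by the IPsec policy check itself, so no netfilter rule sees it and nothing is logged, which is the kind of silent disappearance worth ruling out before debugging Shorewall rules.

```python
"""Which SPD entries does a flow match, and what happens to cleartext there?

Constructed sample input: the ``setkey -DP`` dump from the post above,
minus mail-gateway debris and the created/lifetime/refcnt lines.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SPD_DUMP = """\
192.168.3.0/24[any] 1.2.3.4[any] any
    in prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    spid=2184 seq=1 pid=4821
1.2.3.4[any] 5.6.7.8[any] any
    in prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    spid=2160 seq=2 pid=4821
1.2.3.4[any] 192.168.3.0/24[any] any
    out prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    spid=2177 seq=3 pid=4821
5.6.7.8[any] 1.2.3.4[any] any
    out prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    spid=2153 seq=4 pid=4821
192.168.3.0/24[any] 1.2.3.4[any] any
    fwd prio def ipsec
    esp/tunnel/5.6.7.8-1.2.3.4/require
    spid=2194 seq=5 pid=4821
1.2.3.4[any] 5.6.7.8[any] any
    fwd prio def ipsec
    esp/tunnel/1.2.3.4-5.6.7.8/require
    spid=2170 seq=6 pid=4821
(per-socket policy)
    in none
    spid=2203 seq=7 pid=4821
(per-socket policy)
    out none
    spid=2212 seq=0 pid=4821
"""

# "SRC[port] DST[port] PROTO" selector line that opens each SPD entry
HEADER_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
# "in prio def ipsec" / "out none" / "fwd prio def discard"
DIR_RE = re.compile(r"^(in|out|fwd)\s+(?:prio\s+\S+\s+)?(ipsec|none|discard)$")
# "esp/tunnel/5.6.7.8-1.2.3.4/require" (transport mode has an empty endpoint field)
SA_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\w+)$")
SPID_RE = re.compile(r"spid=(\d+)")


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    direction: str = ""
    action: str = ""          # ipsec | none | discard
    sa: Optional[str] = None  # raw "esp/tunnel/A-B/level" line
    level: Optional[str] = None  # require | use | unique | default
    spid: Optional[int] = None
    per_socket: bool = False


def parse_spd(text: str) -> List[Policy]:
    """Parse ``setkey -DP`` output into Policy records (unknown lines are ignored)."""
    policies: List[Policy] = []
    cur: Optional[Policy] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = Policy(ipaddress.ip_network(m.group(1), strict=False),
                         ipaddress.ip_network(m.group(3), strict=False), m.group(5))
            policies.append(cur)
            continue
        if line == "(per-socket policy)":
            cur = Policy(ipaddress.ip_network("0.0.0.0/0"),
                         ipaddress.ip_network("0.0.0.0/0"), "any", per_socket=True)
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur.direction, cur.action = m.group(1), m.group(2)
            continue
        m = SA_RE.match(line)
        if m:
            cur.sa, cur.level = line, m.group(4)
            continue
        m = SPID_RE.search(line)
        if m:
            cur.spid = int(m.group(1))
    return policies


def matching_policies(policies: List[Policy], src_ip: str, dst_ip: str,
                      direction: str) -> List[Policy]:
    """Global (non per-socket) entries whose selectors cover src->dst in one direction."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if not p.per_socket and p.direction == direction and s in p.src and d in p.dst]


def flow_report(policies: List[Policy], src_ip: str, dst_ip: str) -> Dict[str, List[int]]:
    """spids matched per direction, e.g. {'in': [2184], 'out': [], 'fwd': [2194]}."""
    return {d: [p.spid for p in matching_policies(policies, src_ip, dst_ip, d)]
            for d in ("in", "out", "fwd")}


def cleartext_verdict(policies: List[Policy], src_ip: str, dst_ip: str, direction: str) -> str:
    """Fate of a *cleartext* packet: 'pass', 'protect' (wrapped in ESP) or 'discard'."""
    hits = matching_policies(policies, src_ip, dst_ip, direction)
    if not hits:
        return "pass"                      # no SPD entry: IPsec is not involved
    p = hits[0]
    if p.action == "discard":
        return "discard"
    if p.action == "none":
        return "pass"
    if direction == "out":
        return "protect"                   # kernel encrypts; racoon negotiates an SA if needed
    # in/fwd: a 'require' entry demands the packet came through the SA; cleartext is dropped
    return "discard" if p.level == "require" else "pass"


if __name__ == "__main__":
    pols = parse_spd(SPD_DUMP)
    for src, dst in (("192.168.3.10", "1.2.3.4"), ("5.6.7.8", "1.2.3.4")):
        print(src, "->", dst, flow_report(pols, src, dst),
              {d: cleartext_verdict(pols, src, dst, d) for d in ("in", "out", "fwd")})
```

Feed it a live dump with `setkey -DP | python3 spdcheck.py`-style plumbing (reading stdin instead of `SPD_DUMP`) to check any gateway's SPD the same way; the interesting question on a gateway is always whether the LAN subnet appears as the *source* selector of an `out` entry.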