Ipsec works with it configured as a single ISP. As soon as I configure providers, parameters and masq, then ipsec will work until I restart the box. With either config the Ipsec tunnel connects. It just seems to be a routing issue, I guess. I have spent many nights trying to get this working. Any ideas?

Thanks
Mike

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Mike Lander wrote:
> Ipsec works with it configured as a single ISP.
> As soon as I configure providers, parameters and masq,
> then ipsec will work until I restart the box. With either config
> the Ipsec tunnel connects.
> It just seems to be a routing issue, I guess. I have spent many
> nights trying to get this working. Any ideas?

Mike,

We'll need to see the output of "shorewall dump" captured when IPSEC is not working.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom wrote:
> Mike,
> We'll need to see the output of "shorewall dump" captured when IPSEC is not working.
> -Tom

The first post was with Ipsec broken, i.e. pings are timing out. One interesting note: if I restart networking on this box, Shorewall will block the pings to 172.30.0.15 in the forward chain. I could send a post of that; I don't know if it would help. But restarting networking clears all of Shorewall's routing. Restarting Shorewall after a networking restart, the Ipsec pings to the other side then seem to be silently dropped by the kernel.

BTW, on all these dumps host 10.194.79.5 (my XP box) is pinging 172.30.0.15 (other host in the tunnel: 65.203.186.182) with "ping -t 172.30.0.15", and they are timing out.

Thanks
Mike
----- Original Message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, November 08, 2006 11:48 AM
Subject: Re: [Shorewall-users] Mulit-Isp with Ipsec

> The first post was with Ipsec broken, i.e. pings are timing out.
> [...]
> BTW, on all these dumps host 10.194.79.5 (my XP box) is pinging 172.30.0.15
> with "ping -t 172.30.0.15", and they are timing out.

I might add, out of desperation after many nights, that I just added this last night, thinking that since there is no ipsec0 all the Ipsec traffic is going through eth0. I added this to tcrules:

    512:P   eth0   0.0.0.0/0   ESP
    2:F     eth0   0.0.0.0/0   ESP
    2       $FW    0.0.0.0/0   ALL

and this to shorewall start:

    iptables -I all2all -i eth0 -d 0.0.0.0/0 -m mark --mark 2 -j ACCEPT
    iptables -I all2all -o eth0 -d 0.0.0.0/0 -m mark --mark 2 -j ACCEPT

I forgot to change one back to 512, since you can't mark in PREROUTING here with high marks on; last night I had tried turning off high marks and using 2 for eth0.

Mike
I just noticed this in the last dump in the conntrack table:

    unknown 50 599 src=66.224.62.118 dst=65.203.186.182 packets=6613 bytes=740656 [UNREPLIED] src=65.203.186.182 dst=67.183.187.44 packets=0 bytes=0 mark=0 secmark=0 use=1

I am not sure what this means, but it looks like pings are going out eth0 66.224.62.182 and coming back into eth1 67.183.187.44??

Mike
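The conntrack entry above can be read mechanically: the first src/dst pair is the original direction, the second is the reply direction, and for a flow that has not been NATed the reply tuple is simply the original tuple reversed. Any deviation is the NAT table talking. Below is an added example (not code from this thread, nor from Shorewall or Openswan) that parses entries in that legacy /proc/net/ip_conntrack layout and reports where the reply tuple deviates. The ESP entry is the one quoted in the message; the ICMP entry and the interface-to-address table are constructed for the example (the addresses are taken from the "ipsec auto status" output later in the thread).

```python
"""Added example: read conntrack entries and detect NAT from the reply tuple.

Not code from the thread. Format handled: the legacy /proc/net/ip_conntrack
layout, "<proto> <num> <timeout> src=.. dst=.. [..] [UNREPLIED] src=.. dst=.. [..]".
"""
import re

# Entry quoted in the thread (protocol 50 is ESP).
ESP_ENTRY = (
    "unknown 50 599 src=66.224.62.118 dst=65.203.186.182 packets=6613 "
    "bytes=740656 [UNREPLIED] src=65.203.186.182 dst=67.183.187.44 "
    "packets=0 bytes=0 mark=0 secmark=0 use=1"
)

# Constructed entry for an un-NATed ICMP flow (the XP box pinging the far LAN).
ICMP_ENTRY = (
    "icmp 1 29 src=10.194.79.5 dst=172.30.0.15 type=8 code=0 id=512 "
    "packets=4 bytes=240 [UNREPLIED] src=172.30.0.15 dst=10.194.79.5 "
    "type=0 code=0 id=512 packets=0 bytes=0 mark=0 use=1"
)

# Assumed interface/address table, from the "ipsec auto status" output.
IFACE_ADDRS = {
    "eth0": "66.224.62.118",
    "eth1": "67.183.187.44",
    "eth3": "10.194.79.1",
}

TUPLE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")


def parse_conntrack_entry(line):
    """Return protocol number, the two (src, dst) tuples and the UNREPLIED flag."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a conntrack entry: %r" % line)
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    return {
        "proto": int(fields[1]),
        "orig": tuples[0],
        "reply": tuples[1],
        "unreplied": "[UNREPLIED]" in fields,
    }


def nat_applied(entry):
    """Compare the reply tuple with the reversed original tuple.

    Reply dst != original src means the source was rewritten (SNAT);
    reply src != original dst means the destination was rewritten (DNAT).
    """
    osrc, odst = entry["orig"]
    rsrc, rdst = entry["reply"]
    nat = {}
    if rdst != osrc:
        nat["snat"] = (osrc, rdst)
    if rsrc != odst:
        nat["dnat"] = (odst, rsrc)
    return nat


def diagnose(line, iface_addrs=IFACE_ADDRS):
    """Explain an entry in terms of interfaces and flag NATed ESP, which an
    IPsec gateway must never emit: the peer's SA is bound to the real source."""
    entry = parse_conntrack_entry(line)
    by_addr = {addr: name for name, addr in iface_addrs.items()}
    findings = []
    nat = nat_applied(entry)
    if "snat" in nat:
        before, after = nat["snat"]
        msg = "source %s (%s) rewritten to %s (%s)" % (
            before, by_addr.get(before, "?"), after, by_addr.get(after, "?"))
        if entry["proto"] == 50:
            msg = "ESP " + msg + "; replies will arrive for the wrong address"
        findings.append(msg)
    if "dnat" in nat:
        findings.append("destination %s rewritten to %s" % nat["dnat"])
    if entry["unreplied"]:
        findings.append("no reply seen yet for this flow")
    return entry, findings


if __name__ == "__main__":
    for sample in (ESP_ENTRY, ICMP_ENTRY):
        _, found = diagnose(sample)
        print(sample.split()[0], found)
```

Run against the quoted entry it reports that ESP from the eth0 address is being rewritten to the eth1 address and that no reply has come back, which is exactly the shape an SNAT rule applied to the firewall's own ESP would produce; the constructed ICMP entry only reports the missing reply.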
Mike Lander wrote:
> I just noticed this in the last dump in the conntrack table
> unknown 50 599 src=66.224.62.118 dst=65.203.186.182 packets=6613
> bytes=740656
> [UNREPLIED] src=65.203.186.182 dst=67.183.187.44 packets=0 bytes=0 mark=0
> secmark=0 use=1
>
> I am not sure what this means, but it looks like
> pings are going out eth0 66.224.62.182 coming back into eth1 67.183.187.44

Which address is specified as the local end of the IPSEC tunnel-mode SP?

-Tom
Tom Eastep wrote:
> Mike Lander wrote:
>> I just noticed this in the last dump in the conntrack table
>> unknown 50 599 src=66.224.62.118 dst=65.203.186.182 packets=6613
>> bytes=740656
>> [UNREPLIED] src=65.203.186.182 dst=67.183.187.44 packets=0 bytes=0 mark=0
>> secmark=0 use=1
>>
>> I am not sure what this means, but it looks like
>> pings are going out eth0 66.224.62.182 coming back into eth1 67.183.187.44
>
> Which address is specified as the local end of the IPSEC tunnel-mode SP?

Asked another way, can you show us your ipsec configuration?

-Tom
> Which address is specified as the local end of the IPSEC tunnel-mode SP?
>
> -Tom

    conn arkonaIPsec
        type = tunnel
        left = 66.224.62.118
        leftnexthop = 66.224.62.97
        right = 65.203.186.182
        leftsubnet = 10.194.79.0/255.255.255.0
        rightsubnet = 172.30.0.0/255.255.255.0
        auto = start
        keyexchange = ike
        authby = secret
        auth = esp
        keyingtries = 0
        pfs = yes
        esp = 3DES-MD5
        ike = 3DES-MD5-MODP1024
        ikelifetime = 60m
        rekeyfuzz = 100%
        rekeymargin = 10m

    [root@c-67-183-187-44 ~]# ipsec auto status
    ipsec auto: warning: obsolete command syntax used
    000 interface lo/lo ::1
    000 interface lo/lo 127.0.0.1
    000 interface eth0/eth0 66.224.62.118
    000 interface eth1/eth1 67.183.187.44
    000 interface eth3/eth3 10.194.79.1
    000 %myid = (none)
    000 debug none
    000
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
    000
    000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
    000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
    000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
    000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000
    000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,3,36} trans={0,3,336} attrs={0,3,224}
    000
    000 "arkonaIPsec": 10.194.79.0/24===66.224.62.118---66.224.62.97...65.203.186.182===172.30.0.0/24; erouted; eroute owner: #5
    000 "arkonaIPsec": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
    000 "arkonaIPsec": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 600s; rekey_fuzz: 100%; keyingtries: 0
    000 "arkonaIPsec": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
    000 "arkonaIPsec": newest ISAKMP SA: #4; newest IPsec SA: #5;
    000 "arkonaIPsec": IKE algorithms wanted: 5_000-1-2, flags=strict
    000 "arkonaIPsec": IKE algorithms found: 5_192-1_128-2,
    000 "arkonaIPsec": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
    000 "arkonaIPsec": ESP algorithms wanted: 3_000-1, flags=strict
    000 "arkonaIPsec": ESP algorithms loaded: 3_000-1, flags=strict
    000 "arkonaIPsec": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
    000
    000 #5: "arkonaIPsec":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1861s; newest IPSEC; eroute owner
    000 #5: "arkonaIPsec" esp.5abd6085@65.203.186.182 esp.38afd8@66.224.62.118 tun.0@65.203.186.182 tun.0@66.224.62.118
    000 #4: "arkonaIPsec":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1110s; newest ISAKMP; lastdpd=58s(seq in:0 out:0)
    000
    [root@c-67-183-187-44 ~]#

This is the tunnel status as we speak.

Thanks
Mike
Mike Lander wrote:
> Which address is specified as the local end of the IPSEC tunnel-mode SP?
>
> -Tom
>
> conn arkonaIPsec
> type = tunnel
> left =66.224.62.118
> leftnexthop= 66.224.62.97
> right = 65.203.186.182
> leftsubnet = 10.194.79.0/255.255.255.0
> rightsubnet = 172.30.0.0/255.255.255.0
> auto = start
> keyexchange = ike
> authby = secret
> auth = esp
> keyingtries = 0
> pfs = yes
> esp = 3DES-MD5
> ike = 3DES-MD5-MODP1024
> ikelifetime = 60m
> rekeyfuzz = 100%
> rekeymargin = 10m
>
> [root@c-67-183-187-44 ~]# ipsec auto status
> 000 "arkonaIPsec": 10.194.79.0/24===66.224.62.118---66.224.62.97...65.203.186.182===172.30.0.0/24; erouted; eroute owner: #5
> 000 "arkonaIPsec": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0;
> 000 #5: "arkonaIPsec":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1861s; newest IPSEC; eroute owner
> 000 #4: "arkonaIPsec":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1110s; newest ISAKMP; lastdpd=58s(seq in:0 out:0)
>
> This is the tunnel status as we speak

Ok.

You have some cruft in your current configuration.

a) The old routing rules from when you had HIGH_ROUTE_MARKS=Yes are still there.

b) There's the following route:

    172.30.0.0/24 via 66.224.62.97 dev eth0

If you are going to have that route defined, you should add "src 10.194.79.1" to it. That way traffic from the firewall to the remote network will go through the tunnel.

c) There is this routing rule -- what is it for?

    1000: from all to 172.30.0.0/24 lookup main

I'd like to see the output of "ip route ls cache" when this is failing. You can send it to me directly as it won't be of much interest to anyone else.

Thanks,
-Tom
Tom Eastep wrote:
> Mike Lander wrote:
>> Which address is specified as the local end of the IPSEC tunnel-mode SP?
>>
>> -Tom
>>
>> conn arkonaIPsec
>> type = tunnel
>> left =66.224.62.118
>> leftnexthop= 66.224.62.97
>> right = 65.203.186.182
>> leftsubnet = 10.194.79.0/255.255.255.0
>> rightsubnet = 172.30.0.0/255.255.255.0
>>
>> This is the tunnel status as we speak
>
> Ok.
>
> You have some cruft in your current configuration.
>
> a) The old routing rules from when you had HIGH_ROUTE_MARKS=Yes are still there.
>

Never mind -- I see that you have HIGH_ROUTE_MARKS=Yes but are using other mark values to select the provider.

-Tom
Tom Eastep wrote:
> Tom Eastep wrote:
>> Mike Lander wrote:
>>> Which address is specified as the local end of the IPSEC tunnel-mode SP?
>>>
>>> -Tom
>>>
>>> conn arkonaIPsec
>>> type = tunnel
>>> left =66.224.62.118
>>> leftnexthop= 66.224.62.97
>>> right = 65.203.186.182
>>> leftsubnet = 10.194.79.0/255.255.255.0
>>> rightsubnet = 172.30.0.0/255.255.255.0
>>>
>>> This is the tunnel status as we speak
>> Ok.
>>
>> You have some cruft in your current configuration.
>>
>> a) The old routing rules from when you had HIGH_ROUTE_MARKS=Yes are still there.
>>
>
> Never mind -- I see that you have HIGH_ROUTE_MARKS=Yes but are using other mark
> values to select the provider.
>

But this tcrule is silly; you are never going to forward ESP packets, are you?

    Chain tcfor (1 references)
     pkts bytes target  prot opt in    out  source     destination
        0     0 MARK    esp  --  eth0  *    0.0.0.0/0  0.0.0.0/0    MARK set 0x2

-Tom
> c) There is this routing rule -- what is it for?
>
>     1000: from all to 172.30.0.0/24 lookup main

Another shot in the dark to get this to work. I took this from the Shorewall docs that allow OpenVPN to work through multi-ISP. I took this out of route_rules:

    -    172.30.0.0/24    main    1000

Thanks
Mike
> But this tcrule is silly; you are never going to forward ESP packets, are you?
>
>     Chain tcfor (1 references)
>      pkts bytes target  prot opt in    out  source     destination
>         0     0 MARK    esp  --  eth0  *    0.0.0.0/0  0.0.0.0/0    MARK set 0x2
>
> -Tom

I took some rules from the openswan list; this guy was using one ISP and he was asked the same question. I am removing the ah and esp rules now.

Thanks
Mike
Mike Lander wrote:
> But this tcrule is silly; you are never going to forward ESP packets are
> you?
>
> Chain tcfor (1 references)
> pkts bytes target prot opt in out source destination
> 0 0 MARK esp -- eth0 * 0.0.0.0/0 0.0.0.0/0 MARK set 0x2
>
> -Tom
>
> I took some rules from openswan list this guy was using one Isp
> He was asked the same question. I am removing ah and esp rules now.
>

Mike -- this SNAT rule (from /etc/shorewall/masq) cannot be good.

    Chain eth0_masq (1 references)
     pkts bytes target  prot opt in  out  source         destination
        0     0 SNAT    all  --  *   *    66.224.62.118  0.0.0.0/0    policy match dir out pol none to:67.183.187.44

It looks like you have:

    eth0    66.224.62.118    67.183.187.44

The addresses are in the wrong columns!!! That is why you are getting that bizarre connection tracking entry. The proper entries are:

    eth1    66.224.62.118    67.183.187.44
    eth0    67.183.187.44    66.224.62.118

-Tom
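A check for the column error Tom points out, as an added example that is not part of this thread and not Shorewall's own code: it parses /etc/shorewall/masq lines in the three-column INTERFACE SUBNET ADDRESS form used here, expands shell-style variables the way params does, and flags any entry whose ADDRESS column is not the address of the interface in the INTERFACE column, or whose SUBNET column is that interface's own address (which would rewrite packets the firewall itself sends on that interface, its ESP included). The interface/address table comes from the "ipsec auto status" output above; the value of $ETH1_IP is an assumption, since the thread never shows it. The rule "SNAT to the outgoing interface's own address" is a heuristic for this two-ISP layout, not a general Shorewall rule, so treat its output as a hint.

```python
"""Added example (not Shorewall code): lint /etc/shorewall/masq entries for
swapped SUBNET/ADDRESS columns in a two-ISP setup."""

# Assumed interface addresses, from the "ipsec auto status" output.
IFACE_ADDRS = {
    "eth0": "66.224.62.118",
    "eth1": "67.183.187.44",
    "eth3": "10.194.79.1",
}

# Assumption: the thread uses $ETH1_IP but never shows its value.
SHELL_VARS = {"ETH1_IP": "67.183.187.44"}

# The entries posted later in the thread, with the two WAN lines swapped.
POSTED_MASQ = """
# INTERFACE  SUBNET          ADDRESS
eth0         66.224.62.118   $ETH1_IP
eth1         $ETH1_IP        66.224.62.118
eth0         eth3            66.224.62.118
eth1         eth3            $ETH1_IP
"""

# The two lines Tom gives as correct, plus the LAN entries that were already fine.
CORRECTED_MASQ = """
eth1         66.224.62.118   67.183.187.44
eth0         67.183.187.44   66.224.62.118
eth0         eth3            66.224.62.118
eth1         eth3            $ETH1_IP
"""


def expand(token, variables):
    """Resolve a $NAME or ${NAME} reference against the params table."""
    if token.startswith("$"):
        name = token[1:].strip("{}")
        if name not in variables:
            raise KeyError("undefined variable $%s" % name)
        return variables[name]
    return token


def parse_masq(text, variables):
    """Return (interface, subnet, address) triples, comments stripped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError("masq entry needs INTERFACE SUBNET ADDRESS: %r" % raw)
        iface, subnet, address = cols[:3]
        entries.append((iface, expand(subnet, variables), expand(address, variables)))
    return entries


def lint_masq(entries, iface_addrs):
    """Return (entry_number, message) for each suspicious entry."""
    problems = []
    for n, (iface, subnet, address) in enumerate(entries, 1):
        own = iface_addrs.get(iface)
        if own is None:
            problems.append((n, "unknown interface %s" % iface))
            continue
        if address != own:
            problems.append((n, "SNAT address %s is not %s's address %s"
                             % (address, iface, own)))
        if subnet == own:
            problems.append((n, "SUBNET %s is %s's own address; packets the "
                             "firewall itself sends there (ESP included) "
                             "would be rewritten" % (subnet, iface)))
    return problems


def check(text, variables=SHELL_VARS, iface_addrs=IFACE_ADDRS):
    """Parse and lint one masq file body in a single call."""
    return lint_masq(parse_masq(text, variables), iface_addrs)


if __name__ == "__main__":
    for label, body in (("posted", POSTED_MASQ), ("corrected", CORRECTED_MASQ)):
        print(label)
        for n, msg in check(body):
            print("  entry %d: %s" % (n, msg))
```

On the posted table both WAN lines trip both checks (the SNAT address belongs to the other ISP's interface, and the source being rewritten is the interface's own address); on Tom's corrected table nothing is flagged.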
I changed this in /etc/masq:

    eth0    66.224.62.118    $ETH1_IP
    eth3    $ETH1_IP         66.224.62.118
    eth0    eth3             66.224.62.118
    eth1    eth3             $ETH1_IP

    eth0    66.224.62.118    $ETH1_IP
    eth1    $ETH1_IP         66.224.62.118
    eth0    eth3             66.224.62.118
    eth1    eth3             $ETH1_IP

So used to eth1 being local, sorry. Here is a cleaner dump; I have removed all of my crazy entries to try and get this to work, and rebooted this box. This config is pretty much the config I use when I remove the Comcast ISP from this mix, and then Ipsec works. This config is with both ISPs and the ping going.

Thanks
Mike
Tom

So sorry, I did not pay attention to this. I had two mistakes in here: (1) is the one you pointed out, reversed columns; (2) the other was the one I found, with the variable wrong.

IT WORKS!!!!!!!!!!!

Thanks
Mike

----- Original Message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Wednesday, November 08, 2006 1:52 PM
Subject: Re: [Shorewall-users] Mulit-Isp with Ipsec

> I changed this in /etc/masq
>
> eth0 66.224.62.118 $ETH1_IP
> eth1 $ETH1_IP 66.224.62.118
> eth0 eth3 66.224.62.118
> eth1 eth3 $ETH1_IP
>
> So used to eth1 being local sorry
Mike Lander wrote:
>
> IT WORKS!!!!!!!!!!!
>

Great!

-Tom