Brian Neu
2007-Feb-06 01:54 UTC
OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
24 is about to start, so I have to get home, but I'm having a terrible time trying to get my shorewall firewall to allow DNAT of the ESP protocol. It's listed just like every other successful DNAT and I have 50 in the proto column. However, on that IP, incoming packets get rejected in all2all.

At one point, this was actually working. I'm not sure what to think at this point.

Any good reason why my DNAT rule would just be ignored? The ones for UDP 500 and 4500 are obviously working, because the secure log on the VPN server shows the activity -- but then packets coming through in ESP are getting rejected at the firewall.

# rpm -q shorewall
shorewall-3.2.8-5

# rpm -q kernel
kernel-2.6.18-1.2257.fc5

I tried asking with the swdump, but the email never showed up.

Sorry if this is too vague. Out of time.

-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
Tom Eastep
2007-Feb-06 02:12 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Brian Neu wrote:
>
> Any good reason why my DNAT rule would just be ignored?

Have you followed the DNAT debugging steps listed in Shorewall FAQs 1a and 1b?

> The ones for UDP 500 and 4500 are obviously working, because the secure
> log on the VPN server shows the activity -- but then packets coming
> through in ESP are getting rejected at the firewall.
>
> # rpm -q shorewall
> shorewall-3.2.8-5
>
> # rpm -q kernel
> kernel-2.6.18-1.2257.fc5
>
> I tried asking with the swdump, but the email never showed up.
>
> Sorry if this is too vague. Out of time.

You mention UDP 4500 so I assume that you are using NAT traversal. If that is the case, you should never see ESP packets at all; they should all be encapsulated in UDP 4500. So I have no idea what your problem is.

FWIW: I could never understand FreeSwan/OpenSwan/xxxSwan -- I finally got it working but I suspect it was pure dumb luck, the quarter of the moon, and what I had for breakfast that morning. That's why you find no reference to those products on shorewall.net.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Stephen Carville
2007-Feb-06 02:15 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Brian Neu wrote:
> 24 is about to start, so I have to get home, but I'm having a
> terrible time trying to get my shorewall firewall to allow DNAT of
> the ESP protocol. It's listed just like every other successful DNAT
> and I have 50 in the proto column.

Is there an entry in /etc/tunnels?

> However, on that IP, incoming packets get rejected in all2all.
>
> At one point, this was actually working. I'm not sure what to think
> at this point.
>
> Any good reason why my DNAT rule would just be ignored? The ones for
> UDP 500 and 4500 are obviously working, because the secure log on the
> VPN server shows the activity -- but then packets coming through in
> ESP are getting rejected at the firewall.
>
> # rpm -q shorewall
> shorewall-3.2.8-5
>
> # rpm -q kernel
> kernel-2.6.18-1.2257.fc5
>
> I tried asking with the swdump, but the email never showed up.
>
> Sorry if this is too vague. Out of time.
Tom Eastep
2007-Feb-06 02:19 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Stephen Carville wrote:
> Brian Neu wrote:
>> 24 is about to start, so I have to get home, but I'm having a
>> terrible time trying to get my shorewall firewall to allow DNAT of
>> the ESP protocol. It's listed just like every other successful DNAT
>> and I have 50 in the proto column.
>
> Is there an entry in /etc/tunnels?

Entries in /etc/shorewall/tunnels are for when the firewall is the IPSEC gateway. DNAT of ESP would indicate that the gateway in Brian's case is *behind* the firewall.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Stephen Carville
2007-Feb-06 02:23 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Tom Eastep wrote:
> FWIW: I could never understand FreeSwan/OpenSwan/xxxSwan -- I finally
> got it working but I suspect it was pure dumb luck, the quarter of the
> moon, and what I had for breakfast that morning. That's why you find no
> reference to those products on shorewall.net.

Me too. I got it to work and I think I understand what it's doing. I even got it talking to checkpoint. However, for what I needed, IPSEC was way too heavyweight. Like using an RPG to hunt rabbits.

I finally switched to OpenVPN using TLS wherever I could. I'm much happier.

--
Stephen
Tom Eastep
2007-Feb-06 02:31 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Stephen Carville wrote:
>
> I finally switched to OpenVPN using TLS wherever I could. I'm much
> happier.
>

I did the same. I did use ipsec-tools/racoon for a while and I understand those pretty well. But OpenVPN is an order of magnitude simpler to configure and in my environment, it works better.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian Neu
2007-Feb-06 15:19 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Unfortunately, I don't have that option in this environment because the company has a series of Linksys VPN routers at remote locations (construction trailers) which sometimes even get moved around.

Personally, and for other clients, I use OpenVPN everywhere. This case is different though, and they have a legit reason to stick with this.

Is there anyway to find out why DNAT of ESP proto gets rejected at the firewall?

Here is the dreaded log msg:

kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=(clientIP) DST=(fwIP) LEN=152 TOS=0x00 PREC=0x00 TTL=21 ID=1029 PROTO=ESP SPI=0xca69d85a

But in "rules" I have:

DNAT    net    jgi:(internalOpenSwanIP)    esp    -    -    (fwIP)

So that part alone is throwing me more than anything right now.

Even crazier is that it was working last night for a little while and the ESP reject msgs stopped. Now they pop up every couple seconds and things aren't working.

Tom Eastep <teastep@shorewall.net> wrote:

Stephen Carville wrote:
>
> I finally switched to OpenVPN using TLS wherever I could. I'm much
> happier.
>

I did the same. I did use ipsec-tools/racoon for a while and I understand those pretty well. But OpenVPN is an order of magnitude simpler to configure and in my environment, it works better.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
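The log line Brian posted is in Shorewall's default log format, and Tom's two earlier points (a NAT-T peer should never produce raw ESP, and the chain name in the log tells you which zone pair the packet fell into) can both be checked from such lines. The script below is an added example, not code from this thread or from Shorewall: it parses the `Shorewall:<chain>:<disposition>:` prefix and the netfilter key=value fields, splits the chain name into its source and destination zones, labels the IPsec traffic type (raw ESP, AH, IKE on UDP/500, ESP-in-UDP NAT-T on UDP/4500) and flags the thread's exact symptom, raw ESP falling through to the all2all catch-all, which means neither the DNAT rule nor a zone-specific policy matched it. The three log lines are constructed samples using documentation addresses; the interface and zone names in them are assumptions.

```python
import re

# Constructed sample lines in Shorewall's netfilter log format. The first is
# modelled on the line Brian posted; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Feb  6 15:10:01 fw kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=152 TOS=0x00 PREC=0x00 TTL=21 ID=1029 PROTO=ESP SPI=0xca69d85a
Feb  6 15:10:02 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  6 15:10:03 fw kernel: Shorewall:net2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.10 LEN=180 TOS=0x00 PREC=0x00 TTL=20 ID=1030 PROTO=UDP SPT=4500 DPT=4500 LEN=160
"""

# Default Shorewall 3.x LOGFORMAT is "Shorewall:%s:%s:" (chain, disposition).
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")          # netfilter fields; flags like DF/SYN have no '='
CHAIN_RE = re.compile(r"^(?P<src>\w+?)2(?P<dst>\w+)$")  # policy chains are <src>2<dst>


def parse_line(line):
    """Split one Shorewall log line into chain, disposition and the key=value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))   # later duplicates (e.g. LEN=) win
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), "fields": fields}


def chain_zones(chain):
    """Return (source_zone, dest_zone) for a policy chain name; None if it is not one.
    Caveat: a zone name containing the digit 2 would confuse this split."""
    m = CHAIN_RE.match(chain)
    return (m.group("src"), m.group("dst")) if m else None


def classify_ipsec(fields):
    """Label the traffic types discussed in the thread from PROTO and DPT."""
    proto = fields.get("PROTO", "").upper()
    dpt = fields.get("DPT")
    if proto in ("ESP", "50"):
        return "raw-esp"
    if proto in ("AH", "51"):
        return "raw-ah"
    if proto in ("UDP", "17") and dpt == "500":
        return "ike"
    if proto in ("UDP", "17") and dpt == "4500":
        return "nat-t"        # IKE and ESP both encapsulated in UDP/4500
    return "other"


def diagnose(line):
    """Parse one line and explain, in the thread's terms, what chain and protocol imply."""
    rec = parse_line(line)
    if rec is None:
        return None
    zones = chain_zones(rec["chain"])
    kind = classify_ipsec(rec["fields"])
    blocked = rec["disposition"] in ("DROP", "REJECT")
    if not blocked:
        note = "ok"
    elif kind == "raw-esp" and zones == ("all", "all"):
        note = ("raw ESP reached the all2all catch-all: no DNAT rule and no zone-specific "
                "policy matched it; a NAT-T peer should be sending UDP/4500, not protocol 50")
    elif zones == ("all", "all"):
        note = "fell through to all2all: this zone pair has no explicit policy"
    else:
        note = "blocked by policy"
    return {"chain": rec["chain"], "zones": zones, "disposition": rec["disposition"],
            "kind": kind, "src": rec["fields"].get("SRC"), "dst": rec["fields"].get("DST"),
            "note": note}


def summarize(log_text):
    """Diagnose every Shorewall line in a log excerpt, skipping unrelated lines."""
    return [d for d in (diagnose(l) for l in log_text.splitlines()) if d is not None]


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print("%-8s %-7s %-8s %s -> %s: %s"
              % (r["chain"], r["disposition"], r["kind"], r["src"], r["dst"], r["note"]))
```

Run it against `/var/log/messages` (or wherever the kernel log lands) instead of `SAMPLE_LOG` to see at a glance whether the blocked packets are raw ESP or UDP/4500 and which zone pair rejected them.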
Tom Eastep
2007-Feb-06 16:10 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Brian Neu wrote:
> Unfortunately, I don't have that option in this environment because the
> company has a series of Linksys VPN routers at remote locations
> (construction trailers) which sometimes even get moved around.
>
> Personally, and for other clients, I use OpenVPN everywhere. This case
> is different though, and they have a legit reason to stick with this.
>
> Is there anyway to find out why DNAT of ESP proto gets rejected at the
> firewall?
>
> Here is the dreaded log msg:
>
> kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=(clientIP) DST=(fwIP)
> LEN=152 TOS=0x00 PREC=0x00 TTL=21 ID=1029 PROTO=ESP SPI=0xca69d85a
>
> But in "rules" I have:
> DNAT    net    jgi:(internalOpenSwanIP)    esp    -    -    (fwIP)
>
> So that part alone is throwing me more than anything right now.
>
> Even crazier is that it was working last night for a little while and
> the ESP reject msgs stopped. Now they pop up every couple seconds and
> things aren't working.

We're shooting totally in the dark here. Is 'eth1' your net interface or a local one? The reason I ask is that most people at least have a 'net->all' policy which would log policy drops from the 'net' zone out of a chain named 'net2all' whereas the above is being logged from 'all2all'. As Paul Gear advises frequently on this list and elsewhere, you get much more helpful information from your log if you define the entire zone-x-zone matrix in your /etc/shorewall/policy file.

I would really like to see the information requested at http://www.shorewall.net/support.htm#Guidelines. And please don't obfuscate the information -- IP addresses aren't state secrets.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
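Tom's point about the zone-by-zone policy matrix can be checked mechanically before a packet is ever logged. The script below is an added example written for this page, not Shorewall's own code, and it implements a simplified model of how Shorewall consults /etc/shorewall/policy: entries are tried in file order, the first match wins, `all` matches any zone, and a packet disposed of by a policy is logged from a chain named from that entry's own SOURCE and DEST columns, so `net all DROP info` logs from net2all and `all all REJECT info` from all2all, exactly the naming Tom describes. Given a zone list, it reports which ordered zone pairs would log from one of those generic chains and therefore hide which pair was actually hit. The two policy files and the zone names (net, loc and the firewall itself, written `$FW` and logged as `fw`) are constructed assumptions; intra-zone traffic is left out of the check.

```python
import itertools

# Constructed policy files in /etc/shorewall/policy format (SOURCE DEST POLICY LOG-LEVEL).
# SPARSE_POLICY is the common minimal setup; FULL_POLICY spells out every zone pair and
# keeps "all all REJECT" only as the safety net.
SPARSE_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
net      all   DROP    info
all      all   REJECT  info
"""

FULL_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL
loc      net   ACCEPT
loc      $FW   ACCEPT
$FW      net   ACCEPT
$FW      loc   ACCEPT
net      loc   DROP    info
net      $FW   DROP    info
all      all   REJECT  info
"""


def _zone(name):
    """Shorewall writes the firewall zone as $FW in the file but names its chains 'fw'."""
    return "fw" if name == "$FW" else name


def parse_policy(text):
    """Return policy entries in file order as (source, dest, policy) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        entries.append((_zone(parts[0]), _zone(parts[1]), parts[2].upper()))
    return entries


def matching_policy(entries, src, dst):
    """First entry whose SOURCE/DEST match the pair; 'all' matches any zone."""
    for esrc, edst, policy in entries:
        if esrc in (src, "all") and edst in (dst, "all"):
            return esrc, edst, policy
    return None


def coverage(zones, text):
    """Map every ordered zone pair to '<chain>:<policy>' as it would appear in the log."""
    entries = parse_policy(text)
    result = {}
    for src, dst in itertools.permutations(zones, 2):
        m = matching_policy(entries, src, dst)
        # None means no policy at all for the pair; Shorewall would refuse to start.
        result[(src, dst)] = None if m is None else "%s2%s:%s" % m
    return result


def generic_pairs(zones, text):
    """Zone pairs whose log lines would come from an 'all' chain (net2all, all2all, ...)."""
    return sorted(pair for pair, chain in coverage(zones, text).items()
                  if chain is None or chain.startswith("all2") or "2all:" in chain)


if __name__ == "__main__":
    zones = ["fw", "net", "loc"]
    for name, text in (("sparse", SPARSE_POLICY), ("full", FULL_POLICY)):
        print("%s policy: pairs logged from a generic chain: %s"
              % (name, generic_pairs(zones, text) or "none"))
```

With the sparse file, five of the six zone pairs log from net2all or all2all, which is why a REJECT line from all2all tells you so little about where the packet came from; with the full matrix, every drop names both zones.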
Brian Neu
2007-Feb-06 18:01 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
tried this once before on:

Date: Fri, 2 Feb 2007 09:43:28 -0800 (PST)

but the email never showed up

Tom Eastep <teastep@shorewall.net> wrote:

Brian Neu wrote:
> Unfortunately, I don't have that option in this environment because the
> company has a series of Linksys VPN routers at remote locations
> (construction trailers) which sometimes even get moved around.
>
> Personally, and for other clients, I use OpenVPN everywhere. This case
> is different though, and they have a legit reason to stick with this.
>
> Is there anyway to find out why DNAT of ESP proto gets rejected at the
> firewall?
>
> Here is the dreaded log msg:
>
> kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=(clientIP) DST=(fwIP)
> LEN=152 TOS=0x00 PREC=0x00 TTL=21 ID=1029 PROTO=ESP SPI=0xca69d85a
>
> But in "rules" I have:
> DNAT    net    jgi:(internalOpenSwanIP)    esp    -    -    (fwIP)
>
> So that part alone is throwing me more than anything right now.
>
> Even crazier is that it was working last night for a little while and
> the ESP reject msgs stopped. Now they pop up every couple seconds and
> things aren't working.

We're shooting totally in the dark here. Is 'eth1' your net interface or a local one? The reason I ask is that most people at least have a 'net->all' policy which would log policy drops from the 'net' zone out of a chain named 'net2all' whereas the above is being logged from 'all2all'. As Paul Gear advises frequently on this list and elsewhere, you get much more helpful information from your log if you define the entire zone-x-zone matrix in your /etc/shorewall/policy file.

I would really like to see the information requested at http://www.shorewall.net/support.htm#Guidelines. And please don't obfuscate the information -- IP addresses aren't state secrets.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-Feb-06 20:41 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Brian Neu wrote:
>
> Even crazier is that it was working last night for a little while and
> the ESP reject msgs stopped. Now they pop up every couple seconds and
> things aren't working.

Was there a "shorewall restart" about the time that it stopped working?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-Feb-06 21:13 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Brian Neu wrote:
> tried this once before on: Date: Fri, 2 Feb 2007 09:43:28 -0800 (PST)
>

I don't understand why you are seeing the behavior that you are seeing. OTOH, NAT-T was invented for a reason (the reason being that NAT of IPSEC doesn't work reliably). So I suggest that you implement NAT-T between these gateways or move the local gateway to the firewall system.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Brian Neu
2007-Feb-07 05:42 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
OK, umm, tried NAT-T -- no good. It might be the Linksys clients, but they seem to support NAT-T in the documentation.

Is there some kind of option on the interfaces that might be causing this? Maybe the traffic control? Does listing that machine as a provider have strange consequences?

I've even tried (possibly foolishly) to insert in front rules to DNAT -- no luck. Then I tried marking and then DNAT'ing. Nope. The server still rejects.

I've determined that it may very well be that this server hates me or I am the victim of international mental terrorism/torture.

I'm going to give installing on the firewall a shot, but that mucks up my architecture badly between owners of equipment in this data center.

---moving VPN to firewall was successful, but highly undesirable---

Arrrrg, I don't want to move all those construction guys to OpenVPN because they are too stupid to use it, even with the cute GUI.

Many thanks again Tom.

Tom Eastep <teastep@shorewall.net> wrote:

Brian Neu wrote:
> tried this once before on: Date: Fri, 2 Feb 2007 09:43:28 -0800 (PST)
>

I don't understand why you are seeing the behavior that you are seeing. OTOH, NAT-T was invented for a reason (the reason being that NAT of IPSEC doesn't work reliably). So I suggest that you implement NAT-T between these gateways or move the local gateway to the firewall system.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2007-Feb-07 12:18 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
On Tue, Feb 06, 2007 at 09:42:12PM -0800, Brian Neu wrote:
> OK, umm, tried NAT-T -- no good. It might be the Linksys clients,
> but they seem to support NAT-T in the documentation.

For what it's worth, it's not just you - having trouble persuading third party ipsec clients to work with NAT is normal. Some of them just don't, some of them will only do it if you do things to them that aren't documented.

(I am very happy that I no longer have to deal with ipsec in any form)

> I'm going to give installing on the firewall a shot, but that mucks
> up my architecture badly between owners of equipment in this data
> center.

The 'right' workaround is to get another internet-routable IP address assigned for the VPN server. Then you can keep it behind the firewall, just don't NAT any of the ipsec traffic. My understanding is that this is the approach taken by most people running large ipsec deployments, because trying to get NAT to work reliably is such a pain.
Stephen Carville
2007-Feb-07 15:58 UTC
Re: OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall
Andrew Suffield wrote:
> On Tue, Feb 06, 2007 at 09:42:12PM -0800, Brian Neu wrote:
>> OK, umm, tried NAT-T -- no good. It might be the Linksys clients,
>> but they seem to support NAT-T in the documentation.
>
> For what it's worth, it's not just you - having trouble persuading
> third party ipsec clients to work with NAT is normal. Some of them
> just don't, some of them will only do it if you do things to them that
> aren't documented.

To throw in my $0.02, I've been able to get Linux and FreeSWAN talking to Checkpoint and Cisco and Cisco talking to Checkpoint but I had to jump thru hoops within hoops to get it done. As standard IPSEC isn't. Seems like everybody has (or had, I haven't used it in about 4 years) their own proprietary version of it. IPSEC is, IMO, the token ring of tunneling and, frankly, I hope it shares the same fate.

> (I am very happy that I no longer have to deal with ipsec in any form)

If I believed in any gods I would thank them for every day I don't have to use IPSEC.

>> I'm going to give installing on the firewall a shot, but that mucks
>> up my architecture badly between owners of equipment in this data
>> center.
>
> The 'right' workaround is to get another internet-routable IP address
> assigned for the VPN server. Then you can keep it behind the firewall,
> just don't NAT any of the ipsec traffic. My understanding is that this
> is the approach taken by most people running large ipsec deployments,
> because trying to get NAT to work reliably is such a pain.

I have to agree. If both ends have routable addresses you can switch to AH which, IMO again, is more reliable and easier to work with. Especially between different implementations.