Hi Vene,
Would appreciate any help you can give as I am not sure which NAT you are
talking about.
A little more background. I am replacing a Windows 2000 routing and remote
access machine that was acting as the gateway and performing NAT for Internet
access for our local clients. In this setup the cisco VPN clients had no
problem connecting to the vpn concentrator. The only difference in any setup is
the replacement of the 2000 machine with the Ubuntu gateway machine. I am
really confused why this isn't working as all local clients have full
internet access using the public IP of the gateway server.
In the cisco vpn client log I have noticed entries such as:
3604 13:43:54.925 04/18/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.110.142.69
3605 13:43:54.925 04/18/07 Sev=Info/4 IKE/0xE3000033
Invalid payload: length stated is smaller than length of header alone.
3606 13:43:54.925 04/18/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id:
0x321FFD92)
And a lot of messages such as:
3599 13:43:46.925 04/18/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.110.142.69
3600 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from 203.110.142.69
3601 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
3602 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to 203.110.142.69
Any ideas?
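As an added example (not part of any message in this thread), here is a small Python analyser for Cisco VPN Client IKE log excerpts of the kind quoted above. The embedded sample log is constructed from the quoted entries; the entry header format, the peer attribution, the retransmission and malformed-payload counters and the diagnostic wording are the example's own, as is the suggestion to compare the IKE traffic (UDP/500, and UDP/4500 once NAT traversal is negotiated) on both sides of the gateway.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Entry header as it appears in the quoted Cisco VPN Client log:
#   "<seq> <HH:MM:SS.mmm> <MM/DD/YY> Sev=<Level>/<n> <Module>/<hex code>"
# followed by one or more message lines (a message may wrap onto a second line).
HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<date>\d\d/\d\d/\d\d)\s+"
    r"Sev=(?P<level>\w+)/(?P<num>\d)\s+(?P<module>\w+)/(?P<code>0x[0-9A-Fa-f]+)$"
)
# Peer address as it appears in "peer = X", "from X" or "to X".
PEER_RE = re.compile(r"\b(?:peer = |from |to )(?P<peer>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample: the entries quoted in the thread, re-assembled in order.
SAMPLE_LOG = """\
3599 13:43:46.925 04/18/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.110.142.69
3600 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000014
RECEIVING <<< ISAKMP OAK AG (Retransmission) from 203.110.142.69
3601 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000021
Retransmitting last packet!
3602 13:43:46.925 04/18/07 Sev=Info/4 IKE/0x63000013
SENDING >>> ISAKMP OAK AG *(Retransmission) to 203.110.142.69
3604 13:43:54.925 04/18/07 Sev=Info/5 IKE/0x6300002F
Received ISAKMP packet: peer = 203.110.142.69
3605 13:43:54.925 04/18/07 Sev=Info/4 IKE/0xE3000033
Invalid payload: length stated is smaller than length of header alone.
3606 13:43:54.925 04/18/07 Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id:
0x321FFD92)
"""


def parse_entries(text):
    """Split the log into entries; wrapped message lines are joined."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.groupdict()
            current["when"] = datetime.strptime(
                f"{current['date']} {current['time']}", "%m/%d/%y %H:%M:%S.%f")
            current["message"] = ""
            entries.append(current)
        elif current is not None:
            current["message"] = (current["message"] + " " + line).strip()
    return entries


def summarize(entries):
    """Count, per peer, the symptoms of a stalled IKE aggressive-mode exchange."""
    per_peer = defaultdict(Counter)
    times = defaultdict(list)
    last_peer = "unknown"  # entries without an address belong to the last peer seen
    for e in entries:
        msg = e["message"]
        m = PEER_RE.search(msg)
        if m:
            last_peer = m.group("peer")
        c = per_peer[last_peer]
        times[last_peer].append(e["when"])
        if msg.startswith("Received ISAKMP packet"):
            c["packets_received"] += 1
        if msg.startswith("RECEIVING") and "Retransmission" in msg:
            c["recv_retransmission"] += 1
        if msg.startswith("SENDING") and "Retransmission" in msg:
            c["sent_retransmission"] += 1
        if "Invalid payload" in msg:
            c["invalid_payload"] += 1
        if "malformed message" in msg:
            c["malformed"] += 1
        if e["level"] == "Warning":
            c["warnings"] += 1
    for peer, ts in times.items():
        per_peer[peer]["stall_seconds"] = int((max(ts) - min(ts)).total_seconds())
    return per_peer


def diagnose(per_peer, peer):
    """Turn the counters for one peer into plain-language findings."""
    c = per_peer.get(peer, Counter())
    findings = []
    if c["recv_retransmission"] and c["sent_retransmission"]:
        findings.append(
            f"{peer}: both ends are retransmitting the aggressive-mode exchange "
            f"over {c['stall_seconds']}s; neither side is accepting the other's reply")
    if c["invalid_payload"] or c["malformed"]:
        findings.append(
            f"{peer}: ISAKMP packets reaching the client are rejected as malformed; "
            "capture UDP/500 (and UDP/4500 once NAT-T is negotiated) on both sides "
            "of the gateway and confirm the NAT leaves the payloads unaltered")
    return findings


if __name__ == "__main__":
    summary = summarize(parse_entries(SAMPLE_LOG))
    for peer in summary:
        for finding in diagnose(summary, peer):
            print(finding)
```

Feed it a longer excerpt of the client log and the per-peer counters show whether the exchange ever progresses past the retransmissions; a non-zero malformed count on every received packet, together with the retransmissions, points at something between the client and the concentrator rather than at the concentrator itself.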
-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net]On Behalf Of Benito
Venegas
Sent: Wednesday, 18 April 2007 9:38 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] IPSec Passthrough fails when using CiscoVPNclient
Peter:
We had to deal with this some weeks ago.
I think the only part you have missed is the NAT.
Cisco VPN requires the desktop has a valid IP.
So just create a NAT, and you'll be OK.
If you still have problems, don't hesitate to contact me and we can do
some tests together.
Cheers,
--
Vene.-
-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of
Peter Wilson
Sent: Monday, April 16, 2007 10:21 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] IPSec Passthrough fails when using Cisco
VPNclient
I have Shorewall running as an office gateway performing NAT for local
clients to access Internet. There is a policy allowing full access from
loc -> net.
Problem arises when trying to connect a Cisco VPN client to a VPN
server on the Internet from a local workstation.
The cisco client log shows:
Automatic NAT Detection Status:
Remote end is NOT behind a NAT device
This end IS behind a NAT device
If I bypass the Linux Shorewall gateway the connection works perfectly.
This is the only type of connection to the Internet that seems to have
any problems - www, https, ftp, MSN etc all connect no problem.
I have tried to remove shorewall from the equation by doing the
following with no luck.
sudo shorewall clear
sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j MASQUERADE
I have searched high and low but have not been able to find anything
that will help with this problem. Has anyone else had a similar
experience? Can anyone point me in the right direction as this problem
is completely beyond my knowledge and experience.
Attached is the status.txt file as created by shorewall dump. For this
example I attempted to connect between 192.168.118.118 and
203.110.142.69. If I have missed anything or you need further
information please let me know.
Thank you in advance,
Peter
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users