PROBLEM: Shorewall gives the following log message, and no traffic will pass through the VPN. This is an attempt to ping a PC on the other side of the VPN endpoint.

Jan 12 13:48:41 localhost Shorewall:FORWARD:REJECT:IN=eth2 OUT=ipsec0 SRC=192.168.1.xxx DST=192.168.5.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42007 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=39424

I am configuring a Linux firewall to act as a VPN endpoint. The remote endpoints are all commercial VPN routers.

I have a Debian Etch base install { debian_version = 4 }
I have Openswan installed { Linux Openswan 2.4.6 (klips) }
- I have recompiled the kernel to include KLIPS modular support { kernel = 2.6.18-i686 }
- I have also compiled the KLIPS module for Openswan
I am using the Debian shorewall package { Shorewall-3.2.6 }

I have attempted previously to configure everything the "new" way, using the vanilla Debian kernel and following all the documentation. However, the documentation was so outdated and scrambled that I was not able to get anywhere with even basic troubleshooting. I am also much more familiar with the Freeswan implementation (which this whole thing is an upgrade for), so I reconfigured Debian to support an ipsec+ interface. The VPN side of everything was easy (even using racoon) and has never been a problem. Getting Shorewall to play nice with VPNs seems to be my only hanging point.

Any help would be greatly appreciated.

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourceForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
John Smith wrote:
> PROBLEM: Shorewall gives the following log message, and no traffic
> will pass through the VPN. This is an attempt to ping a PC on the
> other side of the VPN endpoint.
> Jan 12 13:48:41 localhost Shorewall:FORWARD:REJECT:IN=eth2 OUT=ipsec0
> SRC=192.168.1.xxx DST=192.168.5.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=42007 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=39424

OP couldn't make it work the modern way so ...

> I reconfigured debian to support an ipsec+
> interface. The VPN side of everything was easy (even using racoon)
> and has never been a problem. Getting shorewall to play nice with
> VPNs seems to be my only hanging point.

If you are going to configure IPSEC the old way then you need to configure Shorewall the old way: http://www.shorewall.net/3.0/IPSEC.htm
Philipp Rusch - New Vision IT
2009-Jan-13 06:38 UTC
Re: Shorewall + Debian + Openswan = FORWARD:REJECT
Shorewall Guy wrote:
> John Smith wrote:
>
>> PROBLEM: Shorewall gives the following log message, and no traffic
>> will pass through the VPN. This is an attempt to ping a PC on the
>> other side of the VPN endpoint.
>> Jan 12 13:48:41 localhost Shorewall:FORWARD:REJECT:IN=eth2 OUT=ipsec0
>> SRC=192.168.1.xxx DST=192.168.5.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127
>> ID=42007 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=39424
>
> OP couldn't make it work the modern way so ...
>
>> I reconfigured debian to support an ipsec+
>> interface. The VPN side of everything was easy (even using racoon)
>> and has never been a problem. Getting shorewall to play nice with
>> VPNs seems to be my only hanging point.
>
> If you are going to configure IPSEC the old way then you need to
> configure Shorewall the old way: http://www.shorewall.net/3.0/IPSEC.htm
>

Hi John,

have you had a look at Strongswan? www.strongswan.org
Their new version 4.x has never caused any trouble and support is excellent. These guys from Switzerland really do a great job; the documentation is extraordinary, as we are used to from Shorewall. :-) And it works together with Shorewall in a straightforward manner. Give it a try and you'll see for yourself.

HTH,
- Philipp
I have read every single piece of Shorewall documentation pertaining to this subject. I believe I have a firm grasp on how to configure Shorewall, and have obviously followed the directions given in the documentation for this particular setup.

I say again, my PROBLEM is that Shorewall does not forward packets from the internal network through to the ipsec interface, as evidenced by the log message I posted. I need to understand why this is, so that I can fix it.

On my previous Freeswan implementation I recall having to write a forwarding rule which included some sort of NAT'ing. Shorewall, as far as I can tell, has no place that a forwarding rule can be made. The policy & rules files do not allow such.

QUESTION: How do I configure Shorewall to forward traffic from the internal network that is destined for the remote network through the ipsec interface?

Thank you.

On Mon, Jan 12, 2009 at 4:49 PM, Shorewall Guy <shorewalljunky@comcast.net> wrote:
> John Smith wrote:
>> PROBLEM: Shorewall gives the following log message, and no traffic
>> will pass through the VPN. This is an attempt to ping a PC on the
>> other side of the VPN endpoint.
>> Jan 12 13:48:41 localhost Shorewall:FORWARD:REJECT:IN=eth2 OUT=ipsec0
>> SRC=192.168.1.xxx DST=192.168.5.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127
>> ID=42007 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=39424
>
> OP couldn't make it work the modern way so ...
>
>> I reconfigured debian to support an ipsec+
>> interface. The VPN side of everything was easy (even using racoon)
>> and has never been a problem. Getting shorewall to play nice with
>> VPNs seems to be my only hanging point.
>
> If you are going to configure IPSEC the old way then you need to
> configure Shorewall the old way: http://www.shorewall.net/3.0/IPSEC.htm
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
John Smith wrote:
> I have read every single piece of shorewall documentation pertaining
> to this subject. I believe I have a firm grasp on how to configure
> Shorewall, and have obviously followed the directions given in the
> documentation for this particular setup.

No you have not. In the article that I pointed you to, there is NO MENTION AT ALL of specifying a zone type of 'ipsec' in /etc/shorewall/zones yet you appear to have done exactly that on your 'vpn' zone. I suspect that if you change the type to 'ipv4', then the packets will be forwarded as you want.

Disclaimer -- I've never heard of anyone configuring a kernel 2.6 system the way that you have configured yours. All of our IPSEC testing here at shorewall.net with kernel 2.6 has been with the "new" configuration method without an ipsecN interface.
Shorewall Guy,

Although my /etc/shorewall/zones configuration was as follows:

    ###############################################################################
    #ZONE   TYPE        OPTIONS     IN          OUT
    #                               OPTIONS     OPTIONS
    fw      firewall
    vpn     ipv4
    loc     ipv4
    net     ipv4
    #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

I remembered that the ipsec option can also be specified in /etc/shorewall/hosts for the same effect.

    ###############################################################################
    #ZONE   HOST(S)                 OPTIONS
    vpn     ipsec0:192.168.5.0/24   ipsec
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

I overlooked removing it when I reconfigured everything. I have removed the ipsec option, and I no longer get the REJECT message.

Thank you for your assistance. Keep up the good work!

PS - still can't get traffic to pass through the VPN, but I don't believe this is an issue with Shorewall anymore, as I'm getting no DROP/REJECT messages in the logs anymore, and the packet counters show:

    Chain loc2vpn (1 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
        8   480 ACCEPT     0    --  *      *       0.0.0.0/0            0.0.0.0/0

On Tue, Jan 13, 2009 at 1:59 PM, Shorewall Guy <shorewalljunky@comcast.net> wrote:
> John Smith wrote:
>> I have read every single piece of shorewall documentation pertaining
>> to this subject. I believe I have a firm grasp on how to configure
>> Shorewall, and have obviously followed the directions given in the
>> documentation for this particular setup.
>
> No you have not. In the article that I pointed you to, there is NO
> MENTION AT ALL of specifying a zone type of 'ipsec' in
> /etc/shorewall/zones yet you appear to have done exactly that on your
> 'vpn' zone. I suspect that if you change the type to 'ipv4', then the
> packets will be forwarded as you want.
>
> Disclaimer -- I've never heard of anyone configuring a kernel 2.6 system
> the way that you have configured yours. All of our IPSEC testing here
> at shorewall.net with kernel 2.6 has been with the "new" configuration
> method without an ipsecN interface.
John Smith wrote:
>
> I remembered that the ipsec option can also be specified in
> /etc/shorewall/hosts for the same effect.

After I had sent my response, it occurred to me that I didn't look at the dump closely enough to determine if the 'ipsec' was on the zone or host level. My apology for the oversight.

> Thank you for your assistance. Keep up the good work!
>

You're welcome.
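The zones/hosts mix-up John resolved in this thread, turned into a small lint check. This is an added example, not Shorewall's own code and not anything posted in the thread: it parses constructed copies of the posted /etc/shorewall/zones and /etc/shorewall/hosts files and flags any zone whose 'ipsec' type (in zones) or 'ipsec' option (in hosts) is attached to a KLIPS ipsecN interface, the combination that produced the FORWARD:REJECT. The sample file contents, the function names and the handling of the ipsec+ wildcard are assumptions of this example.

```python
import re

# Constructed samples mirroring the two files posted in the thread (not the OP's real files).
ZONES_POSTED = """\
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
vpn     ipv4
loc     ipv4
net     ipv4
"""
HOSTS_BROKEN = """\
#ZONE   HOST(S)                 OPTIONS
vpn     ipsec0:192.168.5.0/24   ipsec
"""
HOSTS_FIXED = """\
#ZONE   HOST(S)                 OPTIONS
vpn     ipsec0:192.168.5.0/24
"""

# KLIPS virtual interfaces: ipsec0, ipsec1, ... or the ipsec+ wildcard (assumed form).
KLIPS_IFACE = re.compile(r"^ipsec(\d+|\+)$")


def parse_table(text):
    """Yield the whitespace-separated columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def ipsec_type_zones(zones_text):
    """Zones declared with TYPE 'ipsec' in /etc/shorewall/zones."""
    return {c[0] for c in parse_table(zones_text) if len(c) > 1 and c[1] == "ipsec"}


def find_conflicts(zones_text, hosts_text):
    """Return (zone, interface) pairs where the 'ipsec' zone type or the 'ipsec'
    hosts option is attached to a KLIPS ipsecN interface: the marking belongs to
    the interface-less 'new' method, and in the thread it caused the REJECT."""
    marked = ipsec_type_zones(zones_text)
    conflicts = []
    for cols in parse_table(hosts_text):
        zone, iface = cols[0], cols[1].split(":", 1)[0]
        options = set(cols[2].split(",")) if len(cols) > 2 else set()
        if KLIPS_IFACE.match(iface) and (zone in marked or "ipsec" in options):
            conflicts.append((zone, iface))
    return conflicts
```

Running find_conflicts on the posted hosts file reports the vpn/ipsec0 pair; on the corrected file (option removed) it reports nothing, and it also catches the zone-type variant Shorewall Guy first suspected.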