Hi All,
Just joined the list to try and solve a problem.
To show that I've read the rules I'll start with the requested info.
os linux kernel-2.4.27 with latest netfilter pom for gre and pptp conntrack 
etc
iptables is 1.3.0 - downloaded and compiled with the pom stuff and the 2.4.27 
kernel
shorewall version shorewall-2.2.1-2 from rpm
ip addr show
[root@squid3 root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:ac:16:29:b8 brd ff:ff:ff:ff:ff:ff
    inet 172.20.1.1/24 brd 172.20.1.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:05:a4:27:f1 brd ff:ff:ff:ff:ff:ff
    inet 196.25.62.97/30 brd 196.25.62.99 scope global eth1
4: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
5: gre0@NONE: <NOARP> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
ip route show
[root@squid3 root]# ip route show
196.25.62.96/30 dev eth1  scope link
172.20.4.0/24 via 172.20.1.3 dev eth0
192.168.2.0/24 via 172.20.1.3 dev eth0
172.20.1.0/24 dev eth0  scope link
172.19.9.0/24 via 172.20.1.252 dev eth0
10.1.130.0/24 via 172.20.1.252 dev eth0
10.1.131.0/24 via 172.20.1.252 dev eth0
10.1.132.0/24 via 172.20.1.252 dev eth0
192.168.252.0/24 via 172.20.1.252 dev eth0
172.21.2.0/24 via 172.20.1.252 dev eth0
172.17.1.0/24 via 172.20.1.252 dev eth0
198.54.229.0/24 via 172.20.1.252 dev eth0
10.2.0.0/16 via 172.20.1.252 dev eth0
10.3.0.0/16 via 172.20.1.252 dev eth0
10.1.0.0/16 via 172.20.1.252 dev eth0
172.30.0.0/16 via 172.20.1.252 dev eth0
10.4.0.0/16 via 172.20.1.252 dev eth0
10.10.0.0/16 via 172.20.1.252 dev eth0
169.254.0.0/16 dev eth1  scope link
192.168.0.0/16 via 172.20.1.252 dev eth0
127.0.0.0/8 dev lo  scope link
default via 196.25.62.98 dev eth1
[root@squid3 root]#
Attached is the output of shorewall status as well as the /etc/shorewall files 
I modded.
Okay here's the plot!
The server runs as a simple firewall and squid proxy server for our country 
wide users and a few customers, hence the largish route table. Squid takes care 
of the http traffic and masq takes care of the rest.
I then needed to allow up to 6 users to connect to a Cisco router at SSA/Baan 
in the USA. With the original config without the upgrade to iptables 1.3.0 
and the pom stuff I could only make a single connection at a time! Please 
bear in mind that the clients are inside the loc zone and the server is out 
on the wild internet. I then dug around and did some googling to find what I 
needed to do. Netfilter, monmotha and shorewall pointed me to the need of 
tracking gre and pptp connections which is logical I guess!
Popped over to the netfilter ftp site and downloaded 1.3.0 plus the latest 
pom. I had already upgraded the kernel to 2.4.27 so I just went ahead and 
used the pom tool to patch the kernel and the iptables source. I ran make 
menuconfig and built all the conntrack stuff together with the rest of 
netfilter into the kernel, compiled and installed iptables 1.3.0. Rebooted to 
the new kernel, corrected the IPTABLES line in shorewall.conf to point to the 
correct one and asked the users to try! Result? Just the same! One connection 
at a time to the remote ip!
I tried building the kernel with the conntrack stuff as modules and still no 
joy :-(
I know the Cisco box we connect to supports multiple connections to its ip 
address as most of our staff who use the vpn service have dialup facilities 
on their workstations and happily dial an ISP and bring up the VPN!
Even tried to use our dreaded isa thing but 'it' only supports a single 
connection to an ip address at a time.
Multiple vpns to different remote IPs works like a wiz! To a single one? 
Naadaa!!
I have management now breathing down my neck so please help!
Cheers
Ang 
-- 
Angela Williams				Enterprise Outsourcing
All Unix/Linux & Cisco spoken here!	Bedfordview
awilliams@eoh.co.za			Gauteng South Africa
Smile!! Jesus Loves You!!
Angela Williams wrote:
> This body part will be downloaded on demand.

Apparently, the message body was not delivered to the list (only your attachments arrived here).

Please re-send the problem description only.

Thanks,
-Tom

-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Angela Williams wrote:
>
>> This body part will be downloaded on demand.
>
> Apparently, the message body was not delivered to the list (only your
> attachments arrived here).
>
> Please re-send the problem description only.

Never mind -- It was apparently my mailer that was confused (or possibly, just me :-) )

-Tom
Angela Williams wrote:
>
> Multiple vpns to different remote IPs works like a wiz! To a single one?
> Naadaa!!
>
> I have management now breathing down my neck so please help!

Unfortunately, I don't see anything that you've done wrong. The four pptp conntrack/nat modules are loaded and there is nothing that you can do in your Shorewall config that will have any effect on this problem.

When you have a single VPN connection working, what does the output of "shorewall show connections" look like?

What about if you try a second connection -- how does that output change?

-Tom
On Wednesday 23 March 2005 18:27, Tom Eastep wrote:
> Angela Williams wrote:
>> Multiple vpns to different remote IPs works like a wiz! To a single one?
>> Naadaa!!
>>
>> I have management now breathing down my neck so please help!
>
> Unfortunately, I don't see anything that you've done wrong. The four
> pptp conntrack/nat modules are loaded and there is nothing that you can
> do in your Shorewall config that will have any effect on this problem.
>
> When you have a single VPN connection working, what does the output of
> "shorewall show connections" look like?
>
> What about if you try a second connection -- how does that output change?

I'll let you know in the morning my time!

Ang
Angela Williams wrote:
> I know the Cisco box we connect to supports multiple connections to its ip
> address as most of our staff who use the vpn service have dialup facilities
> on their workstations and happily dial an ISP and bring up the VPN!

Do you know for certain that the Cisco supports multiple connections *from the same IP address*?

-Tom
Tom Eastep wrote on 23/03/2005 14:38:27:
> Angela Williams wrote:
>
>> I know the Cisco box we connect to supports multiple connections to its ip
>> address as most of our staff who use the vpn service have dialup facilities
>> on their workstations and happily dial an ISP and bring up the VPN!
>
> Do you know for certain that the Cisco supports multiple connections
> *from the same IP address*?
>
> -Tom

I think the problem here is that the other part probably doesn't use the conntrack-pptp modules. For him, they are all part of a unique PPTP connection. If you have a number of Public IPs available, you could use a one-to-one nat scheme. But public IPs are not a cheap commodity nowadays...

________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
Eduardo Ferreira wrote:
>
> I think the problem here is that the other part probably doesn't use the
> conntrack-pptp modules.

The other end is a Cisco. Angela has the conntrack-pptp modules loaded correctly on her end.

> For him, they are all part of a unique PPTP
> connection. If you have a number of Public IPs available, you could use
> a one-to-one nat scheme. But public IPs are not a cheap commodity
> nowadays...
>

Angela's firewall has only a single external IP address currently.

-Tom
Tom Eastep wrote on 23/03/2005 16:36:21:
> Eduardo Ferreira wrote:
>>
>> I think the problem here is that the other part probably doesn't use the
>> conntrack-pptp modules.
>
> The other end is a Cisco. Angela has the conntrack-pptp modules loaded
> correctly on her end.
>
>> For him, they are all part of a unique PPTP
>> connection. If you have a number of Public IPs available, you could use
>> a one-to-one nat scheme. But public IPs are not a cheap commodity
>> nowadays...
>>
>
> Angela's firewall has only a single external IP address currently.
>
> -Tom

Ok, repeat with me: "read all messages in a thread before answering" ;-)

/sorry
Hi All!

On Wednesday 23 March 2005 21:45, Eduardo Ferreira wrote:
> Tom Eastep wrote on 23/03/2005 16:36:21:
>> Eduardo Ferreira wrote:
>>> I think the problem here is that the other part probably doesn't use the
>>> conntrack-pptp modules.
>>
>> The other end is a Cisco. Angela has the conntrack-pptp modules loaded
>> correctly on her end.
>>
>>> For him, they are all part of a unique PPTP
>>> connection. If you have a number of Public IPs available, you could use
>>> a one-to-one nat scheme. But public IPs are not a cheap commodity
>>> nowadays...

That would have solved the problem! Just had an email back from EXE and they say one ip - one connection!

>> Angela's firewall has only a single external IP address currently.

I had made it clear to EXE that we would be making multiple connections from a single ip but I guess they missed it! We will now try with the Cisco VPN Client. I could of course hack my routing on my internal routers to point to my firewall that has a whole class C subnet, but that would mean kernel, iptables + pom upgrades on a very heavily used box. If it works I tend to leave it alone!

Thanks tons for your help!

Cheers
Ang
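Tom's diagnostic above (compare "shorewall show connections" with one tunnel and then with two) and Angela's resolution (the remote end admits one tunnel per source IP) can be turned into a check. The following Python is an added example, not code from the thread or from Shorewall: it parses a constructed /proc/net/ip_conntrack-style table (field layout and GRE key placement are assumed, the server address 203.0.113.10 is made up) and reports, per internal client, what the PPTP server sees after NAT: the same public IP, but distinct NATed control ports and GRE call IDs. Distinct identifiers show the pptp conntrack/nat helpers are doing their job on the firewall, leaving the one-IP-one-connection limit at the remote end.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of /proc/net/ip_conntrack on a 2.4 kernel with the
# pptp/gre helpers; field layout and GRE key placement are assumed, not verified.
SAMPLE_TABLE = """\
tcp      6 431990 ESTABLISHED src=172.20.1.50 dst=203.0.113.10 sport=1042 dport=1723 src=203.0.113.10 dst=196.25.62.97 sport=1723 dport=1042 [ASSURED] use=1
gre      47 179 timeout=180, stream_timeout=180 src=172.20.1.50 dst=203.0.113.10 srckey=0x1 dstkey=0x8001 src=203.0.113.10 dst=196.25.62.97 srckey=0x8001 dstkey=0x1 [ASSURED] use=1
tcp      6 431995 ESTABLISHED src=172.20.1.51 dst=203.0.113.10 sport=1042 dport=1723 src=203.0.113.10 dst=196.25.62.97 sport=1723 dport=1043 [ASSURED] use=1
gre      47 179 timeout=180, stream_timeout=180 src=172.20.1.51 dst=203.0.113.10 srckey=0x1 dstkey=0x8002 src=203.0.113.10 dst=196.25.62.97 srckey=0x8002 dstkey=0x2 [ASSURED] use=1
"""
PAIR_RE = re.compile(r"(\w+)=([^\s,]+)")

def parse_conntrack(text):
    """One dict per entry; the second src= on a line starts the reply tuple."""
    entries = []
    for line in text.strip().splitlines():
        orig, reply = {}, {}
        current = orig
        for key, val in PAIR_RE.findall(line):
            if key == "src" and "src" in current:
                current = reply
            current[key] = val
        entries.append({"proto": line.split()[0], "orig": orig, "reply": reply})
    return entries

def tunnel_view(entries, server):
    """Per internal client: public IP, NATed control port and NATed GRE call ID
    (reply-tuple fields), i.e. what the PPTP server actually sees."""
    view = defaultdict(dict)
    for e in entries:
        if e["orig"].get("dst") != server:
            continue
        client = e["orig"]["src"]
        if e["proto"] == "tcp" and e["orig"].get("dport") == "1723":
            view[client]["public_ip"] = e["reply"]["dst"]
            view[client]["nat_port"] = e["reply"]["dport"]
        elif e["proto"] == "gre":
            view[client]["nat_callid"] = e["reply"]["dstkey"]
    return dict(view)

def distinct_after_nat(view):
    """True if every tunnel got a unique (public IP, call ID); False blames the firewall."""
    pairs = [(v.get("public_ip"), v.get("nat_callid")) for v in view.values()]
    return len(pairs) == len(set(pairs))

def clients_per_public_ip(view):
    """Tunnels per public IP; a server admitting one per address drops the rest."""
    return dict(Counter(v.get("public_ip") for v in view.values()))
```

On a real box, feed it the output of "shorewall show connections" (or cat /proc/net/ip_conntrack) instead of SAMPLE_TABLE and pass the real PPTP server address.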