Shorewall users - Oct 2004 - Maquerading through IPSECed wireless dropping packets selectively?

Hello,

I''m stuck IPSECing my wireless network at home and would appreciate any
comments. I appologize in advance if I''m wasting your time with trivia
-
I''m not a professional and staring at the problem for days from various
angles hasn''t done me any good ...

My home server/firewall (morannon) is hooked up through an USB to 
ethernet adapter (eth1) to my DSL modem. Its network card (eth0; 
192.168.1.1) serves through a linksys WAP11 wireless in the house 
(including acting as a dhcp server). The server is masquerading the 
entire local network (192.168.1.0) to the outside world. It runs a 
debian 2.6.8 kernel. I have had this setup up and running for month 
using shorewall and an unencrypted wireless network - so I know the 
basics.

The machine connecting trough the wireless network to the server (and
the world) is my laptop (precious), which is being delt 192.168.1.3 by 
dhcp. It is runnign a home made 2.6.9 kernel.

I have set out tunneling the wireless traffic through IPSEC, using
openswan and following more or less this document:
http://www.natecarlson.com/linux/ipsec-x509.php

I have succeeded doing that. I can ping both the server/firewall and
outside systems from my laptop and tcpdump on the respective interfaces
reports properly ESPed packets.

The situation becomes strange when e.g. trying to connect from the
laptop to webpages: google.com is accessed without problems for example
(all packets being IPSECed), while access to other pages (including
shorewall.net e.g.) times out. Connection is established, even the
location bar icon shows up and then things grind to a halt. This seems
to be associated with errors like:
> 11:30:47.273230 IP precious_cabled > dns1.lsanca.sbcglobal.net: icmp 
> 247: precious_cabled udp port 32837 unreachable
I''ve played around with this a ton and can''t get it to work. I
would
highly appreciate any hints - kicks in the b... as well (if they propell
me into the right direction).

Please find Information gathered from morannon below.

Thanks a lot for looking at this,

Joh
> shorewall version
2.0.9
--> debian testing *.deb
> ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen
1000    link/ether 00:40:63:ca:c3:ca brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::240:63ff:feca:c3ca/64 scope link 
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1540 qdisc pfifo_fast qlen 1000
    link/ether 00:10:60:e9:b1:08 brd ff:ff:ff:ff:ff:ff
    inet 69.111.9.163/24 brd 69.111.9.255 scope global eth1
    inet6 fe80::210:60ff:fee9:b108/64 scope link 
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop 
    link/sit 0.0.0.0 brd 0.0.0.0
>ip route show
192.168.1.3 via 192.168.1.3 dev eth0 
69.111.9.0/24 dev eth1  proto kernel  scope link  src 69.111.9.163 
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1 
default via 69.111.9.162 dev eth1

Outputs of ''shorewall show'' and ''shorewall
status'' are attached, as are
the contents of my /etc/shorewall directory.

Thanks again for taking the time to look through this,

Joh

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Johannes Graumann wrote:
> 
> The situation becomes strange when e.g. trying to connect from the
> laptop to webpages: google.com is accessed without problems for example
> (all packets being IPSECed), while access to other pages (including
> shorewall.net e.g.) times out. Connection is established, even the
> location bar icon shows up and then things grind to a halt. This seems
> to be associated with errors like:
> 
>>11:30:47.273230 IP precious_cabled > dns1.lsanca.sbcglobal.net: icmp 
>>247: precious_cabled udp port 32837 unreachable
> 
> 
> I''ve played around with this a ton and can''t get it to
work. I would
> highly appreciate any hints - kicks in the b... as well (if they propell
> me into the right direction).
> 
You probably need to set the MSS for traffic FROM your wireless zone to
1400 or so. That''s what I have to do to avoid these sorts of problems
from my wireless zone. See http://shorewall.net/myfiles.htm -- look at
the /etc/shorewall/ipsec file on ''ursa'' which is the system
that hosts
my IPSEC wireless gateway. Note that you need to be running Shorewall
2.2.0 Beta 1.

- -Tom
- --
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBhXWgO/MAbZfjDLIRAiVQAJ4tA1aWLb2ne0pdhDtwQBCfMcsAzQCfcFFQ
pRPv5p89phYBfN6Arppt+8s=UKiA
-----END PGP SIGNATURE-----

I''m looking into this ...

Does this require the application of all of the patches below from
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ipsec-01-output-hooks?
Are they all kernel patches?

Joh

Author: Patrick McHardy <kaber@trash.net> 

Status: Testing, should be fine

[NETFILTER+IPSEC 1/4]

This patch adds new output hooks for IPsec. Packets traverse the hooks
like this:

1. -> (plain) FORWARD   -> POST_ROUTING -> (encrypted) LOCAL_OUT ->
POST_ROUTING 
2. -> (plain) LOCAL_OUT -> POST_ROUTING -> (encrypted)
LOCAL_OUT -> POST_ROUTING

Author: Patrick McHardy <kaber@trash.net> 

Status: Testing, should be fine

[NETFILTER+IPSEC 2/4]

This patch makes packets decapsulated by IPsec traverse the netfilter
input hooks again. Packets traverse the hooks like this:

1. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain) PRE_ROUTING ->
LOCAL_IN 
2. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain)
PRE_ROUTING -> FORWARD

Author: Patrick McHardy <kaber@trash.net> 

Status: Testing

[NETFILTER+IPSEC 3/4]

This patch adds policy lookups to ip_route_me_harder and makes
NAT reroute for any change that affects route/policy in LOCAL_OUT
and POST_ROUTING.

Author: Patrick McHardy <kaber@trash.net> 

Status: Testing

[NETFILTER+IPSEC 4/4]

This patch makes xfrm_policy_check locate the correct policy after NAT.
On Sun, 31 Oct 2004 15:30:40 -0800
Tom Eastep <teastep@shorewall.net> wrote:


> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Johannes Graumann wrote:
> 
> > 
> > The situation becomes strange when e.g. trying to connect from the
> > laptop to webpages: google.com is accessed without problems for
> > example(all packets being IPSECed), while access to other pages
> > (including shorewall.net e.g.) times out. Connection is established,
> > even the location bar icon shows up and then things grind to a halt.
> > This seems to be associated with errors like:
> > 
> >>11:30:47.273230 IP precious_cabled > dns1.lsanca.sbcglobal.net:
icmp
> >
> >>247: precious_cabled udp port 32837 unreachable
> > 
> > 
> > I''ve played around with this a ton and can''t get it
to work. I would
> > highly appreciate any hints - kicks in the b... as well (if they
> > propell me into the right direction).
> > 
> 
> You probably need to set the MSS for traffic FROM your wireless zone
> to 1400 or so. That''s what I have to do to avoid these sorts of
> problems from my wireless zone. See http://shorewall.net/myfiles.htm
> -- look at the /etc/shorewall/ipsec file on ''ursa'' which
is the system
> that hosts my IPSEC wireless gateway. Note that you need to be running
> Shorewall 2.2.0 Beta 1.
> 
> - -Tom
> - --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (GNU/Linux)
> 
> iD8DBQFBhXWgO/MAbZfjDLIRAiVQAJ4tA1aWLb2ne0pdhDtwQBCfMcsAzQCfcFFQ
> pRPv5p89phYBfN6Arppt+8s> =UKiA
> -----END PGP SIGNATURE-----

On Tue, 2004-11-02 at 14:41, Johannes Graumann wrote:
> I''m looking into this ...
> 
> Does this require the application of all of the patches below from
>
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ipsec-01-output-hooks?
Yes.
> Are they all kernel patches?
> 
They are all kernel patches and you also need the ''policy
match'' patch
in both your kernel and iptables.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Thanks Tom,

I set out trying that and realized that I can''t get any patches from
the
patch-o-matic (cvs or snapshot) to apply to a pristine 2.6.9 from
kernel.org: Massive rejections. Their HOWTO seems to imply (by way of
requiring''make dep'') that this only works for 2.4 series
kernels? Or is
there a 2.6 series version patch-o-matic will actually work with? Sorry
to bother you with these trivia, but I can''t find any answers to my 2.6
questions on groups.google.com and the netfilter docu is quite silent
about this too...

Thanks for any hints,

Joh

On Tue, 02 Nov 2004 15:40:42 -0800
Tom Eastep <teastep@shorewall.net> wrote:
> On Tue, 2004-11-02 at 14:41, Johannes Graumann wrote:
> > I''m looking into this ...
> > 
> > Does this require the application of all of the patches below from
> >
http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ipsec-01-output-hooks?
> 
> Yes.
> 
> > Are they all kernel patches?
> > 
> 
> They are all kernel patches and you also need the ''policy
match'' patch
> in both your kernel and iptables.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> 
>

On Tue, 2004-11-02 at 22:09, Johannes Graumann wrote:
> Thanks Tom,
> 
> I set out trying that and realized that I can''t get any patches
from the
> patch-o-matic (cvs or snapshot) to apply to a pristine 2.6.9 from
> kernel.org: Massive rejections. Their HOWTO seems to imply (by way of
> requiring''make dep'') that this only works for 2.4 series
kernels? Or is
> there a 2.6 series version patch-o-matic will actually work with? Sorry
> to bother you with these trivia, but I can''t find any answers to
my 2.6
> questions on groups.google.com and the netfilter docu is quite silent
> about this too...
You probably were looking at the now retired ''Patch-o-matic'';
the
current patches (including for 2.6) are in Patch-o-matic-ng. That having
been said, other folks have reported on the list that Patch-o-matic-ng
and 2.6.9 don''t play nice together yet.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom,

Thanks again for your patience. I grabbed 2.6.8.1 from Kernel.org and I
can apply some patches from patch-o-matic-ng to it, but not the ipsec
ones ...
This is just to raw for me and I''ll let it rest for now. Is there any
word when the IPSEC matching will be merged into the main line?

Joh

On Wed, 03 Nov 2004 06:20:39 -0800
Tom Eastep <teastep@shorewall.net> wrote:
> On Tue, 2004-11-02 at 22:09, Johannes Graumann wrote:
> > Thanks Tom,
> > 
> > I set out trying that and realized that I can''t get any
patches from
> > the patch-o-matic (cvs or snapshot) to apply to a pristine 2.6.9
> > from kernel.org: Massive rejections. Their HOWTO seems to imply (by
> > way of requiring''make dep'') that this only works for
2.4 series
> > kernels? Or is there a 2.6 series version patch-o-matic will
> > actually work with? Sorry to bother you with these trivia, but I
> > can''t find any answers to my 2.6 questions on
groups.google.com and
> > the netfilter docu is quite silent about this too...
> 
> You probably were looking at the now retired
''Patch-o-matic''; the
> current patches (including for 2.6) are in Patch-o-matic-ng. That
> having been said, other folks have reported on the list that
> Patch-o-matic-ng and 2.6.9 don''t play nice together yet.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net
> PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> 
>

On Wed, 2004-11-03 at 09:19, Johannes Graumann wrote:
> Tom,
> 
> Thanks again for your patience. I grabbed 2.6.8.1 from Kernel.org and I
> can apply some patches from patch-o-matic-ng to it, but not the ipsec
> ones ...
> This is just to raw for me and I''ll let it rest for now. Is there
any
> word when the IPSEC matching will be merged into the main line?
Haven''t heard -- it is in some commercial distributions though (notably
SuSE 9.1 updates and 9.2).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep wrote:
> 
> 
> Haven''t heard -- it is in some commercial distributions though
(notably
> SuSE 9.1 updates and 9.2).
> 
To put you on the spot, would you care to nominate a distribution
or distributions that are better configured for use in
routers/firewalls? I don''t want to start a holy war here.

On Thu, 2004-11-04 at 00:18, Taso Hatzi wrote:
> To put you on the spot, would you care to nominate a distribution
> or distributions that are better configured for use in
> routers/firewalls? I don''t want to start a holy war here.
Nor do I so I will give you my personal preferences but they should not
be interpreted as recommendations.

I switched to SuSE 9.1 on my firewall because current SuSE kernels
include the Netfilter-ipsec and policy match patches and I really hate
to have to patch/rebuild the kernel. 

I like Debian because the Networking init/config scripts are so
straight-forward and powerful.

If I had a need for "build, install and forget" router/firewalls then
I
would select LEAF/Bering-uClibc installed on CF (no hard drive) and one
of the ultra-small platforms like Wrap or Soekris. Note that this distro
still uses the 2.4 kernel only.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key