Hello,

I'm trying to build a VPN tunnel very much like the one in the document at http://www.shorewall.net/IPSEC.htm. I followed every step in the document carefully and everything works fine except that from either side I cannot connect to the other endpoint by using its private IP address.

Taking the diagram in the above document as an example, I cannot connect from any node in 192.168.1.0/24 to 10.0.0.1 but I can connect to 134.28.54.2. The situation is the same for any node in 10.0.0.0/24 trying to connect to 192.168.1.1.

Except for the endpoint, from any node I can reach any node on the other side. There's no message in my log file, so I come here seeking help.

Did I miss anything?
--On Friday, December 20, 2002 03:33:24 PM +0800 Fengchou Li <sl6xx@luxent.com.tw> wrote:

> Hello,
>
> I'm trying to build a VPN tunnel very much like the one in the document at
> http://www.shorewall.net/IPSEC.htm. I followed every step in the document
> carefully and everything works fine except that from either side I cannot
> connect to the other endpoint by using its private IP address.
>
> Taking the diagram in the above document as an example, I cannot connect
> from any node in 192.168.1.0/24 to 10.0.0.1 but I can connect to
> 134.28.54.2. The situation is the same for any node in 10.0.0.0/24 trying
> to connect to 192.168.1.1.
>
> Except for the endpoint, from any node I can reach any node on the other side.
> There's no message in my log file, so I come here seeking help.
>
> Did I miss anything?
>

No -- that's the way a subnet-subnet tunnel works.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Bertrand Renuart
2002-Dec-20 21:54 UTC
[Shorewall-users] ipsec: subnet/endpoint to endpoint
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net On Behalf Of Tom Eastep
> Sent: Friday 20 December 2002 16:11
> To: sl6xx@luxent.com.tw; shorewall-users@shorewall.net
> Subject: Re: [Shorewall-users] ipsec: subnet/endpoint to endpoint
>
>
>> --On Friday, December 20, 2002 03:33:24 PM +0800 Fengchou Li
>> <sl6xx@luxent.com.tw> wrote:
>> Hello,
>>
>> I'm trying to build a VPN tunnel very much like the one in the document at
>> http://www.shorewall.net/IPSEC.htm. I followed every step in the document
>> carefully and everything works fine except that from either side I cannot
>> connect to the other endpoint by using its private IP address.
>>
>> Taking the diagram in the above document as an example, I cannot connect
>> from any node in 192.168.1.0/24 to 10.0.0.1 but I can connect to
>> 134.28.54.2. The situation is the same for any node in 10.0.0.0/24 trying
>> to connect to 192.168.1.1.
>>
>> Except for the endpoint, from any node I can reach any node on the other side.
>> There's no message in my log file, so I come here seeking help.
>>
>> Did I miss anything?
>>
>
> No -- that's the way a subnet-subnet tunnel works.
>

Well, I'm trying to do the same, but I can't get anything through the tunnel.

I have followed the instructions in the above mentioned document with little changes to match my test network.

Here is my setup:

Left-side:
  subnet: 192.168.3.0/24
  firewall:
    eth1: 192.168.3.1 (local subnet - loc zone)
    eth0: 192.168.1.12 (internet - net zone)

Right-side:
  subnet: 192.168.2.0/24
  firewall:
    eth1: 192.168.2.1 (local subnet - loc zone)
    eth0: 192.168.1.11 (internet - net zone)

Note: the norfc1918 option is removed from the eth0 entry in both interface definitions.
Note2: there is also a router with a real internet connection at 192.168.1.1

Both firewalls are working ok, local subnets can access the net zone, etc.

I have followed every step in the document carefully (except for the IPs).
The IPsec handshaking is ok, they both reach states 'ISAKMP SA established' & 'IPsec SA established' (and I can see isakmp exchanges when sniffing the traffic on the net zone).
Unfortunately, I can't get any traffic through the VPN: a 'ping 192.168.2.50' from the left doesn't work (I can't even see any traffic between the two firewalls on the net zone!).

Here is the output of 'ip route' on the LEFT system (same on the right):

192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.1
192.168.2.0/24 via 192.168.1.11 dev ipsec0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.12
192.168.1.0/24 dev ipsec0 proto kernel scope link src 192.168.1.12
default via 192.168.1.1 dev eth0

(line 4 looks a bit strange to me)

Here is a sample of my ipsec.conf:

conn sample
  # Left security gateway, subnet behind it, next hop toward right.
  left=192.168.1.12
  leftsubnet=192.168.3.0/24
  leftnexthop=192.168.1.1
  # Right security gateway, subnet behind it, next hop toward left.
  right=192.168.1.11
  rightsubnet=192.168.2.0/24
  rightnexthop=192.168.1.1

(I'm not sure about the next hops in my situation)

It's three days now I'm reading all docs and FAQ, but can't find the solution...
Would be very nice if someone could give me some advice.

Thanks.
-bertrand
--On Friday, December 20, 2002 10:54:55 PM +0100 Bertrand Renuart <bertrand.renuart@itma.lu> wrote:

> I have followed the instructions in the above mentioned document with
> little changes to match my test network.
>
> Here is my setup:
>
> Left-side:
>   subnet: 192.168.3.0/24
>   firewall:
>     eth1: 192.168.3.1 (local subnet - loc zone)
>     eth0: 192.168.1.12 (internet - net zone)
>
> Right-side:
>   subnet: 192.168.2.0/24
>   firewall:
>     eth1: 192.168.2.1 (local subnet - loc zone)
>     eth0: 192.168.1.11 (internet - net zone)
>
> Note: the norfc1918 option is removed from the eth0 entry in both
> interface definitions.
> Note2: there is also a router with a real internet connection at
> 192.168.1.1
>
> Both firewalls are working ok, local subnets can access the net zone,
> etc.
>
>
> I have followed every step in the document carefully (except for the
> IPs).
> The IPsec handshaking is ok, they both reach states 'ISAKMP SA
> established' & 'IPsec SA established' (and I can see isakmp exchanges
> when sniffing the traffic on the net zone).
> Unfortunately, I can't get any traffic through the VPN: a 'ping
> 192.168.2.50' from the left doesn't work (I can't even see any traffic
> between the two firewalls on the net zone!).
>
>
> Here is the output of 'ip route' on the LEFT system (same on the right):
>
> 192.168.3.0/24 dev eth1 proto kernel scope link src 192.168.3.1
> 192.168.2.0/24 via 192.168.1.11 dev ipsec0
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.12
> 192.168.1.0/24 dev ipsec0 proto kernel scope link src 192.168.1.12
> default via 192.168.1.1 dev eth0

Do the systems in the 192.168.2.0/24 and 192.168.3.0/24 have their default routes set up properly (e.g., to 192.168.2.1 and 192.168.3.1 respectively)?

>
> (line 4 looks a bit strange to me)

It's ok since it's masked by the route in front of it.

>
>
> Here is a sample of my ipsec.conf:
>
> conn sample
>   # Left security gateway, subnet behind it, next hop toward right.
>   left=192.168.1.12
>   leftsubnet=192.168.3.0/24
>   leftnexthop=192.168.1.1
>   # Right security gateway, subnet behind it, next hop toward left.
>   right=192.168.1.11
>   rightsubnet=192.168.2.0/24
>   rightnexthop=192.168.1.1
>
> (I'm not sure about the next hops in my situation)
>

I would set leftnexthop to 192.168.1.11 and rightnexthop to 192.168.1.12.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
--On Friday, December 20, 2002 02:04:03 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

>
>
> --On Friday, December 20, 2002 10:54:55 PM +0100 Bertrand Renuart
> <bertrand.renuart@itma.lu> wrote:
>>
>> Both firewalls are working ok, local subnets can access the net zone,
>> etc.
>>

Missed that the first time -- most likely indicates that the routing in the local subnets is correct.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Bertrand Renuart
2002-Dec-20 22:35 UTC
[Shorewall-users] ipsec: subnet/endpoint to endpoint
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
>
> --On Friday, December 20, 2002 02:04:03 PM -0800 Tom Eastep
> <teastep@shorewall.net> wrote:
>
> > --On Friday, December 20, 2002 10:54:55 PM +0100 Bertrand Renuart
> > <bertrand.renuart@itma.lu> wrote:
> >>
> >> Both firewalls are working ok, local subnets can access the net zone,
> >> etc.
> >>
>
> Missed that the first time -- most likely indicates that the
> routing in the
> local subnets is correct.
>
> -Tom

Well, I got it... You won't believe me (or maybe you will ;-)

I was pinging 192.168.3.50 from 192.168.2.50, but 2.50 wasn't powered-on...
I knew it, but I was expecting some traffic on the net-zone, through the VPN, and of course no answers to my pings.
As I couldn't see any traffic, I thought the VPN wasn't working properly.

If I start the target machine (3.50), then suddenly I see packets flowing in the net zone, and I have the answers...

Can you understand this?

-bertrand
--On Friday, December 20, 2002 11:35:44 PM +0100 Bertrand Renuart <bertrand.renuart@itma.lu> wrote:

>
> Well, I got it... You won't believe me (or maybe you will ;-)
>
> I was pinging 192.168.3.50 from 192.168.2.50, but 2.50 wasn't
> powered-on...

I assume 3.50 wasn't powered on; I would assume that you would have noticed if 2.50 didn't have power :-)

> I knew it, but I was expecting some traffic on the net-zone, through the
> VPN, and of course no answers to my pings.
> As I couldn't see any traffic, I thought the VPN wasn't working properly.
>
> If I start the target machine (3.50), then suddenly I see packets
> flowing in the net zone, and I have the answers...
>
> Can you understand this?

How were you looking for packet traffic?

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Bertrand Renuart
2002-Dec-21 00:07 UTC
[Shorewall-users] ipsec: subnet/endpoint to endpoint
> -----Original Message-----
> From: Tom Eastep [mailto:teastep@shorewall.net]
>
> > I knew it, but I was expecting some traffic on the net-zone, through the
> > VPN, and of course no answers to my pings.
> > As I couldn't see any traffic, I thought the VPN wasn't working properly.
> >
> > If I start the target machine (3.50), then suddenly I see packets
> > flowing in the net zone, and I have the answers...
> >
> > Can you understand this?
>
> How were you looking for packet traffic?
>

With TCPDUMP on the 192.168.1.0/24 network (net zone).

To tell you the truth... I'm even more confused than before.
I got it working in both directions after having switched on all machines.
Then I have saved the configuration of both firewalls (leaf) and restarted them.

After they have rebooted, the handshaking is still ok, but:
- a left host (not the fw) cannot ping a right host (not the right fw) anymore;
- idem in the other direction
BUT
- left host can ping the internal interface of right fw
- right host can ping the internal interface of left fw

That's the only thing that still works ;?!??

(just wondering if I shouldn't go to sleep for a while)

-bertrand
--On Saturday, December 21, 2002 01:07:29 AM +0100 Bertrand Renuart <bertrand.renuart@itma.lu> wrote:

>
> With TCPDUMP on the 192.168.1.0/24 network (net zone).

tcpdump can have strange effects on IPSEC tunnels -- it can actually stop them from working!

>
> To tell you the truth... I'm even more confused than before.
> I got it working in both directions after having switched on all machines.
> Then I have saved the configuration of both firewalls (leaf) and restarted
> them.
>
> After they have rebooted, the handshaking is still ok, but:
> - a left host (not the fw) cannot ping a right host (not the right fw)
> anymore;
> - idem in the other direction
> BUT
> - left host can ping the internal interface of right fw
> - right host can ping the internal interface of left fw
>
> That's the only thing that still works ;?!??
>
> (just wondering if I shouldn't go to sleep for a while)

By my watch, it is after 1 AM in Luxembourg so that might be a wise thing to do :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
--On Saturday, December 21, 2002 01:07:29 AM +0100 Bertrand Renuart <bertrand.renuart@itma.lu> wrote:

>
> After they have rebooted, the handshaking is still ok, but:
> - a left host (not the fw) cannot ping a right host (not the right fw)
> anymore;
> - idem in the other direction
> BUT
> - left host can ping the internal interface of right fw
> - right host can ping the internal interface of left fw
>
> That's the only thing that still works ;?!??
>

That sounds like you have your tunnels configured as host->subnet rather than subnet->subnet.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
Bertrand Renuart
2002-Dec-21 00:22 UTC
[Shorewall-users] ipsec: subnet/endpoint to endpoint
>
> --On Saturday, December 21, 2002 01:07:29 AM +0100 Bertrand Renuart
> <bertrand.renuart@itma.lu> wrote:
>
> >
> > After they have rebooted, the handshaking is still ok, but:
> > - a left host (not the fw) cannot ping a right host (not
> the right fw)
> > anymore;
> > - idem in the other direction
> > BUT
> > - left host can ping the internal interface of right fw
> > - right host can ping the internal interface of left fw
> >
> > That's the only thing that still works ;?!??
> >
>
> That sounds like you have your tunnels configured as
> host->subnet rather
> than subnet->subnet.
>

Well, my IPSEC config is exactly (as far as I can see) the one described at http://jixen.tripod.com/#Subnet-to-Subnet
While my shorewall config is the one you described in your section 'IPSec Gateway on the Firewall System'...
Bertrand Renuart
2002-Dec-21 00:24 UTC
[Shorewall-users] ipsec: subnet/endpoint to endpoint
>
> --On Saturday, December 21, 2002 01:07:29 AM +0100 Bertrand Renuart
> <bertrand.renuart@itma.lu> wrote:
>
> >
> > After they have rebooted, the handshaking is still ok, but:
> > - a left host (not the fw) cannot ping a right host (not
> the right fw)
> > anymore;
> > - idem in the other direction
> > BUT
> > - left host can ping the internal interface of right fw
> > - right host can ping the internal interface of left fw
> >
> > That's the only thing that still works ;?!??
> >
>
> That sounds like you have your tunnels configured as
> host->subnet rather
> than subnet->subnet.
>

BTW, I don't have any trace of packets dropped/rejected in the firewall logs...
--On Saturday, December 21, 2002 01:22:43 AM +0100 Bertrand Renuart <bertrand.renuart@itma.lu> wrote:

>>
>
> Well, my IPSEC config is exactly (as far as I can see) the one described
> at http://jixen.tripod.com/#Subnet-to-Subnet
> While my shorewall config is the one you described in your section
> 'IPSec Gateway on the Firewall System'...
>

I can only repeat what I told the other poster earlier -- it has been my experience that with properly configured subnet->subnet tunnels, it is not possible to ping the remote firewall's internal interface. I don't have an IPSEC tunnel to test with any more so I'm going from memory. I'll dispatch my ipsec.conf file to you by private post so you can see what I did.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
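Two points in this thread lend themselves to a worked illustration: Tom's remark that the duplicate 192.168.1.0/24 route on ipsec0 is "masked by the route in front of it", and his repeated point that a subnet-to-subnet tunnel only carries traffic whose addresses fall inside the two configured subnets, so the gateway's own traffic is not covered. The following Python script is an added example, not code from the thread or from Shorewall or FreeS/WAN. It models the left firewall's posted routing table as a longest-prefix lookup and the posted ipsec.conf `leftsubnet`/`rightsubnet` pair as a traffic selector. The one assumption it makes (labelled in the code) is that traffic the gateway originates toward the remote side is sourced from 192.168.1.12, the `src` the posted ipsec0 route carries.

```python
import ipaddress

# Routing table of the LEFT firewall, transcribed from the thread's 'ip route'
# output: (prefix, gateway or None, device), in the order the kernel lists them.
ROUTES = [
    ("192.168.3.0/24", None, "eth1"),
    ("192.168.2.0/24", "192.168.1.11", "ipsec0"),
    ("192.168.1.0/24", None, "eth0"),
    ("192.168.1.0/24", None, "ipsec0"),   # "line 4": same prefix as the entry above
    ("0.0.0.0/0", "192.168.1.1", "eth0"),
]

# Subnet-to-subnet selector from the thread's ipsec.conf: (leftsubnet, rightsubnet).
POLICIES = [
    ("192.168.3.0/24", "192.168.2.0/24"),
]

# Assumption (not stated in the thread): locally generated packets toward the
# tunnel are sourced from the address the ipsec0 route lists as 'src'.
GATEWAY_TUNNEL_SRC = "192.168.1.12"


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match over the table.

    On equal prefix length the entry listed first is kept (the comparison is a
    strict '>'), which is why the second 192.168.1.0/24 entry on ipsec0 never
    wins against the eth0 entry in front of it.
    Returns (device, gateway) or (None, None) when nothing matches.
    """
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        return None, None
    return best[2], best[1]


def tunnel_selects(src, dst, policies=POLICIES):
    """True when the (src, dst) pair is inside a subnet<->subnet selector,
    in either direction. Anything else is not protected by that SA."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for left, right in policies:
        ln, rn = ipaddress.ip_network(left), ipaddress.ip_network(right)
        if (s in ln and d in rn) or (s in rn and d in ln):
            return True
    return False


def classify(src, dst):
    """Combine the two lookups the way the gateway would see a packet:
    first the route decides the egress device, then (only on ipsec0) the
    selector decides whether an SA actually covers the packet."""
    dev, _gw = route_lookup(dst)
    if dev != "ipsec0":
        return "clear via " + str(dev)
    if tunnel_selects(src, dst):
        return "tunnelled"
    return "no matching SA selector"


if __name__ == "__main__":
    cases = [
        ("192.168.3.50", "192.168.2.50"),   # host behind left -> host behind right
        ("192.168.3.50", "192.168.1.11"),   # host behind left -> right fw public address
        (GATEWAY_TUNNEL_SRC, "192.168.2.1"),  # left fw itself -> right fw internal interface
    ]
    for src, dst in cases:
        print(f"{src:>14} -> {dst:<14} {classify(src, dst)}")
```

Running it shows the three outcomes the thread circles around: a host-to-host packet is routed to ipsec0 and matches the selector; a packet to the remote firewall's public address never touches ipsec0 at all, because the eth0 entry for 192.168.1.0/24 shadows the ipsec0 one; and a packet the gateway sends from its own public address is routed to ipsec0 but matches no selector, which is the subnet-to-subnet behaviour Tom describes for the endpoints themselves. As a diagnostic habit, comparing the route chosen for a destination against the selectors of the established SAs is a quicker first check than sniffing the net zone, which Tom notes can itself disturb the tunnel.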