Les Hazelton
2002-Jan-09 20:39 UTC
[Shorewall-users] IpSec problem from local box to company server
I have a problem with my IpSec tunnels. They work for a few minutes and then die. My firewall is running shorewall 1.2.2. The connection to the net is via ppp0 dial. The local network interface is eth0 which connects to a LinkSys 10/100 switch. Most of the systems in the house are for personal use and don't use IpSec. They all work just fine.

The work system is a Thinkpad running Win98-SE and a Nortel Extranet IpSec client. This all worked without a problem while I was using an older Linux kernel and Seawall for the firewall. When I switched to a 2.4.17 kernel and shorewall the IpSec problem started.

The message log shows an incoming udp packet rejected at about the same time as the tunnel failure. See below:

Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
.... and many more ...

I have not placed any entries in the /etc/shorewall/tunnels file because it looked to me like that was to define tunnels with endpoints on the firewall system. All my tunnels should be masked from local through the firewall to a company server somewhere in the ether.

I would greatly appreciate any pointers - i.e., what am I doing wrong???

Les Hazelton
Tom Eastep
2002-Jan-09 20:46 UTC
[Shorewall-users] IpSec problem from local box to company server
Les,

On Wednesday 09 January 2002 12:39 pm, Les Hazelton wrote:
> I have a problem with my IpSec tunnels. They work for a few minutes and
> then die. My firewall is running shorewall 1.2.2. The connection to the
> net is via ppp0 dial. The local network interface is eth0 which connects to
> a LinkSys 10/100 switch. Most of the systems in the house are for personal
> use and don't use IpSec. They all work just fine.
>
> The work system is a Thinkpad running Win98-SE and a Nortel Extranet IpSec
> client. This all worked without a problem while I was using an older Linux
> kernel and Seawall for the firewall. When I switched to a 2.4.17 kernel
> and shorewall the IpSec problem started.
>
> The message log shows an incoming udp packet rejected at about the same
> time as the tunnel failure. See below:
>
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43
> DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP
> SPT=500 DPT=500 LEN=84
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC=
> SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55
> ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
> .... and many more ...
>
> I have not placed any entries in the /etc/shorewall/tunnels file because it
> looked to me like that was to define tunnels with endpoints on the firewall
> system. All my tunnels should be masked from local through the firewall to
> a company server somewhere in the ether.
>
> I would greatly appreciate any pointers - i.e., what am I doing wrong???

I would try adding a couple of rules:

ACCEPT    net 192.128.133.43    loc:<thinkpad ip>    50     -    -    all
ACCEPT    net 192.128.133.43    loc:<thinkpad ip>    udp    500  0    all

See if that helps.

-Tom
-- 
Tom Eastep      \ A Firewall for Linux 2.4.*
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------
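The two log lines Les quoted are the detection signal in this thread: the peer's IKE traffic (UDP/500) is being dropped by the net2all policy, and Tom's two rules open exactly the two pieces a tunnel needs, IKE negotiation on UDP/500 and ESP (IP protocol 50, which carries no ports, hence the "50 - -" columns). The script below is an added example, not code from the thread or from the Shorewall project: it runs that classification over Shorewall DROP log lines (the two from the post, plus a constructed ESP drop and a constructed unrelated TCP drop) and prints candidate rules in the Shorewall 1.2 column order (ACTION, SOURCE, DEST, PROTO, DEST PORT, SOURCE PORT, ORIGINAL DEST), scoped to the single peer address actually seen, for an admin to review before adding. It goes beyond the thread by also recognising AH (protocol 51) and NAT-T (UDP/4500) drops. The local host 192.168.0.5 is taken from Les's follow-up; the source-port value 500 on the IKE rule and the "PROTO=ESP" spelling on the constructed ESP line are assumptions.

```shell
#!/bin/sh
# Classify Shorewall DROP log lines by IPsec component and propose rules.
# Added example; not code from the mailing-list thread or from Shorewall.

# Constructed sample: the two drops from the post, one hypothetical ESP drop
# (PROTO=ESP spelling assumed) and one unrelated TCP drop for contrast.
SAMPLE_LOG='Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=120 TOS=0x00 PREC=0x00 TTL=55 ID=25251 PROTO=ESP SPI=0x1a2b3c4d
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=10.9.8.7 DST=32.226.176.107 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=23'

# classify_ipsec_drops LOGTEXT
# Prints "<component> <src>" for every DROP line that is part of IPsec:
# IKE (udp/500), NAT-T (udp/4500), ESP (proto 50) or AH (proto 51).
# Non-IPsec drops produce no output.
classify_ipsec_drops() {
    printf '%s\n' "$1" | awk '
    /Shorewall:.*:DROP:/ {
        src = ""; proto = ""; dpt = ""
        # Each field is KEY=VALUE; the first field carries the prefix too.
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
        }
        if      (proto == "UDP" && dpt == "500")  print "IKE", src
        else if (proto == "UDP" && dpt == "4500") print "NAT-T", src
        else if (proto == "50"  || proto == "ESP") print "ESP", src
        else if (proto == "51"  || proto == "AH")  print "AH", src
    }'
}

# suggest_rules LOGTEXT LOCAL_HOST
# One candidate rule per distinct (component, peer) pair, in Shorewall 1.2
# column order: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST.
# ESP and AH have no ports, so those columns are "-" as in the thread.
suggest_rules() {
    loc_host="$2"
    classify_ipsec_drops "$1" | sort -u | while read -r comp src; do
        case "$comp" in
            IKE)   echo "ACCEPT net:$src loc:$loc_host udp 500 500 all" ;;
            NAT-T) echo "ACCEPT net:$src loc:$loc_host udp 4500 4500 all" ;;
            ESP)   echo "ACCEPT net:$src loc:$loc_host 50 - - all" ;;
            AH)    echo "ACCEPT net:$src loc:$loc_host 51 - - all" ;;
        esac
    done
}

# Usage: classify the constructed sample and print the candidate rules
# for the Thinkpad at 192.168.0.5 (address from Les's follow-up).
suggest_rules "$SAMPLE_LOG" 192.168.0.5
```

Restricting SOURCE to the one peer address seen in the log is the point of the rule shape Tom gave: the firewall opens IKE and ESP only from that gateway to that one local host, rather than from the whole Internet, and the script prints the rules for review instead of editing /etc/shorewall/rules itself.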
Les Hazelton
2002-Jan-09 21:21 UTC
[Shorewall-users] IpSec problem from local box to company server
WOW! Talk about fast response. Thanks Tom. I am testing it now. I should know in a few minutes.

I scanned more of my logs and found several addresses in the 192.128. net in the reject messages. I am sure it is a server farm. I entered the rules as;

ACCEPT net:192.128.0.0/16 loc:192.168.0.5 ....

Thanks for the help - greatly appreciated.

Les Hazelton

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Les Hazelton" <seawolf@attglobal.net>; <shorewall-users@shorewall.net>
Sent: Wednesday, January 09, 2002 3:46 PM
Subject: Re: [Shorewall-users] IpSec problem from local box to company server

_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users