William Suetholz
2002-Feb-28 21:31 UTC
[Shorewall-users] Problem with FreeSwan and Shorewall on a LEAF(Oxygen) based router.
Hello,

I seem to have the Freeswan IPSEC tunnel working between my two sites, but I am still having a problem that looks to be because of something I have configured wrong in my shorewall setup.

I have a LEAF Oxygen < 1.9 heavily modified firewall setup, using FreeSwan 1.91 and Kernel 2.4.8, modified to use IPTables and standard Debian network/interfaces. I am also using Shorewall 1.1.11. I tried upgrading to a newer version of Shorewall, and things broke completely... The shell scripts do some things that BB ash doesn't like too much.

On the other end, I have an identical setup, with the shorewall rules simplified, since they don't have the DMZ and some of our other zones. They do however do IP Masq, where we actually have a Class C assigned to us (What can I say, I got it before they locked down :-). I believe that the masking is where my problem is..

The tunnel looks good when running the ipsec look command on both sides. When I ping/telnet to an "unrouted" IP for a machine on the other end, I see the ifconfig -ni RX-OK go up on the ipsec0 interface, and the TX-DROP also go up.. I've looked for what causes this; all I can come up with is that the Masking is happening before it sends the traffic out the ipsec0 interface back to our location.. I see the same thing happen on our side if I try to ping from our router to their address (the TX-DROP increments).

I tried the suggestions on the http://www.shorewall.net/IPSEC.htm page, but that didn't work.

Thanks for any help, sorry if the cross posts offend anybody..

Bill Suetholz
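The mechanism Bill suspects (masquerading applied in nat/POSTROUTING before the packet reaches ipsec0) can be modelled without a kernel. The block below is an added example, not code from this thread, from Shorewall or from FreeS/WAN: it simulates first-match-wins POSTROUTING rules and a KLIPS eroute whose selector is the pair (local subnet -> remote subnet). A packet whose source was rewritten to the gateway's public address no longer falls inside that selector, so ipsec0 has no eroute for it and drops it, which is what shows up as TX-DROP on ipsec0. All addresses, interface names and rule sets are assumptions chosen for the illustration.

```python
"""
Constructed model of NAT vs. FreeS/WAN (KLIPS) eroute selection.

Not code from the thread, Shorewall or FreeS/WAN.  Subnets, gateway
address, interface names and rule sets are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

LOCAL_NET = "192.168.1.0/24"    # assumed LAN behind the local gateway
REMOTE_NET = "192.168.2.0/24"   # assumed LAN behind the remote gateway
PUBLIC_IP = "203.0.113.10"      # assumed local gateway address (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_if: str


@dataclass(frozen=True)
class NatRule:
    """One nat/POSTROUTING rule; a None field means 'match anything'."""
    target: str                     # "MASQUERADE" or "ACCEPT"
    out_if: Optional[str] = None    # iptables -o <iface>
    not_dst: Optional[str] = None   # iptables ! -d <net>


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def postrouting(pkt: Packet, rules: List[NatRule], public_ip: str = PUBLIC_IP) -> Packet:
    """Walk the chain in order; the first matching rule decides, as in iptables."""
    for r in rules:
        if r.out_if is not None and r.out_if != pkt.out_if:
            continue
        if r.not_dst is not None and in_net(pkt.dst, r.not_dst):
            continue
        if r.target == "ACCEPT":
            return pkt
        if r.target == "MASQUERADE":
            return replace(pkt, src=public_ip)
    return pkt


def route(src: str, dst: str) -> Packet:
    """Routing decision: the remote LAN is reached via ipsec0, all else via eth0."""
    return Packet(src, dst, "ipsec0" if in_net(dst, REMOTE_NET) else "eth0")


def ipsec0_xmit(pkt: Packet, eroutes: Tuple[Tuple[str, str], ...]) -> str:
    """KLIPS looks the (src, dst) pair up in its eroute table; no match -> dropped."""
    for src_net, dst_net in eroutes:
        if in_net(pkt.src, src_net) and in_net(pkt.dst, dst_net):
            return "SENT"
    return "TX-DROP"


def send(src: str, dst: str, rules: List[NatRule],
         eroutes: Tuple[Tuple[str, str], ...] = ((LOCAL_NET, REMOTE_NET),)) -> Tuple[str, str]:
    """Route, apply POSTROUTING, then hand to ipsec0 or eth0.  Returns (fate, final src)."""
    pkt = postrouting(route(src, dst), rules)
    if pkt.out_if == "ipsec0":
        return ipsec0_xmit(pkt, eroutes), pkt.src
    return "SENT", pkt.src          # eth0: plain egress, nothing to check here


# Assumed rule sets (raw iptables semantics, not Shorewall config lines):
MASQ_EVERYTHING = [NatRule("MASQUERADE")]                         # -j MASQUERADE
MASQ_ETH0_ONLY = [NatRule("MASQUERADE", out_if="eth0")]           # -o eth0 -j MASQUERADE
TUNNEL_FIRST = [NatRule("ACCEPT", out_if="ipsec0"),               # -o ipsec0 -j ACCEPT
                NatRule("MASQUERADE")]                            # then -j MASQUERADE
MASQ_EXCEPT_REMOTE = [NatRule("MASQUERADE", not_dst=REMOTE_NET)]  # ! -d REMOTE_NET -j MASQUERADE

if __name__ == "__main__":
    for name, rules in [("masq everything", MASQ_EVERYTHING),
                        ("masq eth0 only", MASQ_ETH0_ONLY),
                        ("accept ipsec0 first", TUNNEL_FIRST),
                        ("masq except remote net", MASQ_EXCEPT_REMOTE)]:
        print(f"{name:24s} LAN->remote: {send('192.168.1.5', '192.168.2.7', rules)}")
    print(f"{'masq eth0 only':24s} gw->remote:  {send(PUBLIC_IP, '192.168.2.7', MASQ_ETH0_ONLY)}")
```

Only the first rule set loses packets on ipsec0; restricting MASQUERADE to eth0, accepting ipsec0 traffic before the masquerade rule, or excluding the remote subnet as a destination all leave the inner source address intact so the eroute matches. The last line of the demo reproduces the other symptom Bill reports, a ping from the router itself: that packet is sourced from the gateway address, which lies outside the local-subnet selector, so it is dropped on ipsec0 regardless of how NAT is configured; covering gateway-originated traffic needs its own eroute (a separate connection without the local subnet), not a NAT change.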
Tom Eastep
2002-Feb-28 21:41 UTC
[Shorewall-users] Problem with FreeSwan and Shorewall on a LEAF(Oxygen) based router.
Bill,

> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of William Suetholz
> Sent: Thursday, February 28, 2002 1:32 PM
> To: shorewall-users@shorewall.net
> Cc: wsuetholz@centonline.com; users@lists.freeswan.org; leaf-user@lists.sourceforge.net
> Subject: [Shorewall-users] Problem with FreeSwan and Shorewall on a LEAF(Oxygen) based router.
>
> I am also using Shorewall 1.1.11.
> I tried upgrading to a newer version of Shorewall, and things broke
> completely... The shell scripts do some things that BB ash doesn't
> like too much.

If you don't report this type of problem, I can't fix it...

> On the other end, I have an identical setup, with the shorewall rules
> simplified, since they don't have the DMZ, and some of our other zones.
> They do however do IP Masq, where we actually have a Class C assigned
> to us (What can I say, I got it before they locked down :-)
> I believe that the masking is where my problem is..

Without some idea of what your Shorewall configuration looks like, I have no clue what to advise...

> The tunnel looks good when running the ipsec look command on both
> sides. When I ping/telnet to a "unrouted" IP for a machine on the other
> end, I see the ifconfig -ni RX-OK go up on the ipsec0 interface, and the
> TX-DROP also go up.. I've looked for what causes this, all I can come
> up with, is that the Masking is happening before it sends the traffic out
> the ipsec0 interface back to our location.. I see the same thing happen
> on our side if I try to ping from our router to their address (the TX-DROP
> increments.
>
> I tried the suggestions on the http://www.shorewall.net/IPSEC.htm page,
> but that didn't work.

Did you look at http://www.shorewall.net/myfiles.htm#old? That configuration includes a running IPSEC environment.

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep
2002-Feb-28 21:49 UTC
[Shorewall-users] Problem with FreeSwan and Shorewall on a LEAF(Oxygen) based router.
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Tom Eastep
> Sent: Thursday, February 28, 2002 1:41 PM
> To: 'William Suetholz'; shorewall-users@shorewall.net
> Cc: users@lists.freeswan.org; leaf-user@lists.sourceforge.net
> Subject: RE: [Shorewall-users] Problem with FreeSwan and Shorewall on a LEAF(Oxygen) based router.
>
> Bill,
>
> > -----Original Message-----
> > From: shorewall-users-admin@shorewall.net
> > [mailto:shorewall-users-admin@shorewall.net] On Behalf Of William Suetholz
> > Sent: Thursday, February 28, 2002 1:32 PM
> > To: shorewall-users@shorewall.net
> > Cc: wsuetholz@centonline.com; users@lists.freeswan.org; leaf-user@lists.sourceforge.net
> > Subject: [Shorewall-users] Problem with FreeSwan and Shorewall on a LEAF(Oxygen) based router.
> >
> > I am also using Shorewall 1.1.11.
> > I tried upgrading to a newer version of Shorewall, and things broke
> > completely... The shell scripts do some things that BB ash doesn't
> > like too much.
>
> If you don't report this type of problem, I can't fix it...

There is also a corrected version of ash for LEAF available on my web site.

-Tom
--
Tom Eastep      \ Shorewall -- iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net