Alois Schneider
2002-Apr-04 21:37 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
I am relatively new to shorewall and trying to set up a VPN to give a road warrior access to my lan. The lan (192.168.1.0/24) and a DMZ (192.168.10.0/24) are connected through a linux-box running shorewall to the internet. I used a shorewall setup similar to the author's old setup. Here are my configs:

interfaces:
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        x.x.x.x          norfc1918
loc     tr0         192.168.1.255    routestopped
dmz     eth1        192.168.10.255   routestopped
loc     ipsec0

zones:
net     Net       Internet
loc     Local     Local Networks
dmz     DMZ       Demilitarized zone

masq:
#INTERFACE   SUBNET            ADDRESS
eth0         192.168.1.0/24
eth0         192.168.10.0/24

policy:
#CLIENT   SERVER   POLICY   LOG LEVEL
loc       loc      ACCEPT
loc       net      ACCEPT
fw        loc      ACCEPT
net       all      DROP     info
all       all      REJECT   info

tunnels:
ipsec   net   0.0.0.0/0

There are no special rules set. The tunnel is up and running fine, I can ping 192.168.1.10 from the XP box. When I try to do a "net view \\192.168.1.10" there, I get a system error 53, network path not found. I don't see any "Shorewall" messages in the logs. Do you have any idea what's going wrong here?

Regards
Alois
Alois Schneider
2002-Apr-05 20:49 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
--On Thursday, 4 April 2002 23:37 +0200 Alois Schneider <alois@sillian.com> wrote:

> The tunnel is up and running fine, I can ping to 192.168.1.10 from the
> XP box. When I try to do a "net view \\192.168.1.10" there, I get a
> system error 53, network path not found. I don't see any "Shorewall"
> messages in the logs.
>

I finally found the error: WinXP has the following default setup in DUN:

Client for MS networks -> disabled
and
NetBios over TCP/IP -> deactivated

After correcting these settings it works. But now there is another problem: after some time of inactivity, the tunnel stops working. If I restart ipsec, the tunnel works again.

On the mailing list Tom Eastep wrote the following on Feb. 16:

> You need UDP port 500 and protocols 51 and 51 open to this user's
> system. After a period of inactivity, either end of a VPN tunnel can
> suddenly become active; if iptables connection tracking has timed out
> the connection and the remote end is the first to speak, you will see
> problems like you describe.

Where do I have to open UDP port 500 and protocols 51?

Thank you for your help
Alois
Tom Eastep
2002-Apr-05 20:55 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
On Fri, 5 Apr 2002, Alois Schneider wrote:

> > You need UDP port 500 and protocols 51 and 51 open to this user's
> > system. After a period of inactivity, either end of a VPN tunnel can
> > suddenly become active; if iptables connection tracking has timed out
> > the connection and the remote end is the first to speak, you will see
> > problems like you describe.
>
> Where do I have to open UDP port 500 and protocols 51?
>

In the rules file.

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
AIM: tmeastep     \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
Alois Schneider
2002-Apr-05 21:25 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
--On Friday, 5 April 2002 12:55 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 5 Apr 2002, Alois Schneider wrote:
>
>> > You need UDP port 500 and protocols 51 and 51 open to this user's
>> > system. After a period of inactivity, either end of a VPN tunnel can
>> > suddenly become active; if iptables connection tracking has timed out
>> > the connection and the remote end is the first to speak, you will see
>> > problems like you describe.
>>
>> Where do I have to open UDP port 500 and protocols 51?
>>
>
> In the rules file.
>

I have the following configuration:

interfaces:
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        x.x.x.x          norfc1918
loc     tr0         192.168.1.255    routestopped
dmz     eth1        192.168.10.255   routestopped
loc     ipsec0

zones:
net     Net       Internet
loc     Local     Local Networks
dmz     DMZ       Demilitarized zone

Are these rules correct?

ACCEPT   loc   net   udp   500
ACCEPT   loc   net   51

Or do I need the rules the other way round?

Thank you for your help,
Alois
Tom Eastep
2002-Apr-05 21:56 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
On Fri, 5 Apr 2002, Alois Schneider wrote:

>
> --On Friday, 5 April 2002 12:55 -0800 Tom Eastep <teastep@shorewall.net>
> wrote:
>
> > On Fri, 5 Apr 2002, Alois Schneider wrote:
> >
> >> > You need UDP port 500 and protocols 51 and 51 open to this user's
> >> > system. After a period of inactivity, either end of a VPN tunnel can
> >> > suddenly become active; if iptables connection tracking has timed out
> >> > the connection and the remote end is the first to speak, you will see
> >> > problems like you describe.
> >>
> >> Where do I have to open UDP port 500 and protocols 51?
> >>
> >
> > In the rules file.
> >
>
> I have the following configuration:
>
> interfaces:
> #ZONE   INTERFACE   BROADCAST        OPTIONS
> net     eth0        x.x.x.x          norfc1918
> loc     tr0         192.168.1.255    routestopped
> dmz     eth1        192.168.10.255   routestopped
> loc     ipsec0
>
> zones:
> net     Net       Internet
> loc     Local     Local Networks
> dmz     DMZ       Demilitarized zone
>
> Are these rules correct?
> ACCEPT   loc   net   udp   500
> ACCEPT   loc   net   51
>
> Or do I need the rules the other way round?
>

Assuming that your loc->net policy is ACCEPT, you need the rules the other way around.

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
AIM: tmeastep     \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
Alois Schneider
2002-Apr-06 09:21 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
--On Friday, 5 April 2002 13:56 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 5 Apr 2002, Alois Schneider wrote:
>
>>
>>
>> --On Friday, 5 April 2002 12:55 -0800 Tom Eastep
>> <teastep@shorewall.net> wrote:
>>
>> > On Fri, 5 Apr 2002, Alois Schneider wrote:
>> >
>> >> > You need UDP port 500 and protocols 51 and 51 open to this user's
>> >> > system. After a period of inactivity, either end of a VPN tunnel can
>> >> > suddenly become active; if iptables connection tracking has timed
>> >> > out the connection and the remote end is the first to speak, you
>> >> > will see problems like you describe.
>> >>
>> >> Where do I have to open UDP port 500 and protocols 51?
>> >>
>> >
>> > In the rules file.
>> >
>>
>> I have the following configuration:
>>
>> interfaces:
>> #ZONE   INTERFACE   BROADCAST        OPTIONS
>> net     eth0        x.x.x.x          norfc1918
>> loc     tr0         192.168.1.255    routestopped
>> dmz     eth1        192.168.10.255   routestopped
>> loc     ipsec0
>>
>> zones:
>> net     Net       Internet
>> loc     Local     Local Networks
>> dmz     DMZ       Demilitarized zone
>>
>> Are these rules correct?
>> ACCEPT   loc   net   udp   500
>> ACCEPT   loc   net   51
>>
>> Or do I need the rules the other way round?
>>
>
> Assuming that your loc->net policy is ACCEPT, you need the rules the other
> way around.
>

Ok, I added the rules *) but the problem still exists. After some time of inactivity I cannot ping across the tunnel and get the following errors:

*) ACCEPT   net   loc   udp   500
   ACCEPT   net   loc   51
   and
   loc   net   ACCEPT   in policy

Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=x.x.x.x DST=y.y.y.y LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308
Pluto[15685]: "Alois" y.y.y.y #3: responding to Quick Mode
Pluto[15685]: ERROR; "Alois" y.y.y.y #3: sendto y.y.y.y:500 failed in STATE_QUICK_R0. Errno1: Operation not permitted
Pluto[15685]: "Alois" y.y.y.y #3: ERROR: asynchronous network error report on eth0 for message to y.y.y.y port 500, complainant x.x.x.x: Connection refused
Pluto[15685]: "Alois" y.y.y.y #3: discarding duplicate packet; allready STATE_QUICK_R1

Thank you for your help,
Alois
Tom Eastep
2002-Apr-07 23:00 UTC
[Shorewall-users] Need help with IPSEC, net view and shorewall
On Sat, 6 Apr 2002, Alois Schneider wrote:

>
> Ok, I added the rules *) but the problem still exists. After some time of
> inactivity I cannot ping across the tunnel and get the following errors:
>
> *) ACCEPT   net   loc   udp   500
>    ACCEPT   net   loc   51
>    and
>    loc   net   ACCEPT   in policy
>

If you are masquerading (or SNATing) your local network, you're going to have to FORWARD those -- not just pass them.

ACCEPT   net   loc:<ipsec local ip>   udp   500   -   <external ip>
ACCEPT   net   loc:<ipsec local ip>   51    -     -   <external ip>

If you have a dynamic IP, replace <external ip> with 'all'.

-Tom
--
Tom Eastep        \ Shorewall - iptables made easy
AIM: tmeastep     \ http://www.shorewall.net
ICQ: #60745924    \ teastep@shorewall.net
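The point of Tom's 5 April reply ("you need the rules the other way around") is how Shorewall decides the fate of a new connection: the rules file is consulted first, first match wins, and only if nothing matches does the policy file apply, in order, with `all` as a wildcard zone. Under a `loc net ACCEPT` policy, a rule `ACCEPT loc net udp 500` changes nothing, while the inbound IKE and AH packets from the road warrior fall through to `net all DROP`. The evaluator below is an added example that reproduces just that lookup; it is not part of the thread and not Shorewall's own code. It models zone names, protocol and destination port only (address qualifiers such as `loc:<ip>` and the ORIGINAL DEST column from Tom's last reply are deliberately left out), uses the policy table and rule lines posted in the thread, and feeds them constructed packets.

```python
"""Toy evaluator for Shorewall-style zone policies and rules (added example,
not Shorewall code).  Semantics modelled: rules first, first match wins;
otherwise the first matching policy entry, with `all` as a wildcard zone.
Address qualifiers (loc:1.2.3.4) and ORIGINAL DEST are not modelled."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    # Shorewall 1.x rules columns: ACTION SOURCE DEST PROTO [DEST PORT]
    action: str
    source: str
    dest: str
    proto: str                    # "tcp", "udp", "icmp", "all" or an IP protocol number
    dport: Optional[str] = None   # None, "-" or "all" means any destination port


@dataclass
class Policy:
    # Shorewall 1.x policy columns: CLIENT SERVER POLICY [LOG LEVEL]
    source: str
    dest: str
    action: str


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None


def _fields(text: str):
    """Yield the whitespace-separated columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_rules(text: str) -> List[Rule]:
    return [Rule(f[0].upper(), f[1], f[2], f[3].lower(), f[4] if len(f) > 4 else None)
            for f in _fields(text)]


def parse_policy(text: str) -> List[Policy]:
    return [Policy(f[0], f[1], f[2].upper()) for f in _fields(text)]


def _zone_ok(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (_zone_ok(rule.source, pkt.src_zone) and _zone_ok(rule.dest, pkt.dst_zone)):
        return False
    if rule.proto not in ("all", pkt.proto):
        return False
    if rule.dport in (None, "-", "all"):
        return True
    return pkt.dport is not None and int(rule.dport) == pkt.dport


def policy_for(src_zone: str, dst_zone: str, policies: List[Policy]) -> str:
    """First policy entry covering the zone pair (Shorewall requires an all/all entry)."""
    for p in policies:
        if _zone_ok(p.source, src_zone) and _zone_ok(p.dest, dst_zone):
            return p.action
    raise ValueError("no policy covers %s -> %s" % (src_zone, dst_zone))


def evaluate(pkt: Packet, rules: List[Rule], policies: List[Policy]) -> str:
    """Disposition of a new connection: first matching rule, else the policy."""
    for r in rules:
        if _rule_matches(r, pkt):
            return r.action
    return policy_for(pkt.src_zone, pkt.dst_zone, policies)


def redundant_rules(rules: List[Rule], policies: List[Policy]) -> List[Rule]:
    """ACCEPT rules whose zone pair is already ACCEPTed by policy, i.e. rules that do nothing."""
    return [r for r in rules
            if r.action == "ACCEPT" and r.source != "all" and r.dest != "all"
            and policy_for(r.source, r.dest, policies) == "ACCEPT"]


# Policy file as posted in the thread.
POLICY = parse_policy("""
loc   loc   ACCEPT
loc   net   ACCEPT
fw    loc   ACCEPT
net   all   DROP    info
all   all   REJECT  info
""")

# The two rule sets discussed: the first attempt and the "other way around".
WRONG_WAY = parse_rules("ACCEPT loc net udp 500\nACCEPT loc net 51")
RIGHT_WAY = parse_rules("ACCEPT net loc udp 500\nACCEPT net loc 51")

# Constructed packets: the road warrior (net) re-opening IKE and AH after
# connection tracking has forgotten the tunnel, an unrelated SMB probe, and
# the same IKE packet in the outbound direction.
IKE_IN = Packet("net", "loc", "udp", 500)
AH_IN = Packet("net", "loc", "51")
SMB_IN = Packet("net", "loc", "tcp", 445)
IKE_OUT = Packet("loc", "net", "udp", 500)

if __name__ == "__main__":
    for name, rules in (("no rules", []), ("loc->net rules", WRONG_WAY), ("net->loc rules", RIGHT_WAY)):
        print(name)
        for pkt in (IKE_IN, AH_IN, SMB_IN, IKE_OUT):
            print("  %s->%s %s/%s: %s" % (pkt.src_zone, pkt.dst_zone, pkt.proto,
                                           pkt.dport, evaluate(pkt, rules, POLICY)))
        print("  redundant:", [(r.source, r.dest, r.proto, r.dport)
                               for r in redundant_rules(rules, POLICY)])
```

Running it shows the inbound IKE packet being dropped by policy both with no rules and with the `loc net` rules (which `redundant_rules` flags as no-ops), and accepted only with the `net loc` rules; the SMB probe stays dropped either way, which is the narrowness a practitioner wants when opening only what the tunnel needs.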