This is probably getting tiresome for most at this point, but I'm Yet Another Shorewall User Trying to get VPN SW To Work. I've kept up with the previous discussions on the subject (I think), and tried to do what was suggested, but still no joy. Since my IT dept claims that the Linux VPN client is unsupported, I thought I'd ask here for some hints.

I have a masqueraded client behind shorewall running Nortel's netlock VPN client. I have the following in shorewall/rules:

DNAT net:<VPN SERVER> lan:192.168.1.3 50
DNAT net:<VPN SERVER> lan:192.168.1.3 51
DNAT net:<VPN SERVER> lan:192.168.1.3 udp 500

(net is the external eth0 interface, with dhcp,norfc1918,blacklist as options. lan is the internal interface and 192.168.1.3 is the client)

I see, according to the client GUI, a successful login to the server, but then I get a message indicating that 'negotiation with the remote server failed'. For grins, I ran "tcpdump ip host <VPN SERVER>" on the shorewall and the client. I'm no tcpdump expert (in fact, this is the first time I've used it), but it did show me that the udp forwarding worked OK (I see the same activity on the client as the shorewall box). I didn't see any other activity.

I _believe_ that the shorewall rules are correct. I'm wondering what my next step should be (other than giving up and having a cry). Any suggestions would be appreciated.

Thanks in advance,
John A.
> -----Original Message-----
> From: John Affleck [mailto:jaffleck+shorewall@oddment.net]
> Sent: Wednesday, September 25, 2002 11:06 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] More VPN questions/trouble..
>
> This is probably getting tiresome for most at this point, but I'm Yet
> Another Shorewall User Trying to get VPN SW To Work. I've kept up
> with the previous discussions on the subject (I think), and tried to
> do what was suggested, but still no joy. Since my IT dept claims that
> the Linux VPN client is unsupported, I thought I'd ask here for some
> hints.
>
> I have a masqueraded client behind shorewall running Nortel's netlock
> VPN client. I have the following in shorewall/rules:
>
> DNAT net:<VPN SERVER> lan:192.168.1.3 50
> DNAT net:<VPN SERVER> lan:192.168.1.3 51
> DNAT net:<VPN SERVER> lan:192.168.1.3 udp 500
>
> (net is the external eth0 interface, with dhcp,norfc1918,blacklist as
> options. lan is the internal interface and 192.168.1.3 is the client)
>
> I see, according to the client GUI, a successful login to the server,
> but then I get a message indicating that 'negotiation with the remote
> server failed'. For grins, I ran "tcpdump ip host <VPN SERVER>" on
> the shorewall and the client. I'm no tcpdump expert (in fact, this is
> the first time I've used it), but it did show me that the udp
> forwarding worked OK (I see the same activity on the client as the
> shorewall box). I didn't see any other activity.
>
> I _believe_ that the shorewall rules are correct. I'm wondering what
> my next step should be (other than giving up and having a cry). Any
> suggestions would be appreciated.
>
> Thanks in advance,

Does your Nortel netlock VPN client use AH protocol? If so, then based on my understanding, this protocol cannot be successfully masqueraded behind any Linux based firewall.

From the VPN website: http://www.impsec.org/linux/masquerade/ip_masq_vpn.html

The IPsec AH protocol (51/ip) incorporates a cryptographic checksum including the IP addresses in the IP header. Since masquerading changes those IP addresses and since the cryptographic checksum cannot be recalculated by the masquerading firewall, the masqueraded packets will fail the checksum test and will be discarded by the remote IPsec gateway. Therefore, IPsec VPNs that use the AH protocol cannot be successfully masqueraded. Sorry. (ESP with authentication can be masqueraded.)

IPsec AH protocol reference: http://asg.web.cmu.edu/rfc/rfc2402.html
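The reason AH cannot survive masquerading, shown as a small simulation added here (not code from the thread or from Shorewall): the AH ICV is an HMAC over the IP header with only the mutable fields zeroed, so rewriting the source address invalidates it, while an ESP ICV covers only the ESP payload. The client, firewall and VPN server addresses and the key are constructed; the AH/ESP headers themselves are omitted to keep the comparison to the one point that matters.

```python
import hashlib, hmac, struct

AH_PROTO, ESP_PROTO = 51, 50
KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE

def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, ttl: int, plen: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    a2b = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, ttl, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    """RFC 2402: the ICV covers the IP header (mutable fields TOS, flags/offset,
    TTL and checksum zeroed; addresses are NOT mutable) plus the payload, 96 bits."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\0\0"; h[8] = 0; h[10:12] = b"\0\0"
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha1).digest()[:12]

def esp_icv(payload: bytes) -> bytes:
    """ESP authentication covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha1).digest()[:12]

def forward(ip_hdr: bytes, new_src: str) -> bytes:
    """What the firewall does per hop: rewrite the source (masquerade), decrement TTL, refresh checksum."""
    ttl, proto = ip_hdr[8], ip_hdr[9]
    plen = struct.unpack("!H", ip_hdr[2:4])[0] - 20
    dst = ".".join(str(b) for b in ip_hdr[16:20])
    return ipv4_header(new_src, dst, proto, ttl - 1, plen)

def gateway_accepts(proto: int, ip_hdr: bytes, payload: bytes, icv: bytes) -> bool:
    expected = ah_icv(ip_hdr, payload) if proto == AH_PROTO else esp_icv(payload)
    return hmac.compare_digest(expected, icv)

def simulate(proto: int, masquerade: bool) -> bool:
    """Client 192.168.1.3 sends to a constructed VPN server address; the firewall
    either masquerades to its constructed public address or merely routes the packet."""
    client, firewall, server = "192.168.1.3", "198.51.100.7", "203.0.113.10"
    payload = b"constructed IPsec payload"
    hdr = ipv4_header(client, server, proto, 64, len(payload))
    icv = ah_icv(hdr, payload) if proto == AH_PROTO else esp_icv(payload)
    out = forward(hdr, firewall if masquerade else client)
    return gateway_accepts(proto, out, payload, icv)
```

Plain routing (TTL decrement, checksum refresh) leaves AH valid because those fields are zeroed before hashing; only the address rewrite breaks it, which is why an AH client behind MASQUERADE fails while an ESP-only client can work.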
On Wed, Sep 25, 2002 at 12:55:08PM -0500, Cowles, Steve wrote:
> Does your Nortel netlock VPN client use AH protocol? If so, then based on my
> understanding, this protocol cannot be successfully masqueraded behind any
> linux based firewall.

Yoiks. That's a scary thought. It certainly looks that way (they require the port to be open at least). But they also claim that it will work behind some NAT'ing routers (SMC, D-Link) which suggests that it is possible.

Actually, it appears that AH is not used. Or at least it's capable of not being used. The negotiation log indicates "AH: ALGOR_OFF", which is hopeful.

Thanks for the help,
John A.
John Affleck wrote:
> On Wed, Sep 25, 2002 at 12:55:08PM -0500, Cowles, Steve wrote:
>
>> Does your Nortel netlock VPN client use AH protocol? If so, then based on my
>> understanding, this protocol cannot be successfully masqueraded behind any
>> linux based firewall.
>
> Yoiks. That's a scary thought. It certainly looks that way (they
> require the port to be open at least). But they also claim that it
> will work behind some NAT'ing routers (SMC, D-Link) which suggests
> that it is possible.
>
> Actually, it appears that AH is not used. Or at least it's capable of
> not being used. The negotiation log indicates "AH: ALGOR_OFF", which
> is hopeful.

Your Shorewall rules looked OK (with the exception of the Protocol 51 rule which is unnecessary -- that's AH).

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
On Wed, Sep 25, 2002 at 01:17:53PM -0700, Tom Eastep wrote:
> Your Shorewall rules looked OK (with the exception of the Protocol 51 rule
> which is unnecessary -- that's AH).

OK. I found the problem. It was the fact that I'm an idiot. I spent the better part of two days upgrading this, patching that and twiddling the other only to discover that my PIN was two digits longer than I thought it was. Sigh.

John A.
John Affleck wrote:
> On Wed, Sep 25, 2002 at 01:17:53PM -0700, Tom Eastep wrote:
>
>> Your Shorewall rules looked OK (with the exception of the Protocol 51 rule
>> which is unnecessary -- that's AH).
>
> OK. I found the problem. It was the fact that I'm an idiot.

That's a problem that I often have :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net