--On Wednesday, December 18, 2002 10:12:48 PM +0000 Bill Corr
<bill.corr@btinternet.com> wrote:
> Previously I reported problems connecting via Nortel/Netlock VPN client
> to a remote network. I have now managed to ping remote machines, but not
> telnet to them when I have Shorewall running. Thus I assume there are no
> routing problems.
>
> However, it appears that I must be doing something wrong in my
> configuration as if I do a "shorewall clear" I can use my VPN correctly
> and telnet onto remote machines.
Apparently we get to guess where you are telnetting from. Firewall, Local
Zone, your friends house down the street???
>
> To find out what I am doing wrong I have set my "policy" drop/reject
> lines to give information, but when I try to repeat the telnet operation
> I see no report of packets being dropped/rejected.
>
> Here's my policy file:
>
># outgoing
> fw net ACCEPT
> fw vpn ACCEPT
>#
># incoming
> vpn fw ACCEPT
> net fw ACCEPT
Now there is an open door policy if I ever saw one!!! Why have a firewall?
>#
># defaults
> net all DROP info
> all all REJECT info
I notice that you don't allow any traffic between vpn and loc -- is that
intentional?
>#
># LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> The rules file has everything commented out.
>
>
> VPN is defined in the tunnels file as the remote gateway:
>
> ipsec net xx.yy.zz.n vpn
>
> Zones file:
># ZONE DISPLAY COMMENTS
> net Net Internet zone
> loc Local Local networks
> vpn VPN Remote subnet
>
> interfaces file:
># ZONE INTERFACE BROADCAST OPTIONS
> net ppp0 -
> loc eth0 detect
> vpn nlv0 -
>
>
> To check that there's nothing wrong with my configuration I ran
> "shorewall debug start 2> sw.log", but could not see any warnings from
> iptables.
>
> I also have LOGRATE and LOGBURST set to null in the .conf file.
>
> I have had a quick peek at the packets with ethereal and I can see ESP
> and ISAKMP packets going in and out, but still no telnet session.
>
> Would anyone care to tell me what I am doing wrong?
>
We can come closer if you tell us where you are trying to run the telnet
client.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://shorewall.sf.net
Washington USA \ teastep@shorewall.net
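
The following is an added illustration, not part of either message above, of how the posted policy file could be tightened along the lines Tom's reply points at: the net->fw ACCEPT policy is replaced by the default DROP, and any Internet-facing service is opened explicitly in the rules file instead. The loc<->vpn lines and the SSH rule are assumptions about what this site wants (the thread does not say); the zone names, interfaces and tunnel entry are the ones Bill posted.

```text
# /etc/shorewall/policy (Shorewall 1.3-era columns: SOURCE DEST POLICY LOG LEVEL)
#
# outgoing
fw      net     ACCEPT
fw      vpn     ACCEPT
#
# incoming
vpn     fw      ACCEPT
# "net fw ACCEPT" removed: the Internet now falls through to "net all DROP"
# below, and individual services are opened in the rules file.
#
# LAN <-> remote subnet: assumption that both directions are wanted;
# change either line to "DROP info" if the tunnel should be one-way.
loc     vpn     ACCEPT
vpn     loc     ACCEPT
#
# defaults
net     all     DROP    info
all     all     REJECT  info
#
# LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

# /etc/shorewall/rules (ACTION SOURCE DEST PROTO DEST PORT(S))
#
# Assumption: SSH is the only service the firewall itself should offer
# to the Internet. The ESP/ISAKMP traffic for the tunnel is already
# handled by the "ipsec net xx.yy.zz.n vpn" entry in the tunnels file,
# so nothing else from net needs an ACCEPT here.
ACCEPT  net     fw      tcp     22
#
# LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
```

With this policy in place, anything Bill's telnet attempt hits that is not explicitly allowed is logged at the info level by one of the two default lines, which is the behaviour his original configuration could not show for traffic arriving from net because that zone was accepted outright.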