j2
2003-Jan-11 12:53 UTC
[Shorewall-users] [SOLUTION/Summary] ..all my routing / VPN problems.
Right, time to (as someone said) put this thread to a proper rest. Some of you have probably read my VPN/Routing/Lost packages hassles in the last week, well, here is the rundown.

Look at http://statler.mupp.net/shorewall/Layout.jpg

Basically: The shorewall knows the route to the .224.0/24 net is through .221.221. The systems in .221.0/24 have the FW as their default gw. The FW could reach hosts in either subnet, but when hosts in either subnet tried to contact hosts in the other subnet, traffic went missing in the FW. Studies are listed at the end of the post.

Solution? (Thanks to Mr Eastep)

Enable NEWNOTSYN in shorewall.conf. As the FW was only seeing "half" the session between the subnets (since traffic from .224.0/24 never passed the LOC interface of the FW, but rather was injected directly into the switch), it dropped the (as it thought) erroneous packages silently. (This would have been seen if LOGNEWNOTSYN had been enabled in shorewall.conf.)

Also: I chose to do "echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects" in the startup of shorewall to prevent the FW from redirecting hosts directly to the VPN routers. This was done to be able to "enforce" policies in the FW. (Yes, users COULD add a route themselves, but that is not a big concern.)

========================================================
Symptoms: Not able to establish a TCP session over the VPN. ICMP works fine.

Test-1: SSH from 192.168.221.202 -> 192.168.224.254
Result: SYN/ACK never reaches VPN router (192.168.221.221) (Last seen in TCP-dump of LOC-interface of FW)
--------------------
Test-2: SSH from 192.168.224.254 -> 192.168.221.202
Result: ACK never reaches 192.168.221.221 (last seen in TCP-dump of LOC-interface of FW)
--------------------
Test-3: Custom generated packages (pacgen 1.01) sent 192.168.221.202 -> 192.168.224.254. Tcpdump was running on: 192.168.224.254, 192.168.221.7 and on the Sniffing Bridge. See http://statler.mupp.net/shorewall/Layout.jpg
Result:
RST-packet: Disappears (last seen in TCP-dump of LOC-interface of FW)
ACK-packet: Disappears (last seen in TCP-dump of LOC-interface of FW)
FIN-packet: Disappears (last seen in TCP-dump of LOC-interface of FW)
SYN-packet: OK
URG-packet: OK
PSH-packet: OK
-----------------------
Test-4: SSH 192.168.221.7 -> 192.168.224.254
Result: OK
-----------------------
Test-5: SSH 192.168.221.202 -> 192.168.224.254 _with_ a direct route (route add -net 192.168.224.0 netmask 255.255.255.0 gw 192.168.221.221)
Result: OK
-----------------------
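Added example (not part of j2's post and not Shorewall or netfilter code): a toy Python model of a stateful filter that sees only one direction of a session, reproducing the accept/drop pattern of Test-3 above with the NEWNOTSYN option off and on, and a session whose opening SYN bypassed the FW entirely. The Packet/Firewall classes and the host-pair state key are assumed simplifications; real conntrack keys on the full 5-tuple and tracks TCP state.

```python
# Toy model (added example): a stateful firewall under asymmetric routing.
# Hosts and flag names come from the post; the tracker is a simplification.
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    flags: str            # "S", "SA", "A", "F", "R"
    via_fw: bool = True   # False: injected straight into the switch, bypassing the FW


@dataclass
class Firewall:
    newnotsyn: bool = False                 # NEWNOTSYN=No, the setting the post started with
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def _key(self, p):
        return frozenset({p.src, p.dst})    # one entry per host pair, direction-agnostic

    def handle(self, p):
        """Return the FW's verdict for one packet; bypassing packets are never seen."""
        if not p.via_fw:
            return 'BYPASS'                 # FW never sees it, so no state is created
        if self._key(p) in self.conns:
            return 'ACCEPT'                 # established in the FW's view
        if 'S' in p.flags and 'A' not in p.flags:
            self.conns.add(self._key(p))    # a plain SYN legitimately opens a new entry
            return 'ACCEPT'
        if self.newnotsyn:
            self.conns.add(self._key(p))    # NEWNOTSYN=Yes: accept and start tracking
            return 'ACCEPT'
        self.log.append(f'newnotsyn drop {p.src}->{p.dst} flags={p.flags}')
        return 'DROP'                       # what LOGNEWNOTSYN would have logged


def run_test3(newnotsyn):
    """Test-3 from the post: hand-crafted packets .221.202 -> .224.254, no prior SYN."""
    fw = Firewall(newnotsyn=newnotsyn)
    return {f: fw.handle(Packet('192.168.221.202', '192.168.224.254', f))
            for f in ('R', 'A', 'F', 'S')}


def run_bypassed_session(newnotsyn):
    """A SYN from .224.254 that never crossed the FW, then the reply SYN/ACK via the FW."""
    fw = Firewall(newnotsyn=newnotsyn)
    syn = Packet('192.168.224.254', '192.168.221.202', 'S', via_fw=False)
    synack = Packet('192.168.221.202', '192.168.224.254', 'SA')
    return [fw.handle(syn), fw.handle(synack)]
```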