hevnsnt@i-hacked.com
2003-Feb-19 08:16 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
First I would like to say that Shorewall is a great product; I have not had any problems setting it up except for one feature. I have multiple users on the LAN side that need to access a single VPN server on the Internet. They are using Nortel Extranet Access Client ver. 4.xx. Here is a pic that easily explains my network (please note that I am not an artist): http://www.i-hacked.com/images/vpn-network.jpg The computers are labeled A-D for further explanation later.

Now let me explain my FW/router. I am running MandrakeSecurity SNF on a PII 500 MHz machine with 2 10/100 NICs. The WAN NIC hooks directly to the telco router, with a static Internet IP. The LAN NIC hooks to a switch rack that distributes to all client computers. The firewall is running a DHCP client (using itself as gateway), web proxy, DNS cache, etc. I am quite aware that this is not an SNF support forum; however, I do not feel that this is an SNF problem. I was running Smoothwall previously and it had the exact same problem.

The problem is that *ONLY AFTER A REBOOT OF THE FIREWALL* only 1 machine can make a VPN connection to the Internet. After that one machine connects, none of the other machines can connect to the VPN. When that machine drops its connection to the VPN, the other machines still cannot create a tunnel, but the original machine can create it again. It will stay this way until we reboot the firewall. I have checked all the logs and I do not think this is a firewall ruleset issue. I think it has to do with the implementation of ip_masq_ipsec.o, but I do not know Linux well enough to do anything about it. I have a sneaking feeling that I am just missing something obvious.

Example:
- We have restarted the firewall.
- Computer A connects to the external VPN using the Nortel Extranet Client.
- Computer B tries to connect and gets a message that the remote host is not responding (after a timeout period). Computers C & D get the same message.
- Computer A disconnects from the VPN.
- Computer B tries to connect, and gets an error message that the remote host is not responding (btw: this machine still has other network connectivity).
- Computer A tries to connect to the VPN again, and it works perfectly.
- We then reboot the firewall and have Computer B try to connect to the VPN... Sure enough, it connects right through; however, now Computers A, C, & D cannot connect.

Sorry for the long-winded post; this is business critical, and I have put in some long, hair-tearing-out hours trying to solve this problem. I am now resolved to ask for help. I appreciate you taking the time to read this message, and any help that you can provide me.
hevnsnt@i-hacked.com wrote:
> Sorry for the long winded post, this is business critical, and I have put in
> some long, hair-tearing out hours trying to solve this problem, I am now
> resolved for asking for help. I appreciate you taking the time to read this
> message, and any help that you can provide me.

If the Nortel client can be configured to tunnel ESP/AH through UDP port 500 ISAKMP (IPSec NAT), then that should solve your problem. Otherwise, I know of no way to connect multiple masqueraded clients to the same IPSEC server.

From their web page, it doesn't look like the Nortel client can use PPTP, but if it can, there is a netfilter connection-tracking/NAT module for PPTP which will allow multiple masqueraded clients to access the same PPTP server.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
hevnsnt@i-hacked.com
2003-Feb-19 08:57 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
Tom, sorry for the personal email, I meant to send it to the list..

I am pretty sure that the VPN server is configured to tunnel ESP/AH through UDP 500..
hevnsnt@i-hacked.com wrote:
> Tom, sorry for the personal email, I meant to send to the list..
>
> I am pretty sure that the VPN server is configured to tunnel ESP/AH through
> UDP500..

What does "shorewall show connections" look like when you have a connection established then?

-Tom
hevnsnt@i-hacked.com
2003-Feb-19 09:12 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
Tom, I will check this tonight. We had to pull the firewall down so that our clients can work today.. What am I looking for? I am pretty good at being pointed in a direction and finding my own solution, if I know what to look for..

Thanks for the quick help!
hevnsnt@i-hacked.com wrote:
> Tom, I will check this tonight, We had to pull the firewall down so that our
> clients can work today.. What am I looking for? I am pretty good at being
> pointed in a direction and finding my own solution, if I know what to look for..

You are looking to see if there are any other connections between the client and server besides isakmp.

-Tom
Tom Eastep wrote:
> You are looking to see if there are any other connections between the
> client and server besides isakmp.

Even if there is only an isakmp connection, it may not be possible to have more than one connection, since both ends of the connection use port 500. When the firewall receives a UDP packet with source ip=server, source port=500, destination ip=firewall external ip, destination port=500, it has no way to know which client to forward the packet to without being able to look inside the payload for identifying information. That again would require a connection-tracking/nat module for ipsec.

-Tom
hevnsnt@i-hacked.com
2003-Feb-19 13:12 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
You know, I just thought of something.. First check out this pic: http://www.i-hacked.com/images/vpn-network.jpg (updated)

The telco router has some weird configuration I have never seen before. It translates internal IPs (192.16.1.x) into external IPs (65.x.x.x).. I wonder if that is what is stopping me. Like, before the firewall was implemented, all computers on the network (192.168.1.x) also had a unique corresponding external IP. (Does that make sense?) I wonder if this is preventing me from making so many tunnels, because at this point, with the firewall in place, there is only "1 computer" accessing the Internet... Maybe some kind of "double-NATting" is going on.. Anyone have any thoughts? Anyone seen a router act like that before?
John S. Andersen
2003-Feb-19 13:22 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
On 19 Feb 2003 at 15:12, hevnsnt@i-hacked.com wrote:
> Maybe some kind of "Double-Natting" is
> going on.. Anyone have any thoughts? Anyone seen a router act like
> that before?

Isn't that sort of like what happens when Shorewall does proxyarp for several IPs aliased onto the external NIC?

______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
_______________________________________
John S. Andersen
NORCOM mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/
On Wed, 2003-02-19 at 13:12, hevnsnt@i-hacked.com wrote:
> You know I just thought of something.. First check out this pic..
> http://www.i-hacked.com/images/vpn-network.jpg (updated)
>
> The telco router has some weird configuration I have never seen before,
> It translates internal ips (192.16.1.x) into external Ips (65.x.x.x).. I wonder
> if that is what is stopping me.

hevnsnt,
Could be. Have you read about the rfc1918 settings?

http://www.shorewall.net/Documentation.htm#rfc1918

Google string: norfc1918 site:shorewall.net

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
hevnsnt@i-hacked.com
2003-Feb-19 13:34 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
Yes I have, but I don't think I got my point across effectively.. When I got there every computer had a static IP address; I will outline 4 examples:

192.168.1.15
192.168.1.16
192.168.1.17
192.168.1.18

If I am on computer .15 and go to www.whatismyip.com it shows 65.x.x.14
If I am on computer .16 and go to www.whatismyip.com it shows 65.x.x.15
If I am on computer .17 and go to www.whatismyip.com it shows 65.x.x.16
If I am on computer .18 and go to www.whatismyip.com it shows 65.x.x.17

So if I, say, shared a folder on my 'doze machine, I could go home and connect to \\65.x.x.16\shared and see this folder. (I know, I didn't set it up.) I hope that this clears up what I was saying a little..

-Bill
John S. Andersen
2003-Feb-19 13:49 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
But your example does not address the point Mike was trying to make... When your firewall is up, it may be seeing 192.168.x.x traffic on its Internet-side NIC (as well as its LAN-side NIC). If your router talks to the Shorewall box on 192.168, and you have norfc1918 on that interface, nothing will get through. I just made this mistake a week ago.

So, that's what Mike was asking if you had considered.....
hevnsnt@i-hacked.com
2003-Feb-19 13:54 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
Ahh.. I understand.. however, I know it is not a matter of norfc1918 (how about I assume it is not a matter of) because I can bring one client on a VPN connection and it works fine.. It seems as though it is a problem with ipsec not knowing about NAT.. or something..

-Bill
John S. Andersen
2003-Feb-19 14:01 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
On 19 Feb 2003 at 15:54, hevnsnt@i-hacked.com wrote:
> Ahh.. I understand.. however, I know it is not a matter of norfc1918
> (how about I assume it is not a matter of) because I can bring one
> client on a VPN connection works fine..

Well, that makes sense, since your firewall is only seeing one IP when connected to the Shorewall box... that of the Shorewall's Internet-side NIC. I'm not sure, but it might be that proxyarp would be worth looking into if you have to make it appear to have multiple IPs attached to the router box. Tom has some explanation on the site about this.
hevnsnt@i-hacked.com wrote:
> Ahh.. I understand.. however, I know it is not a matter of norfc1918 (how about
> I assume it is not a matter of) because I can bring one client on a VPN
> connection works fine.. It seems as though it is a problem with ipsec not
> knowing about nat.. or something..

I suspect that it is rather a case of your Shorewall box not knowing enough about ipsec to be able to track multiple connections to one IP address effectively.

What I would do is to also establish 1-1 NAT on your Shorewall router in place of the current masq/snat. Even though there will still be "double NAT", it should work fine, because then connection tracking of the IPSEC connections will work. e.g.,

192.168.1.11->192.168.0.11
192.168.1.12->192.168.0.12
...

If you set up your NAT file and set ADD_IP_ALIASES=Yes in shorewall.conf, Shorewall will add all of the IP addresses for you.

You could also set up proxy ARP, but that would be a little trickier...

-Tom
hevnsnt@i-hacked.com
2003-Feb-25 18:48 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
I am very thankful for your assistance... However, I have only now had a chance to take a look at this problem, as others have arisen and been taken care of.

A little background to refresh your memories: I have a small group of computers that are behind a Mandrake SNF firewall. (Before you say it, I understand this is not an SNF list.) All the clients (25-30) use Nortel's Extranet client from the LAN side to the WAN side. The problem I am having is that only 1 machine at a time can establish a VPN connection.

Solution: I purchased a Sonicwall (got it SUPER CHEAP, email me if you are interested) and got to play around to find the solution. We experienced the same problem with a 1:many NAT setup with it; as soon as I moved it to 1:1 all machines could connect.

Now my question (please excuse the ignorance): How do I configure my Shorewall to run 1:1? By interpreting Tom's response below, I need to edit my NAT file. I have opened up /etc/Shorewall/nat, and it tells me not to edit it, therefore I am very leery... Could someone hold my hand? I need to mask 192.168.0.2/65.x.x.2|40. 1st, is /etc/Shorewall/nat the file I want to edit? 2nd, how do I do it? I am sorry, I am learning.. I respect and appreciate your knowledge, and I am working on learning.. =)

Thanks
-Bill

Quoting Tom Eastep <teastep@shorewall.net>:
> What I would do is to also establish 1-1 NAT on your Shorewall Router in
> place of the current masq/snat. Even though there will still be "double
> NAT", it should work fine because then connection tracking of the IPSEC
> connections will work.
>
> If you set up your NAT file and set ADD_IP_ALIASES=Yes in
> shorewall.conf, Shorewall will add all of the IP addresses for you.
--On Tuesday, February 25, 2003 08:48:01 PM -0600 hevnsnt@i-hacked.com wrote:
> Now my question:: (Please excuse the ignorance) How do I configure my
> Shorewall to run 1:1? By interpreting Tom's response below, I need to
> edit my NAT file. I have opened up /etc/Shorewall/nat, and it tells me
> not to edit it, therefore I am very leary... Could someone hold my hand?
> I need to mask 192.168.0.2/65.x.x.2|40. 1st, is /etc/Shorewall/nat the
> file I want to edit? 2nd, how do I do it.

Bill -- What are you seeing in /etc/shorewall/nat that tells you not to edit it? Here's the current released /etc/shorewall/nat file:

----------------------------------------------
##############################################################################
#
# Shorewall 1.3 -- Network Address Translation Table
#
# /etc/shorewall/nat
#
# This file is used to define static Network Address Translation (NAT).
#
# WARNING: If all you want to do is simple port forwarding, do NOT use this
#          file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
#          cases, Proxy ARP is a better solution that static NAT.
#
# Columns must be separated by white space and are:
#
#       EXTERNAL        External IP Address - this should NOT be the primary
#                       IP address of the interface named in the next
#                       column and must not be a DNS Name.
#       INTERFACE       Interface that we want to EXTERNAL address to appear
#                       on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
#                       follow the interface name with ":" and a digit to
#                       indicate that you want Shorewall to add the alias
#                       with this name (e.g., "eth0:0"). That allows you to
#                       see the alias with ifconfig. THAT IS THE ONLY THING
#                       THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
#                       ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
#       INTERNAL        Internal Address (must not be a DNS Name).
#       ALL INTERFACES  If Yes or yes (or left empty), NAT will be effective
#                       from all hosts. If No or no then NAT will be effective
#                       only through the interface named in the INTERFACE
#                       column
#       LOCAL           If Yes or yes and the ALL INTERFACES column contains
#                       Yes or yes, NAT will be effective from the firewall
#                       system
##############################################################################
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
--------------------------------------------------

I don't see anything there that suggests that you shouldn't edit the file. It simply says that if all you want to do is port forward then this isn't the file for you.

-Tom
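The following is an added example, not code from this thread or from Shorewall. It models Tom's explanation above of why masquerading cannot tell two LAN clients' IKE (UDP 500<->500) or ESP flows apart once the VPN server replies to the firewall's single external address, and shows how a 1:1 mapping parsed from a Shorewall 1.3 /etc/shorewall/nat file (in the format Tom quotes) keeps each client's reply distinguishable. The addresses, the nat file entries and the reply-matching model are constructed simplifications, not a reproduction of real conntrack behaviour.

```python
"""Constructed model: many-to-one masquerade vs. 1:1 NAT for IPsec clients.

203.0.113.x stands in for the real 65.x.x.x block; 198.51.100.5 is a
made-up VPN server address."""

from collections import namedtuple

# proto is "udp" or "esp"; ESP carries no ports, so sport/dport are None
Flow = namedtuple("Flow", "proto src sport dst dport")

SERVER = "198.51.100.5"    # constructed address of the VPN server on the Internet
FW_EXT = "203.0.113.1"     # constructed primary address of the firewall's WAN NIC


def reply_of(flow):
    """The tuple the VPN server sends back for an outbound flow."""
    return Flow(flow.proto, flow.dst, flow.dport, flow.src, flow.sport)


def parse_nat_file(text):
    """Parse Shorewall 1.3 /etc/shorewall/nat entries into {internal: external}.
    Columns: EXTERNAL INTERFACE INTERNAL [ALL INTERFACES] [LOCAL]; '#' starts a comment."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError("nat entry needs at least 3 columns: %r" % raw)
        external, _interface, internal = cols[:3]   # the eth0:0 suffix is cosmetic only
        if external in mapping.values():
            raise ValueError("external address %s used twice" % external)
        mapping[internal] = external
    return mapping


class Masquerade:
    """Many-to-one SNAT: every client is rewritten to FW_EXT.  Replies are matched
    on the reply tuple alone, which is all a firewall without an IPsec helper sees."""

    def __init__(self, fw_ext=FW_EXT):
        self.fw_ext = fw_ext
        self.owner = {}          # reply tuple -> LAN client that created the entry

    def outbound(self, flow):
        translated = flow._replace(src=self.fw_ext)
        # IKE insists on 500<->500 and ESP has no ports, so the tuple cannot be
        # made unique per client; a second client collides with the first entry.
        self.owner.setdefault(reply_of(translated), flow.src)
        return translated

    def inbound(self, reply):
        return self.owner.get(reply)


class OneToOne:
    """Static 1:1 NAT as defined by /etc/shorewall/nat: each client keeps its own
    external address, so the reply's destination address identifies the client."""

    def __init__(self, mapping):
        self.ext_of = dict(mapping)
        self.int_of = {ext: internal for internal, ext in mapping.items()}

    def outbound(self, flow):
        return flow._replace(src=self.ext_of[flow.src])

    def inbound(self, reply):
        return self.int_of.get(reply.dst)


def ike(client):
    return Flow("udp", client, 500, SERVER, 500)


def esp(client):
    return Flow("esp", client, None, SERVER, None)


def who_gets_replies(table, clients, make_flow):
    """Each client opens one flow; return {client: True if the server's reply
    is forwarded back to that same client}."""
    replies = {c: reply_of(table.outbound(make_flow(c))) for c in clients}
    return {c: table.inbound(replies[c]) == c for c in clients}


# Constructed nat file in the format Tom quoted (Shorewall 1.3).
NAT_FILE = """\
#EXTERNAL        INTERFACE   INTERNAL        ALL INTERFACES   LOCAL
203.0.113.11     eth0:0      192.168.1.11    Yes              No
203.0.113.12     eth0:1      192.168.1.12    Yes              No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

CLIENTS = ["192.168.1.11", "192.168.1.12"]

if __name__ == "__main__":
    one_to_one = OneToOne(parse_nat_file(NAT_FILE))
    for name, make in (("IKE udp/500", ike), ("ESP", esp)):
        print(name, "masquerade:", who_gets_replies(Masquerade(), CLIENTS, make))
        print(name, "1:1 NAT:   ", who_gets_replies(one_to_one, CLIENTS, make))
```

Under masquerade only the first client's entry ever matches the server's reply, which is the "only one machine at a time" symptom in the thread; with one external address per client the reply's destination alone identifies the client.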
hevnsnt@i-hacked.com
2003-Feb-25 19:01 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
I have my box off the network, so I will have to type it:

#
#--------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically
# by the naat/backend. Modify the template file instead
# in /usr/share/naat/templates/etc/shorewall
#--------------------------------------------------------------
#
# Copyright Madrakesoft
#--------------------------------------------------------------
# Shorewall 1.2.5 /etc/shorewall/nat

Now, I know this is SNF, but it should use this file anyway, and I don't mind modifying it if it is possible..

-Bill
--On Tuesday, February 25, 2003 09:01:29 PM -0600 hevnsnt@i-hacked.com wrote:
> I have my box off the network, so I will have to type it::
>
> #
> #--------------------------------------------------------------
> # DO NOT MODIFY THIS FILE! It is updated automatically
> # by the naat/backend. Modify the template file instead
> # in /usr/share/naat/templates/etc/shorewall
> #--------------------------------------------------------------
> #
> # Copyright Madrakesoft
> #--------------------------------------------------------------
> # Shorewall 1.2.5 /etc/shorewall/nat
>
> Now, I know this is SNF, but it should use this file anyway, and I dont
> mind modifying it if it is possible..

I can't advise you. I haven't supported Shorewall 1.2 for many months now, and I've NEVER supported Mandrake SNF (which has not been superseded by Mandrake MNF, which was Mandrake's last great announcement before they went into bankruptcy).

-Tom
--On Tuesday, February 25, 2003 07:09:23 PM -0800 Tom Eastep <teastep@shorewall.net> wrote:

> I can't advise you. I haven't supported Shorewall 1.2 for many months now
> and I've NEVER supported Mandrake SNF (which has not been superseded by
> Mandrake MNF which was Mandrake's last great announcement before they
> went into bankruptcy).

My typing sucks.... That should have been "which has _now_ been superseded by..."

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Martinez, Mike (MHS-ACS)
2003-Feb-26 07:02 UTC
[Shorewall-users] VPN Passthrough Assistance Needed
Bill,

We have a Nortel 1500 VPN box sitting in our lan zone. We are able to connect to this Nortel box from within our lan and also from any wan connections without any problems, and our users are able to connect and tunnel out without any problems. The way we have our shorewall set up to work with this VPN is that we are using proxyarp instead of nat for the IPs that are assigned against the Nortel box. Also, in our policy file we allow our users in the lan zone full access to everything:

Our Policy File
############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
loc2      loc    ACCEPT
loc       all    ACCEPT

and in our rules file we have this set up:

############################################################################
#RESULT   CLIENT(S)   SERVER(S)   PROTO   PORT(S)    CLIENT PORT(S)   ADDRESS
#
ACCEPT    net         loc         esp
ACCEPT    net         loc         udp     500,5000

As a side note, we also have some users connecting to an AT&T VPN without any problems.

Quick suggestions/comments... Tom probably already recommended this... I would blow away (erase) the Mandrake shorewall configuration and download the latest shorewall rpm and install it. Mandrake sets up shorewall a little differently and does not set it up the way Tom recommends shorewall be set up, and they also add some other security stuff that might prevent you from getting your VPN connectivity set up properly.

Also, Nortel documentation recommends that the Nortel box be set up alongside whatever firewall you are using. I tried this and could never get my shorewall firewall and the Nortel box to play well, and had similar problems to what you are experiencing. Do you have the Nortel box on the same switch/hub that your shorewall box is on? If so, this may be your problem. We moved our Nortel box to an internal switch and as soon as we did this it worked.

Anyway, hopefully some of this helps.
Mike

-----Original Message-----
From: hevnsnt@i-hacked.com [mailto:hevnsnt@i-hacked.com]
Sent: Tuesday, February 25, 2003 8:48 PM
To: Shorewall List
Subject: Re: [Shorewall-users] VPN Passthrough Assistance Needed

I am very thankful for your assistance... However, I have only now had a chance to take a look at this problem, as others have arisen and been taken care of.

A little background to refresh your memories: I have a small group of computers that are behind a Mandrake SNF firewall. (Before you say it, I understand this is not a SNF list.) All the clients (25-30) use Nortel's Extranet client from the LAN side to the WAN side. The problem I am having is that only 1 machine at a time can establish a VPN connection.

Solution: I purchased a Sonicwall (got it SUPER CHEAP, email me if you are interested) and got to play around to find the solution. We experienced the same problem with a 1:many nat setup with it; as soon as I moved it to 1:1, all machines could connect.

Now my question (please excuse the ignorance): How do I configure my Shorewall to run 1:1? By interpreting Tom's response below, I need to edit my NAT file. I have opened up /etc/Shorewall/nat, and it tells me not to edit it, therefore I am very leery... Could someone hold my hand? I need to mask 192.168.0.2/65.x.x.2|40.

1st, is /etc/Shorewall/nat the file I want to edit?
2nd, how do I do it?

I am sorry, I am learning.. I respect and appreciate your knowledge, and I am working on learning.. =)

Thanks
-Bill

Quoting Tom Eastep <teastep@shorewall.net>:

> hevnsnt@i-hacked.com wrote:
>
> > Ahh.. I understand.. however, I know it is not a matter of norfc1918
> > (how about I assume it is not a matter of) because I can bring one
> > client on a VPN connection and it works fine.. It seems as though it
> > is a problem with ipsec not knowing about nat.. or something..
>
> I suspect that it is rather a case of your Shorewall box not knowing
> enough about ipsec to be able to track multiple connections to one IP
> address effectively.
>
> What I would do is to also establish 1-1 NAT on your Shorewall Router in
> place of the current masq/snat. Even though there will still be "double
> NAT", it should work fine because then connection tracking of the IPSEC
> connections will work.
>
> e.g.,
>
> 192.168.1.11->192.168.0.11
> 192.168.1.12->192.168.0.12
> ...
>
> If you set up your NAT file and set ADD_IP_ALIASES=Yes in
> shorewall.conf, Shorewall will add all of the IP addresses for you.
>
> You could also set up proxy arp but that would be a little trickier...
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
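As an added example (not code from the thread, from Tom, or from the Shorewall project), the script below does the hand-holding Bill asks for: it writes the /etc/shorewall/nat lines that Tom's 1:1 NAT suggestion calls for, one per LAN host, using the column layout from the Shorewall 1.3 nat file quoted earlier (EXTERNAL, INTERFACE, INTERNAL, ALL INTERFACES, LOCAL), sanity-checks them, and prints the DNAT/SNAT iptables rules each mapping expands to so the result can be reviewed before it is applied. The public block in the thread is elided (65.x.x.2|40), so the script assumes the documentation range 203.0.113.0/24 in its place; the external interface name eth0 and the host range .2 to .5 are also assumptions. The functions gen_nat_entries, check_nat_entries and nat_to_iptables are this example's own names. Nothing is applied to a live firewall; it only prints.

```shell
#!/bin/sh
# Added example for the Shorewall 1:1 NAT discussion; not from the thread or
# from Shorewall itself. Assumptions: external interface eth0, LAN hosts on
# 192.168.0.x, and 203.0.113.x (documentation range) standing in for the
# elided 65.x.x.x public block.

# gen_nat_entries IFACE INT_PREFIX EXT_PREFIX FIRST LAST
# Prints one /etc/shorewall/nat line per host:
#   EXTERNAL  INTERFACE  INTERNAL  ALL_INTERFACES  LOCAL
# The "iface:N" form makes Shorewall add the alias itself when
# ADD_IP_ALIASES=Yes is set in shorewall.conf (N starts at 0 here).
gen_nat_entries() {
    iface=$1; int_prefix=$2; ext_prefix=$3; first=$4; last=$5
    alias=0
    n=$first
    while [ "$n" -le "$last" ]; do
        printf '%s\t%s:%s\t%s\tYes\tNo\n' \
            "$ext_prefix.$n" "$iface" "$alias" "$int_prefix.$n"
        alias=$((alias + 1))
        n=$((n + 1))
    done
}

# check_nat_entries < nat-file
# Returns 0 when every non-comment line has at least three columns, the
# EXTERNAL and INTERNAL columns are dotted quads (the nat file forbids DNS
# names there), and no EXTERNAL address is mapped twice. Otherwise prints
# the first problem and returns 1.
check_nat_entries() {
    awk '
      function is_ip(a,  p, i) {
        if (split(a, p, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
      }
      /^[ \t]*#/ || /^[ \t]*$/ { next }
      NF < 3     { print "line " NR ": fewer than 3 columns"; bad = 1; exit }
      !is_ip($1) { print "line " NR ": EXTERNAL not a dotted quad: " $1; bad = 1; exit }
      !is_ip($3) { print "line " NR ": INTERNAL not a dotted quad: " $3; bad = 1; exit }
      seen[$1]++ { print "line " NR ": EXTERNAL " $1 " mapped twice"; bad = 1; exit }
      END { exit bad }
    '
}

# nat_to_iptables IFACE EXT INT
# Prints the two iptables rules one 1:1 mapping expands to: DNAT for
# traffic arriving at EXT, SNAT for traffic leaving from INT. Print only.
nat_to_iptables() {
    iface=$1; ext=$2; int=$3
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' \
        "$iface" "$ext" "$int"
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' \
        "$iface" "$int" "$ext"
}

# Demo run over a constructed range (.2 through .5).
entries=$(gen_nat_entries eth0 192.168.0 203.0.113 2 5)
printf '%s\n' "$entries"
printf '%s\n' "$entries" | check_nat_entries && echo '# nat entries look sane'
printf '%s\n' "$entries" | while read -r ext iface int rest; do
    nat_to_iptables "${iface%%:*}" "$ext" "$int"   # strip the ":N" alias suffix
done
```

The generated lines are pasted above the "LAST LINE" marker of /etc/shorewall/nat (on a stock Shorewall install, not the SNF-managed copy that says not to edit it), and each EXTERNAL address must be one the telco actually routes to the firewall's WAN interface and must not be that interface's primary address.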