From: Phil Foxton <phil.foxton@intelligent-ms.com>
To: shorewall-users@lists.shorewall.net
Subject: [Shorewall-users] Two VPN connections (IPSEC)
Date: 03 Jun 2003 16:57:11 +0100

Hi,

I currently have a good setup running shorewall to protect my network at home, and it works fine if I just want to have a tunnel to one site (let's call it Challenge), but if I add a tunnel to another site (let's call it Stony), the tunnel comes up ok (I can see from ipsec look that the tunnels are there) but I cannot pass any traffic over them, even though I can send traffic over the original tunnel. Any ideas?

RGDS

Phil
--
Phil Foxton <phil.foxton@intelligent-ms.com>
Intelligent Maintenance Systems Ltd
Hi,

Tom just helped me on this issue a couple of days ago.

This is what I do when I have 2 tunnels (subnet-subnet) to one site. You have 2 tunnels to 2 sites, but it should be similar.

/etc/shorewall/tunnels:
ipsec net 64.128.24.x vpn,vpn2
# You may need 2 lines here (each for a different remote IP)

in /etc/shorewall/interfaces:
- ipsec0

in /etc/shorewall/hosts:
vpn ipsec0:192.168.15.0/24
vpn2 ipsec0:192.168.22.0/24

and the corresponding rules and policy for vpn, vpn2 and your network.

I hope that helps.

M Lu.

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm
On Wed, 2003-06-04 at 08:10, M Lu wrote:
> This is what I do when I have 2 tunnels (subnet-subnet) to one site. You
> have 2 tunnels to 2 sites but should be similar
>
> /etc/shorewall/tunnels
> ipsec net 64.128.24.x vpn,vpn2
> # You may need 2 lines here (each for a different remote IP)
>
> in /etc/shorewall/interfaces
> - ipsec0
>
> in /etc/shorewall/hosts
> vpn ipsec0:192.168.15.0/24
> vpn2 ipsec0:192.168.22.0/24

Darn

Nope, that didn't work......

Any ideas?

Rgds

Phil
--
Phil Foxton <phil.foxton@intelligent-ms.com>
Intelligent Maintenance Systems Ltd
On 04 Jun 2003 20:16:45 +0100, Phil Foxton <phil.foxton@intelligent-ms.com> wrote:
> Darn
>
> Nope, that didn't work......
>
> Any ideas?

Yes -- how about sending us *SOMETHING* about your configuration.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
D'oh, silly me - bad day at Black Rock!

Anyhow, here are the (hopefully) relevant config bits:
ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:08:C7:7F:93:D1
          inet addr:192.168.31.2  Bcast:192.168.31.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 00:50:04:46:C8:D0
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0

ipsec0    Link encap:Ethernet  HWaddr 00:50:04:46:C8:D0
          inet addr:192.168.1.3  Mask:255.255.255.0
route -n:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.1     0.0.0.0         255.255.255.255 UH    0      0        0 eth1
192.100.20.0    192.168.1.1     255.255.255.0   UG    0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.31.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.200.0   192.168.1.1     255.255.255.0   UG    0      0        0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
/etc/shorewall/tunnels:
# TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 194.74.0.138 vpn
ipsec net 217.40.190.201 vpn2
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
net eth1 detect routefilter
loc eth0 detect routestopped
- ipsec0
/etc/shorewall/hosts:
#ZONE HOST(S) OPTIONS
vpn ipsec0:192.168.200.0/24
vpn2 ipsec0:192.100.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
(I know the far end of vpn2 is not using RFC1918 but will be soon!)
/etc/shorewall/rules:
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT fw loc tcp 21
ACCEPT loc fw tcp 21
ACCEPT fw loc udp 21
ACCEPT loc fw udp 21
ACCEPT loc fw tcp 22
ACCEPT fw loc tcp 22
ACCEPT net fw tcp 22
ACCEPT loc fw tcp 110
ACCEPT fw loc tcp 110
ACCEPT net fw tcp 110
ACCEPT net fw tcp 80
ACCEPT fw net tcp http
REDIRECT loc 3128 tcp www -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/policy:
fw net ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT
loc vpn2 ACCEPT
vpn2 loc ACCEPT
net all DROP info
all all REJECT info
# shorewall version
1.4.2
Hopefully that should give an idea. It would be good if I could get this
working soon, as at the moment, to collect my email and administer the
second subnet, I need to PPTP in from a Windows box (YUK!).

Oh, one more thing that may be of note: this firewall sits behind a
router which does the NATing (a Zyxel 642-R), hence eth0 being
192.168.31.2 and eth1 being 192.168.1.3.
Regards
Phil
On Wed, 2003-06-04 at 20:19, Tom Eastep wrote:
> Yes -- how about sending us *SOMETHING* about your configuration.
>
> -Tom
--
Phil Foxton <phil.foxton@intelligent-ms.com>
Intelligent Maintenance Systems Ltd
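The zone mapping that M Lu's recipe and Phil's interfaces/hosts/policy files rely on, modelled as an added example (this is not Shorewall's own code). It resolves a forwarded packet to a (source zone, destination zone, action) triple the way Shorewall 1.4 does for a zone-less (`-`) interface: the interface's own zone if it has one, otherwise the first /etc/shorewall/hosts entry covering the address, then the first matching /etc/shorewall/policy line. It also cross-checks the posted routing table against the hosts file so that a tunnel route with no zone behind it stands out. Assumptions: the model is simplified (no rules file, no fw zone, no interface options); an address no zone claims is reported as NO-ZONE rather than guessing how the real firewall logs it; the packets fed to it and the 10.9.9.9 address are constructed.

```python
"""Added example (not Shorewall's code): model Shorewall 1.4 zone resolution
for a '-' interface via /etc/shorewall/hosts, first-match policy lookup, and a
route-vs-hosts cross-check.  Tables are transcribed from Phil's post."""
import ipaddress

# /etc/shorewall/interfaces: zone per interface, None for the '-' zone
INTERFACES = {"eth1": "net", "eth0": "loc", "ipsec0": None}

# /etc/shorewall/hosts: (zone, interface, network)
HOSTS = [
    ("vpn", "ipsec0", "192.168.200.0/24"),
    ("vpn2", "ipsec0", "192.100.20.0/24"),
]

# /etc/shorewall/policy in file order; Shorewall uses the first match
POLICY = [
    ("fw", "net", "ACCEPT"),
    ("loc", "vpn", "ACCEPT"),
    ("vpn", "loc", "ACCEPT"),
    ("loc", "vpn2", "ACCEPT"),
    ("vpn2", "loc", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]

# 'route -n' from the post: (destination, gateway, genmask, flags, iface)
ROUTES = [
    ("192.168.1.1", "0.0.0.0", "255.255.255.255", "UH", "eth1"),
    ("192.100.20.0", "192.168.1.1", "255.255.255.0", "UG", "ipsec0"),
    ("192.168.1.0", "0.0.0.0", "255.255.255.0", "U", "eth0"),
    ("192.168.1.0", "0.0.0.0", "255.255.255.0", "U", "ipsec0"),
    ("192.168.31.0", "0.0.0.0", "255.255.255.0", "U", "eth0"),
    ("192.168.200.0", "192.168.1.1", "255.255.255.0", "UG", "ipsec0"),
    ("127.0.0.0", "0.0.0.0", "255.0.0.0", "U", "lo"),
    ("0.0.0.0", "192.168.1.1", "0.0.0.0", "UG", "eth1"),
]


def zone_of(iface, addr):
    """Zone for an address seen on iface: the interface's own zone, or, for a
    '-' interface, the first hosts entry whose network contains the address.
    None when no zone claims the address."""
    zone = INTERFACES.get(iface)
    if zone is not None:
        return zone
    ip = ipaddress.ip_address(addr)
    for hzone, hiface, net in HOSTS:
        if hiface == iface and ip in ipaddress.ip_network(net):
            return hzone
    return None


def policy_for(src_zone, dst_zone):
    """First policy line whose source and destination match; 'all' is a
    wildcard over the defined zones."""
    for src, dst, action in POLICY:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action
    return None


def verdict(in_iface, src, out_iface, dst):
    """(source zone, destination zone, action) for a forwarded packet.
    NO-ZONE (an assumption of this model) marks an address no zone claims;
    such traffic never reaches a zone-to-zone policy, which is exactly the
    symptom of a tunnel subnet missing from /etc/shorewall/hosts."""
    src_zone = zone_of(in_iface, src)
    dst_zone = zone_of(out_iface, dst)
    if src_zone is None or dst_zone is None:
        return (src_zone, dst_zone, "NO-ZONE")
    return (src_zone, dst_zone, policy_for(src_zone, dst_zone))


def tunnel_routes_without_zone():
    """Gateway routes (flag G) over a '-' interface whose destination network
    is not inside any hosts entry: a tunnel that can carry no traffic."""
    missing = []
    for dest, _gw, mask, flags, iface in ROUTES:
        if "G" not in flags or INTERFACES.get(iface) is not None:
            continue
        net = ipaddress.ip_network(f"{dest}/{mask}")
        covered = any(
            hiface == iface and net.subnet_of(ipaddress.ip_network(hnet))
            for _zone, hiface, hnet in HOSTS
        )
        if not covered:
            missing.append((str(net), iface))
    return missing


if __name__ == "__main__":
    # Constructed packets: loc -> vpn2, vpn -> loc, and an unclaimed address
    for pkt in [("eth0", "192.168.31.10", "ipsec0", "192.100.20.5"),
                ("ipsec0", "192.168.200.7", "eth0", "192.168.31.10"),
                ("ipsec0", "10.9.9.9", "eth0", "192.168.31.10")]:
        print(pkt, "->", verdict(*pkt))
    print("tunnel routes with no zone:", tunnel_routes_without_zone())
```

With the posted files every UG route over ipsec0 is covered by a hosts entry and both loc/vpn2 directions resolve to ACCEPT, which matches Tom's reading that the Shorewall side looks right; the same script run with one hosts line removed turns that tunnel's traffic into NO-ZONE.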
On 04 Jun 2003 21:11:59 +0100, Phil Foxton <phil.foxton@intelligent-ms.com> wrote:
> Oh, one more thing that may be of note: this firewall sits behind a
> router which does the NATing (a Zyxel 642-R), hence eth0 being
> 192.168.31.2 and eth1 being 192.168.1.3.

I didn't see anything wrong with your setup -- are you sure that the 642-R can handle multiple IPSEC tunnels to/from the same internal system?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
On 04 Jun 2003 22:16:17 +0100, Phil Foxton <phil.foxton@intelligent-ms.com> wrote:
> As far as I am aware it can - the tunnels actually come up ok, it's just
> I cannot ping or otherwise across the second one.

And if you bring up just the second tunnel, can you use it? If not, then if you "shorewall clear", can you use the tunnel? If so, what Shorewall messages are you seeing when you try to use the second tunnel?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
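Tom's last question, "what Shorewall messages are you seeing", is answered by reading the kernel log lines Shorewall tags with a `Shorewall:<chain>:<disposition>:` prefix. The following is an added example (not Shorewall's code) that parses such lines and groups them by chain, disposition and interface/address pair, then flags the two patterns that matter for this thread. Assumptions, labelled in the code: the log lines are constructed (addresses are Phil's, the 203.0.113.9 and 10.9.9.9 hosts are invented), and the diagnosis rests on Shorewall 1.x chain naming, where a zone pair gets a `<src>2<dst>` chain, `all2all` is the `all all` catch-all policy, and a packet logged from a builtin chain such as FORWARD matched no zone at all.

```python
"""Added example (not Shorewall's code): parse Shorewall-prefixed kernel log
lines and summarise which chain refused which traffic.  Log lines below are
constructed for illustration."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jun  4 22:30:01 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=ipsec0 SRC=192.168.31.10 DST=192.100.20.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Jun  4 22:30:02 fw kernel: Shorewall:all2all:REJECT:IN=eth0 OUT=ipsec0 SRC=192.168.31.10 DST=192.100.20.5 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
Jun  4 22:30:05 fw kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.1.3 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=9 DF PROTO=TCP SPT=4021 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Jun  4 22:30:07 fw kernel: Shorewall:FORWARD:REJECT:IN=ipsec0 OUT=eth0 SRC=10.9.9.9 DST=192.168.31.10 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Jun  4 22:30:09 fw kernel: eth1: link up, 100Mbps, full-duplex
"""

LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

# Assumption: a log from one of the netfilter builtin chains means no zone
# pair chain matched the packet; all2all is the 'all all' policy chain.
BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT"}


def parse_line(line):
    """Return chain, disposition and KEY=value fields of a Shorewall log line,
    or None if the line is not one.  The first ID= (IP header id) wins over
    the ICMP ID= that follows it."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, val in KV_RE.findall(m.group("fields")):
        rec.setdefault(key, val)
    return rec


def summarise(log_text):
    """Count (chain, disposition, IN, OUT, SRC, DST, PROTO) so repeated
    pings collapse into one row per refused path."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disposition"], rec.get("IN", ""),
               rec.get("OUT", ""), rec["SRC"], rec["DST"], rec.get("PROTO", ""))
        counts[key] += 1
    return counts


def likely_zone_problems(counts):
    """Map each summarised row to the configuration gap it points at."""
    findings = []
    for key in counts:
        chain = key[0]
        if chain in BUILTIN_CHAINS:
            findings.append((key, "no zone matched: source or destination "
                                  "is missing from /etc/shorewall/hosts"))
        elif chain == "all2all":
            findings.append((key, "both zones known, only the all/all policy "
                                  "applies: add a policy line for this pair"))
    return findings


if __name__ == "__main__":
    counts = summarise(SAMPLE_LOG)
    for key, n in counts.items():
        print(n, key)
    for key, why in likely_zone_problems(counts):
        print(f"{key[0]}:{key[1]} {key[2]}->{key[3]} {key[4]}->{key[5]}: {why}")
```

Run against real output of `dmesg` or the system log after `shorewall clear` has been reverted with `shorewall restart`, the summary separates a tunnel whose subnet has no hosts entry (builtin-chain rejects) from one whose zones exist but lack a policy (all2all rejects), which is the distinction Tom's diagnostic steps are designed to draw out.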