Hi everyone,

here is my IPSEC problem:

I need to connect 10 outside offices with the datacenter. Each office is connected through 2Mbit or ADSL (ADSL router) lines with the datacenter using IPSEC (freeswan) tunneling. In case the internet line fails each office can use an ISDN (ipppd) to connect. So each outside router/firewall has three interfaces: eth0 (LAN), eth1 (WAN) and ippp0 (ISDN).

The core router in the datacenter has 5 Ethernet interfaces and 8 B1 ISDN channels (ippp0 to ippp7). For the current problem only eth0 (LAN), eth1 (WAN) (this is not the default gateway; the script mentioned below will take care of the proper routing entries for the outside subnets), ippp0 and ippp1 are relevant.

On the office router/firewall a shell script is running checking the link status of the WAN interface + sending ICMP requests to the WAN interface of the datacenter router/fw. In case the link goes down or a specific amount of ICMP packets is lost the script will shut down the IPSEC tunnel and dial up using ISDN.

A second script running on the datacenter router/fw will check the dialup status of each assigned IPPP interface. In case it detects a dialup it will change the routing for the office LAN from the IPSEC device to the assigned IPPP device.

First tests (without using the script on the office routers) worked fine. We got the tunnels up and running to both test office sites. We could manually force the office test routers to switch to ISDN and the script on the datacenter router/fw to detect the dialup and change the routes as needed.

The problem started when we activated the scripts on the office routers/firewalls. It worked fine as long as iptables --LIST showed no rules and forwarding was activated (shorewall clear). As soon as the datacenter shorewall/netfilter was having rules no ICMP response was sent back to the office routers sending ICMP requests. As a result the office site scripts assumed a broken line and dialed up.
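The office-side link monitor described in the message above, written out as an added example. This is not Axel's script and not part of the thread; the peer address 81.89.239.10 and the interface names eth1/ippp0 come from the thread, while the probe count, the loss threshold, the sysfs carrier check (a 2.6-era path), the FreeS/WAN connection name and the `ipsec auto --down` / `isdnctrl dial` failover commands are assumptions to adapt. The probes are forced out of eth1 with `ping -I`, so a tunnel or routing change on the far side cannot silently redirect them and make a healthy line look dead, which is exactly how the datacenter drops in this thread triggered ISDN dialups.

```shell
#!/bin/sh
# Added example, not Axel's script: decision logic for the office router's
# WAN link monitor. Probes are forced out of eth1 with `ping -I`, so a tunnel
# or routing change cannot silently redirect them and mimic a dead line.
# Addresses and interface names follow the thread; thresholds, the sysfs
# carrier check and the failover commands are assumptions.

WAN_IF=${WAN_IF:-eth1}
ISDN_IF=${ISDN_IF:-ippp0}
PEER=${PEER:-81.89.239.10}      # WAN address of the datacenter router/fw
CONN=${CONN:-office-to-dc}      # assumed FreeS/WAN connection name
PROBES=${PROBES:-5}
MAX_LOST=${MAX_LOST:-3}         # lost probes per round that mean "line down"
INTERVAL=${INTERVAL:-30}        # seconds between rounds

# lost_probes PING_OUTPUT
# Parse the iputils ping summary ("5 packets transmitted, 2 received, ...")
# and print the number of lost probes, or -1 if no summary line is present
# (ping could not even send, e.g. the interface is gone). Takes the output
# as text so the logic can be exercised without network access.
lost_probes() {
    printf '%s\n' "$1" | awk '
        /packets transmitted/ { print $1 - $4; found = 1 }
        END { if (!found) print -1 }'
}

# should_failover LOST
# True when a round's result means the line must be treated as failed.
should_failover() {
    [ "$1" -lt 0 ] || [ "$1" -ge "$MAX_LOST" ]
}

# carrier_down: true when the kernel reports no carrier on $WAN_IF.
# (sysfs path; on kernels without it the check is simply skipped)
carrier_down() {
    [ -r "/sys/class/net/$WAN_IF/carrier" ] &&
        [ "$(cat "/sys/class/net/$WAN_IF/carrier" 2>/dev/null)" != 1 ]
}

# One monitoring round: carrier check plus a burst of probes via $WAN_IF.
line_failed() {
    carrier_down && return 0
    out=$(ping -I "$WAN_IF" -c "$PROBES" -W 1 "$PEER" 2>&1)
    should_failover "$(lost_probes "$out")"
}

# Take the tunnel down and dial the ISDN backup (commands as used by
# FreeS/WAN and isdn4linux; adapt to the local setup).
failover() {
    logger -t linkmon "WAN line to $PEER failed, switching to $ISDN_IF"
    ipsec auto --down "$CONN"
    isdnctrl dial "$ISDN_IF"
}

# Loop only when explicitly asked (MONITOR=1), so sourcing the file just
# defines the functions above.
if [ "${MONITOR:-0}" = 1 ]; then
    while :; do
        if line_failed; then
            failover
            break
        fi
        sleep "$INTERVAL"
    done
fi
```

Run it as `MONITOR=1 sh linkmon.sh` from an init script. Keeping the threshold test in its own function makes the "how many lost probes is too many" policy easy to reason about and to test separately from the network calls.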
To simplify the test environment I first of all reduced the VPN hub setup into a lan-to-lan VPN setup. As soon as I did this things worked. ICMP packets were returned correctly. So I switched back to a hub setup with following configuration on the datacenter router:

Tunnels
    ipsec   net   217.16.1.2
    ipsec   net   217.3.4.10

zones
    loc     LOCAL
    net     INET
    dial    IPPP0
    dial1   IPPP1
    vpn1    VPN1
    vpn2    VPN2

interfaces
    loc     eth0
    net     eth1
    dial    ippp0
    dial1   ippp1
    -       ipsec0

hosts
    vpn1    ipsec0:192.168.50.0/24
    vpn2    ipsec0:192.168.52.0/24

policy
    loc     vpn1    ACCEPT  INFO
    vpn1    loc     ACCEPT  INFO
    loc     vpn2    ACCEPT  INFO
    vpn2    loc     ACCEPT  INFO
    loc     dial    ACCEPT  INFO
    dial    loc     ACCEPT  INFO
    fw      net     ACCEPT  INFO
    net     fw      ACCEPT  INFO
    fw      loc     ACCEPT  INFO
    loc     fw      ACCEPT  INFO
    all     all     DROP    INFO

As you can see the above rules are rather like all all ACCEPT. I am still getting drops on OUTPUT's chain's LOG rule with IN= OUT=ipsec0 Src=81.89.239.10 dest=217.16.1.2 (src= eth0 of datacenter router, dest=eth0 of the office site). I got the same result doing ping 217.16.1.2 from the datacenter router. Doing a ping -I eth1 217.16.1.2 worked.

The only solution I found was doing

    ip route add 217.16.1.2/32 via 81.89.239.9 dev eth1

After applying this route the pings went through just fine. I already wrote a small script adding the needed routes for the 10 offices but I am wondering if I am missing an option in Shorewall which will allow me using the scripts without adding those routes.

Axel
On Mon, 2003-08-11 at 12:30, Axel@congos.net wrote:

> As you can see the above rules are rather like all all ACCEPT. I am
> still getting drops on OUTPUT's chains LOG rule with IN= OUT=ipsec0
> Src=81.89.239.10 dest=217.16.1.2. (src= eth0 of datacenter router,
> dest=eth0 of the office site).

FAQ 17 is very clear about what this means (HINT: ipsec0:217.16.1.2 isn't in any ZONE!!!!). I suspect that you can fix it by specifying the proper zone list (e.g., "vpn1,vpn2") in the GATEWAY ZONES column of the /etc/shorewall/tunnels file.

-Tom
--
Tom Eastep       \ Shorewall - iptables made easy
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Hi Tom,

Yep. The 217.16.1.2 is only in the fw zone. For me it seems that with the ipsec0 device up the eth1 device isn't used anymore by iproute2. (eth1 is bound to ipsec0).

The roadwarrior how-to states the GATEWAY zones are used when the remote vpn is just one host. In this case there is a LAN connected to the peer. This won't be a problem?

Axel

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Montag, 11. August 2003 22:05
To: Axel Westerhold
Cc: shorewall-users@lists.shorewall.net
Subject: Re: [Shorewall-users] Shorewall/ipsec problem

On Mon, 2003-08-11 at 12:30, Axel@congos.net wrote:

> As you can see the above rules are rather like all all ACCEPT. I am
> still getting drops on OUTPUT's chains LOG rule with IN= OUT=ipsec0
> Src=81.89.239.10 dest=217.16.1.2. (src= eth0 of datacenter router,
> dest=eth0 of the office site).

FAQ 17 is very clear about what this means (HINT: ipsec0:217.16.1.2 isn't in any ZONE!!!!). I suspect that you can fix it by specifying the proper zone list (e.g., "vpn1,vpn2") in the GATEWAY ZONES column of the /etc/shorewall/tunnels file.

-Tom
On Mon, 2003-08-11 at 13:16, Axel@congos.net wrote:

> Hi Tom,
>
> Yep. The 217.16.1.2 is only in the fw zone. For me it seems that with
> the ipsec0 device up the eth1 device isn't used anymore by iproute2.
> (eth1 is bound to ipsec0).
>
> The roadwarrior how-to states the GATEWAY zones are used when the remote
> vpn is just one host. In this case there is a LAN connected to the peer.
> This won't be a problem?

It's what the column is there for...

-Tom
Hi Tom,

I changed my config according to your advice this afternoon and it did not help. As a guess I keep with setting the needed host routes using the shorewall start file.

Thanks,
Axel
On Tue, 2003-08-12 at 10:42, Axel@congos.net wrote:

> Hi Tom,
>
> I changed my config according to your advice this afternoon and it did not
> help. As a guess I keep with setting the needed host routes using the
> shorewall start file.

Ok -- thanks for the update.

Now that I think about it some more, the GATEWAY ZONE(S) trick only works for a road warrior since in that case the VPN zone and the gateway address are the same. In the case where there is a network on the other end of the tunnel, you would also have to add the gateway address to the zone (in /etc/shorewall/hosts) in order for the GATEWAY ZONE entry to have any effect. That would have negative security implications which are best avoided by adding an explicit route for the gateway.

-Tom
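The explicit host route Tom recommends here, and that Axel found earlier in the thread (`ip route add 217.16.1.2/32 via 81.89.239.9 dev eth1`), as an added example of what a /etc/shorewall/start helper on the datacenter router could look like. This is not code from the thread or from Shorewall itself; the addresses, interface and next hop are the thread's, while the function names and the DRY_RUN/APPLY_ROUTES variables are this example's own. Keeping a /32 route for every remote gateway via eth1 means IKE/ESP and the office link-check pings leave on the WAN interface instead of being routed into ipsec0, where the gateway address belongs to no zone and the packets are logged and dropped, without having to widen a VPN zone to include the gateway address.

```shell
#!/bin/sh
# Added example, not from the thread: keep an explicit /32 route via the WAN
# next hop for every remote IPsec gateway, so that traffic to the gateway
# itself never gets routed into ipsec0. Intended to be called from
# /etc/shorewall/start. Addresses are the thread's; names are assumptions.

WAN_IF=${WAN_IF:-eth1}
WAN_GW=${WAN_GW:-81.89.239.9}
GATEWAYS=${GATEWAYS:-"217.16.1.2 217.3.4.10"}   # remote tunnel endpoints
DRY_RUN=${DRY_RUN:-0}

# missing_routes TABLE GATEWAY...
# TABLE is the text of `ip route show`; print each gateway that has no
# host route via $WAN_GW on $WAN_IF. Passing the table as text keeps the
# function usable (and testable) without root or a live routing table.
missing_routes() {
    table=$1
    shift
    for gw in "$@"; do
        printf '%s\n' "$table" | grep -q "^$gw via $WAN_GW dev $WAN_IF" ||
            printf '%s\n' "$gw"
    done
}

# route_commands TABLE GATEWAY...
# Print the `ip route add` commands needed for the gateways still missing.
route_commands() {
    for gw in $(missing_routes "$@"); do
        printf 'ip route add %s/32 via %s dev %s\n' "$gw" "$WAN_GW" "$WAN_IF"
    done
}

# Apply the routes to the live table (or just print them when DRY_RUN=1),
# then verify with `ip route get` that each gateway really leaves via eth1.
apply_routes() {
    table=$(ip route show) || return 1
    route_commands "$table" $GATEWAYS | while read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
    for gw in $GATEWAYS; do
        ip route get "$gw" | grep -q "dev $WAN_IF" ||
            echo "warning: $gw still not routed via $WAN_IF" >&2
    done
}

# Only touch the routing table when explicitly asked (APPLY_ROUTES=1), so
# sourcing the file from a Shorewall extension script stays side-effect free
# until apply_routes is called.
if [ "${APPLY_ROUTES:-0}" = 1 ]; then
    apply_routes
fi
```

Running it once with `DRY_RUN=1 APPLY_ROUTES=1 sh routes.sh` shows which routes would be added without changing anything; the `ip route get` check at the end is the same test Axel did by hand with `ping -I eth1`, and catches the case where a later `shorewall restart` or a tunnel bounce has removed a route again.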
I added the IP's to the hosts file like

    Vpn1    ipsec0:192.168.50.0/24,217.16.1.2
    Vpn2    ipsec0:192.168.52.0/24,217.3.3.10

I also tried to define another zone like

    Vpn1    ipsec0:192.168.50.0/24
    Vpn2    ipsec0:192.168.52.0/24
    Wan     ipsec0:81.89.239.10

Actually I did this before writing my initial email. I forgot to mention it, sorry.

You might be right though, while the chance for misconfiguration or route removal is higher this way (adding routes) it might still be the most secure way.

Axel
I forgot to say that the config in general was easier to do than I expected. This is mainly thanks to your effort to create Shorewall. I do not want to think about doing the rules manually given the 'complex' system with 12+ interfaces etc.

Axel