Hi, I am experimenting with the ipsec support built into the linux 2.6 kernel (using a backport of the 2.6 ipsec stack to 2.4.22). The vpn side of things is working fine but I'm having some problems with shorewall since this ipsec implementation doesn't use a dedicated device for decrypted traffic (i.e. ipsec0 or tun0).

Here's a tcpdump showing traffic on my external interface (ppp0):

    tcpdump: listening on ppp0
    20:21:59.439357 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4b)
    20:21:59.439357 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
    20:22:00.438199 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4c)
    20:22:00.438199 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
    20:22:01.437490 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4d)
    20:22:01.437490 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)

The decrypted traffic is being denied since it's recognized as part of my net zone, instead of as part of my vpn zone:

    Dec 11 20:27:03 torridon kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth0 SRC=10.42.42.2 DST=10.142.254.1 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5389 SEQ=2304

Here's how I've tried to set it up ...

/etc/shorewall/zones:

    net     Net     Internet
    loc     Local   Local networks
    vpn     VPN     Office LAN

/etc/shorewall/interfaces:

    -       ppp0
    loc     eth0    detect

/etc/shorewall/hosts:

    # This just doesn't feel right
    vpn     ppp0:10.42.42.0/24
    net     ppp0:0.0.0.0/0

/etc/shorewall/tunnels:

    generic:esp     net     remote_gw       # remote_gw is really IP address

Does anyone have any ideas? I've looked at all of the tunnelling examples that I can find in the docs but none of them seem to quite fit this situation. I've manually "fixed" shorewall for now by adding the following rule to /etc/shorewall/start:

    run_iptables -I net2all 3 -i ppp0 -o eth0 -s 10.42.42.0/24 \
        -d 10.142.254.0/24 -j ACCEPT

If anyone thinks they can help me out with this I'd be happy to include more information on my config.

My apologies if I've missed an FAQ or something obvious in the docs.

Thanks!

-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                       Debian GNU/Linux
On Thu, 11 Dec 2003, Fraser Campbell wrote:

> I am experimenting with the ipsec support built into the linux 2.6 kernel
> (using a backport of the 2.6 ipsec stack to 2.4.22). The vpn side of things
> is working fine but I'm having some problems with shorewall since this ipsec
> implementation doesn't use a dedicated device for decrypted traffic (i.e.
> ipsec0 or tun0).
>

A couple of thoughts:

a) Those who choose to lead the way should lead -- you are running a 2.6 kernel so you should be telling the rest of us about problem *solutions*.

b) We've visited this problem already in the last couple of weeks -- please check the archives.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
On December 11, 2003 10:12 pm, Tom Eastep wrote:

> a) Those who choose to lead the way should lead -- you are running a 2.6
> kernel so you should be telling the rest of us about problem *solutions*.
>
> b) We've visited this problem already in the last couple of weeks --
> please check the archives.

Thanks, htdig wasn't finding 2.6 in my archive searches for some reason, manually scanning the archives found the relevant thread for me. I've changed the zone ordering for now and that has solved the issue. I'll see if I can come up with a more elegant solution.

-- 
Fraser Campbell <fraser@wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                       Debian GNU/Linux
On Thu, 2003-12-11 at 22:51, Fraser Campbell wrote:

> On December 11, 2003 10:12 pm, Tom Eastep wrote:
>
> > a) Those who choose to lead the way should lead -- you are running a 2.6
> > kernel so you should be telling the rest of us about problem *solutions*.
> >
> > b) We've visited this problem already in the last couple of weeks --
> > please check the archives.
>
> Thanks, htdig wasn't finding 2.6 in my archive searches for some reason,
> manually scanning the archives found the relevant thread for me. I've changed
> the zone ordering for now and that has solved the issue. I'll see if I can
> come up with a more elegant solution.

Here's what I did on one side to enable 2.6 IPSEC to operate correctly (eth0 is external, eth1 is internal intf):

interfaces:

    -       eth0    detect  dhcp,blacklist
    loc     eth1    detect  dhcp

hosts:

    vpn     eth0:172.16.100.0/24
    net     eth0:0.0.0.0/0

masq:

    eth0:!172.16.100.0/24   192.168.1.0/24

policy:

    vpn     loc     ACCEPT
    loc     vpn     ACCEPT

tunnels:

    ipsec   net     <rem gw ip>     vpn

When I was experimenting with it, the biggest trick seemed to be the hosts entries and the negated masq line so that packets weren't natted across the vpn.
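As an added illustration (not code from this thread or from Shorewall itself), here is a simplified Python model of the zone-ordering point raised in the two messages above: Shorewall 1.4 tries zones in zones-file order and a packet lands in the first zone whose interfaces or hosts entry matches it, so with the vpn subnet sitting inside net's 0.0.0.0/0 the vpn zone has to be listed before net. It reuses the hosts entries and the dropped-packet log line from the first message; the matching model, the function names and the extra sample addresses are assumptions made here.

```python
# Added example, not from the thread or from Shorewall itself: a simplified
# model of Shorewall 1.4 zone matching, where zones are tried in zones-file
# order and a packet lands in the first zone whose interfaces or hosts entry
# matches, so a subzone (vpn) must be listed before its superzone (net).
import ipaddress
import re

ZONES_AS_POSTED = ["net", "loc", "vpn"]  # order in Fraser's zones file
ZONES_FIXED = ["vpn", "net", "loc"]       # vpn moved ahead of net

# interfaces file: zone -> interface (ppp0 has "-", i.e. no zone of its own)
INTERFACES = {"loc": "eth0"}

# hosts file entries as (zone, interface, network), in file order
HOSTS = [
    ("vpn", "ppp0", "10.42.42.0/24"),
    ("net", "ppp0", "0.0.0.0/0"),
]

# Copy of the Shorewall log line quoted in the first message (constructed here).
LOG_LINE = ("Dec 11 20:27:03 torridon kernel: Shorewall:net2all:DROP:IN=ppp0 "
            "OUT=eth0 SRC=10.42.42.2 DST=10.142.254.1 LEN=84 TOS=0x00 PREC=0x00 "
            "TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5389 SEQ=2304")

LOG_RE = re.compile(r"\bIN=(?P<iface>\S+).*?\bSRC=(?P<src>\d+(?:\.\d+){3})")

def parse_log(line):
    """Return (ingress interface, source address) from a Shorewall log line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    return m.group("iface"), m.group("src")

def zone_for(iface, src, zone_order):
    """First zone in zone_order claiming iface/src, or None if nothing matches."""
    addr = ipaddress.ip_address(src)
    for zone in zone_order:
        if INTERFACES.get(zone) == iface:          # whole-interface zone
            return zone
        for z, z_iface, net in HOSTS:              # hosts-file subnets
            if z == zone and z_iface == iface and addr in ipaddress.ip_network(net):
                return zone
    return None

def classify(line, zone_order):
    """Zone the logged packet gets under zone_order: 'net' as posted, 'vpn' fixed."""
    iface, src = parse_log(line)
    return zone_for(iface, src, zone_order)
```

With the posted order the decrypted ICMP packet is classified as net and falls into the net2all chain seen in the log; with vpn listed first it is classified as vpn and the vpn->loc policy applies.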
On Friday 12 December 2003 04:25 am, David T Hollis wrote:

>
> Here's what I did on one side to enable 2.6 IPSEC to operate correctly
> (eth0 is external, eth1 is internal intf):
>

Once we have completed the HTML->Docbook conversion of the documentation, I will update the IPSEC docs to include this information.

Thanks,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net