Hello,
I've finally managed to set up a firewall with freeswan 2.04 using the kernel crypto api (backported from kernel 2.6).

(Almost) everything seems to work fine if I disable shorewall, but packets are filtered when shorewall is active.

I've already read a past thread on the subject and I followed all the hints and it actually partially works: my lan can access the remote lan and vice versa, but I'm unable to connect to the remote lan _from_ the firewall itself.

So there I go, here are my settings on my ipsec firewall:

public ip: a.b.c.d/20
internal lan: 10.123.123.0/24
internal ip: 10.123.123.100

remote ip: x.y.z.k
remote lan: 10.0.0.0/19

zones:
vpn VPN Freeswan VPN
net Net Internet
loc Local Local networks

interfaces:
loc eth0 detect
- eth1 detect

hosts:
vpn eth1:10.0.0.0/19
net eth1:0.0.0.0/0

tunnels:
ipsec net x.y.z.k vpn

policy:
fw all ACCEPT
vpn all ACCEPT
loc all ACCEPT
net all DROP info
all all REJECT info

masq:
eth1:!10.0.0.0/19 10.123.123.0/24

So, what happens is, without the firewall, everything works fine.
But with shorewall on:
- ping works from everywhere to everywhere correctly
- my local lan can connect to remote lan correctly
- the firewall can ping remote lan but is unable to ssh on a machine on that lan

I really need the help of some expert here :)

May I provide some other useful information?

Thanks for the help,
Alex
P.S.: I'm not subscribed to the list, please CC me if you reply, thanks
you do know that if you connect two lans via two vpn gateways that the vpn gateways themselves can't connect to the other lans? you either need a second point to point tunnel for that or use some iproute2 routing tweaks. you can find more information in the freeswan documentation.

Holger

On Thu, 2004-01-15 at 15:39, Alessandro Polverini wrote:
> Hello,
> I've finally managed to set up a firewall with freeswan 2.04 using the
> kernel crypto api (backported from kernel 2.6).
>
> (Almost) everything seems to work fine if I disable shorewall, but
> packets are filtered when shorewall is active.
>
> I've already read a past thread on the subject and I followed all the
> hints and it actually partially works: my lan can access the remote
> lan and vice versa, but I'm unable to connect to the remote lan _from_ the
> firewall itself.
>
> So there I go, here are my settings on my ipsec firewall:
>
> public ip: a.b.c.d/20
> internal lan: 10.123.123.0/24
> internal ip: 10.123.123.100
>
> remote ip: x.y.z.k
> remote lan: 10.0.0.0/19
>
> zones:
> vpn VPN Freeswan VPN
> net Net Internet
> loc Local Local networks
>
> interfaces:
> loc eth0 detect
> - eth1 detect
>
> hosts:
> vpn eth1:10.0.0.0/19
> net eth1:0.0.0.0/0
>
> tunnels:
> ipsec net x.y.z.k vpn
>
> policy:
> fw all ACCEPT
> vpn all ACCEPT
> loc all ACCEPT
> net all DROP info
> all all REJECT info
>
> masq:
> eth1:!10.0.0.0/19 10.123.123.0/24
>
> So, what happens is, without the firewall, everything works fine.
> But with shorewall on:
> - ping works from everywhere to everywhere correctly
> - my local lan can connect to remote lan correctly
> - the firewall can ping remote lan but is unable to ssh on a machine on
> that lan
>
> I really need the help of some expert here :)
>
> May I provide some other useful information?
>
> Thanks for the help,
> Alex
> P.S.: I'm not subscribed to the list, please CC me if you reply, thanks
On Thursday 15 January 2004 06:39 am, Alessandro Polverini wrote:
> I really need the help of some expert here :)
>
> May I provide some other useful information?

How about showing us the log messages showing that Shorewall is blocking packets.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
On Thu, 2004-01-15 at 16:17, Tom Eastep wrote:
> On Thursday 15 January 2004 06:39 am, Alessandro Polverini wrote:
> > I really need the help of some expert here :)
> >
> > May I provide some other useful information?
>
> How about showing us the log messages showing that Shorewall is blocking
> packets.

In the logs there are no entries showing packets blocked. It seems that packets are, uh, lost?
The test I do is to ssh into a box on the remote lan.

I attach "shorewall status", hoping this helps.
I'm no expert here, anyway I see the lines:

tcp 6 62 SYN_SENT src=10.123.123.100 dst=10.0.5.111 sport=1028 dport=22 [UNREPLIED] src=10.0.5.111 dst=10.123.123.100 sport=22 dport=1028 use=1

unknown 50 379 src=x.y.z.k dst=a.b.c.d [UNREPLIED] src=a.b.c.d dst=x.y.z.k use=1

and the second one seems the problem to me: maybe shorewall is not passing the ipsec packet to the correct layer because it's unknown to it?

x.y.z.k is the remote ipsec gw public ip, while a.b.c.d is my public ip (sorry to hide real numbers, please reply privately if you need them).

Any help will be appreciated :)

Alex
On Thursday 15 January 2004 08:10 am, Alessandro Polverini wrote:
> On Thu, 2004-01-15 at 16:17, Tom Eastep wrote:
> > On Thursday 15 January 2004 06:39 am, Alessandro Polverini wrote:
> > > I really need the help of some expert here :)
> > >
> > > May I provide some other useful information?
> >
> > How about showing us the log messages showing that Shorewall is blocking
> > packets.
>
> In the logs there are no entries showing packets blocked. It seems that
> packets are, uh, lost?
> The test I do is to ssh into a box on the remote lan.
>
> I attach "shorewall status", hoping this helps.
> I'm no expert here, anyway I see the lines:
>
> tcp 6 62 SYN_SENT src=10.123.123.100 dst=10.0.5.111 sport=1028
> dport=22 [UNREPLIED] src=10.0.5.111 dst=10.123.123.100 sport=22
> dport=1028 use=1
>
> unknown 50 379 src=x.y.z.k dst=a.b.c.d [UNREPLIED] src=a.b.c.d
> dst=x.y.z.k use=1
>
> and the second one seems the problem to me: maybe shorewall is not
> passing the ipsec packet to the correct layer because it's unknown to
> it?

Both are problems. The first means that the SYN packet was sent and there has been no SYN,ACK received in return. The second is a similar problem with protocol 50.

You might set NEWNOTSYN=Yes in shorewall.conf to see if that makes any difference. If it does, I would suspect that it means that traffic is going through the tunnel in one direction but not in the other direction.

> x.y.z.k is the remote ipsec gw public ip, while a.b.c.d is my public ip
> (sorry to hide real numbers, please reply privately if you need them).
>
> Any help will be appreciated :)

As Don Cowart just posted, when you are on the bleeding edge it does little good to ask for help. Only people who are out there bleeding with you have any chance of giving you aid. I don't know how crypto API works -- I don't have any experience with it. I further don't have time to experiment with it and won't have such time in the foreseeable future.

So for those of you who are trying to use it, I'm afraid that you are on your own.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
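As an added example (not part of the thread and not Shorewall's own code), a small parser for the ip_conntrack-style lines that "shorewall status" prints, which flags entries still marked [UNREPLIED] the way Tom reads them above. The sample lines are constructed after the two Alex posted plus one healthy session for contrast, and the protocol-number table is an assumption based on the IANA numbers.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: IANA protocol numbers; a 2.4 conntrack table prints protocols
# it has no helper for (such as ESP) under the name "unknown".
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}

# Constructed sample modelled on the two lines quoted in the thread, plus a
# healthy established session for contrast (not real captured data).
SAMPLE = """\
tcp      6 62 SYN_SENT src=10.123.123.100 dst=10.0.5.111 sport=1028 dport=22 [UNREPLIED] src=10.0.5.111 dst=10.123.123.100 sport=22 dport=1028 use=1
unknown  50 379 src=x.y.z.k dst=a.b.c.d [UNREPLIED] src=a.b.c.d dst=x.y.z.k use=1
tcp      6 431999 ESTABLISHED src=10.123.123.5 dst=10.0.5.111 sport=2000 dport=22 src=10.0.5.111 dst=10.123.123.5 sport=22 dport=2000 [ASSURED] use=1
"""
# name, protocol number, timeout, optional state (TCP only), then the tuples.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\d+)\s+(?P<ttl>\d+)\s+"
                     r"(?:(?P<state>[A-Z_]+)\s+)?(?P<rest>.*)$")

@dataclass
class Entry:
    proto: int
    state: str        # TCP state, or "-" for stateless protocols
    src: str          # original direction, i.e. the side conntrack saw first
    dst: str
    unreplied: bool   # no packet matching the reply tuple has been seen yet

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"proto-{self.proto}")

def parse_conntrack(text: str) -> List[Entry]:
    """Parse ip_conntrack-style lines; anything not in that format is skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        src = re.search(r"src=(\S+)", rest).group(1)   # first tuple = original dir
        dst = re.search(r"dst=(\S+)", rest).group(1)
        entries.append(Entry(int(m.group("proto")), m.group("state") or "-",
                             src, dst, "[UNREPLIED]" in rest))
    return entries

def one_way_flows(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Flows seen in one direction only. An ESP entry here means encrypted
    traffic was seen from src to dst but nothing came back the other way."""
    return [(e.proto_name, e.src, e.dst) for e in entries if e.unreplied]
```

Running it over the sample reports the SYN_SENT ssh attempt and the protocol 50 entry as one-way, and leaves the established session alone.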