Shorewall users - Jan 2004 - shorewall, freeswan and kernel crypto-api

Hello,
I''ve finally managed to setup a firewall with freeswan 2.04 using the
kernel crypto api (backported from kernel 2.6).
 
(Almost) everything seems to work fine if I disable shorewall, but
packets are filtered whe shorewall is active.

I''ve already read a past thread on the subject and I followed all the
hints and it actually partially works: my lan I can access the remote
lan and viceversa, but I''m unable to connect the remote lan _from_ the
firewall itself.

So there I go, here are my settings on my ipsec firewall:
 
public ip: a.b.c.d/20
internal lan: 10.123.123.0/24
internal ip: 10.123.123.100

remote ip: x.y.z.k
remote lan: 10.0.0.0/19

zones:
vpn     VPN             Freeswan VPN
net     Net             Internet
loc     Local           Local networks

interfaces:
loc     eth0    detect
-       eth1    detect

hosts:
vpn     eth1:10.0.0.0/19
net     eth1:0.0.0.0/0

tunnels:
ipsec           net     x.y.z.k            vpn

policy:
fw              all             ACCEPT
vpn             all             ACCEPT
loc             all             ACCEPT
net             all             DROP            info
all             all             REJECT          info

masq:
eth1:!10.0.0.0/19       10.123.123.0/24

So, what happens is, without the firewall, everything works fine.
But with shorewall on:
- ping works from everywhere to everywhere correctly
- my local lan can connect to remote lan correctly
- the firewall can ping remote lan but is unable to ssh on machine on
that lan

I really need the help of some expert here :)

May I provide some other useful information?

Thanks for the help,
Alex
P.S.: I''m not subscribed to the list, please CC me if you reply, thanks

you do know that if you connect two lans via two vpn gateways that the
vpn gateways themself cant connect to the other lans ? you either need a
second point to point tunnel for that or use some iproute2 routing
tweaks. you can find more information in the freeswan documentation.

Holger

On Thu, 2004-01-15 at 15:39, Alessandro Polverini wrote:
> Hello,
> I''ve finally managed to setup a firewall with freeswan 2.04 using
the
> kernel crypto api (backported from kernel 2.6).
>  
> (Almost) everything seems to work fine if I disable shorewall, but
> packets are filtered whe shorewall is active.
> 
> I''ve already read a past thread on the subject and I followed all
the
> hints and it actually partially works: my lan I can access the remote
> lan and viceversa, but I''m unable to connect the remote lan _from_
the
> firewall itself.
> 
> So there I go, here are my settings on my ipsec firewall:
>  
> public ip: a.b.c.d/20
> internal lan: 10.123.123.0/24
> internal ip: 10.123.123.100
> 
> remote ip: x.y.z.k
> remote lan: 10.0.0.0/19
> 
> zones:
> vpn     VPN             Freeswan VPN
> net     Net             Internet
> loc     Local           Local networks
> 
> interfaces:
> loc     eth0    detect
> -       eth1    detect
> 
> hosts:
> vpn     eth1:10.0.0.0/19
> net     eth1:0.0.0.0/0
> 
> tunnels:
> ipsec           net     x.y.z.k            vpn
> 
> policy:
> fw              all             ACCEPT
> vpn             all             ACCEPT
> loc             all             ACCEPT
> net             all             DROP            info
> all             all             REJECT          info
> 
> masq:
> eth1:!10.0.0.0/19       10.123.123.0/24
> 
> So, what happens is, without the firewall, everything works fine.
> But with shorewall on:
> - ping works from everywhere to everywhere correctly
> - my local lan can connect to remote lan correctly
> - the firewall can ping remote lan but is unable to ssh on machine on
> that lan
> 
> I really need the help of some expert here :)
> 
> May I provide some other useful information?
> 
> Thanks for the help,
> Alex
> P.S.: I''m not subscribed to the list, please CC me if you reply,
thanks
> 
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

On Thursday 15 January 2004 06:39 am, Alessandro Polverini wrote:
>
> I really need the help of some expert here :)
>
> May I provide some other useful information?
How about showing us the log messages showing that Shorewall is blocking 
packets.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net

On Thu, 2004-01-15 at 16:17, Tom Eastep wrote:
> On Thursday 15 January 2004 06:39 am, Alessandro Polverini wrote:
> 
> >
> > I really need the help of some expert here :)
> >
> > May I provide some other useful information?
> 
> How about showing us the log messages showing that Shorewall is blocking 
> packets.
In the logs there are no entries showing packets blocked. It seems that
packed are, uh, lost?
The test I do is to ssh into a box on the remote lan.

I attach "shorewall status", hoping this helps.
I''m no expert here, anyway I see the lines:

tcp      6 62 SYN_SENT src=10.123.123.100 dst=10.0.5.111 sport=1028
dport=22 [UNREPLIED] src=10.0.5.111 dst=10.123.123.100 sport=22
dport=1028 use=1

unknown  50 379 src=x.y.z.k dst=a.b.c.d [UNREPLIED] src=a.b.c.d
dst=x.y.z.k use=1

and the second one seems the problem to me: maybe shorewall is not
passing the ipsec packet to the correct layer because it''s unknown for
him?

x.y.z.k is the remote ipsec gw public ip, while a.b.c.d is my public ip
(sorry to hide real numbers, please reply privately if you need them).

Any help will be appreciated :)

Alex

On Thursday 15 January 2004 08:10 am, Alessandro Polverini
wrote:
> On Thu, 2004-01-15 at 16:17, Tom Eastep wrote:
> > On Thursday 15 January 2004 06:39 am, Alessandro Polverini wrote:
> > > I really need the help of some expert here :)
> > >
> > > May I provide some other useful information?
> >
> > How about showing us the log messages showing that Shorewall is
blocking
> > packets.
>
> In the logs there are no entries showing packets blocked. It seems that
> packed are, uh, lost?
> The test I do is to ssh into a box on the remote lan.
>
> I attach "shorewall status", hoping this helps.
> I''m no expert here, anyway I see the lines:
>
> tcp      6 62 SYN_SENT src=10.123.123.100 dst=10.0.5.111 sport=1028
> dport=22 [UNREPLIED] src=10.0.5.111 dst=10.123.123.100 sport=22
> dport=1028 use=1
>
> unknown  50 379 src=x.y.z.k dst=a.b.c.d [UNREPLIED] src=a.b.c.d
> dst=x.y.z.k use=1
>
> and the second one seems the problem to me: maybe shorewall is not
> passing the ipsec packet to the correct layer because it''s unknown
for
> him?
Both are problems. The first means that the SYN packet was sent and there has 
been no SYN,ACK received in return. The second is a similar problem with 
protocol 50.

You might set NEWNOTSYN=Yes in shorewall.conf to see if that makes any 
difference. If it does, I would suspect that it means that traffic is going 
through the tunnel in one direction but not in the other direction.
>
> x.y.z.k is the remote ipsec gw public ip, while a.b.c.d is my public ip
> (sorry to hide real numbers, please reply privately if you need them).
>
> Any help will be appreciated :)
As Don Cowart just posted, when you are on the bleeding edge it does little 
good to ask for help. Only people who are out there bleeding with you have 
any chance of giving you aid.

I don''t know how crypto API works -- I don''t have any
experience with it. I
further don''t have time to experiment with it and won''t have
such time in the
forseeable future.

So for those of you who are trying to use it, I''m afraid that you are
on your
own.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net