Hi everyone. I am so baffled by the following problem:
Office 1 is using ADSL and it is building a VPN tunnel with IPSEC to
Office 2. Both ends are using shorewall/freeswan firewalls.
Diagram:
Office1 fw --- VPN TUNNEL --- Office2 fw --- cisco router ----- VLANS
                                  |
                                 DMZ
Office 1 has the following interfaces:
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:44:6d:97:c0 brd ff:ff:ff:ff:ff:ff
inet 210.23.146.138/30 brd 210.23.146.139 scope global eth0
inet 210.23.146.190/32 scope global eth0 (1-1 nat)
inet 210.23.146.189/32 scope global eth0 (1-1 nat)
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:44:7e:04:82 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.254/24 brd 192.168.1.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:10:dc:34:f5:46 brd ff:ff:ff:ff:ff:ff
inet 192.168.2.254/24 brd 192.168.2.255 scope global eth2
41: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:02:44:6d:97:c0 brd ff:ff:ff:ff:ff:ff
inet 210.23.146.138/30 brd 210.23.146.139 scope global ipsec0
Office 2 has the following interfaces:
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:44:7e:04:0e brd ff:ff:ff:ff:ff:ff
inet 203.221.216.106/30 brd 203.221.216.107 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:02:44:7e:04:0d brd ff:ff:ff:ff:ff:ff
inet 192.168.254.252/24 brd 192.168.254.255 scope global eth1
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/ether 00:0c:76:54:c9:c1 brd ff:ff:ff:ff:ff:ff
inet 203.221.217.161/27 brd 203.221.217.191 scope global eth2
inet 192.168.240.252/24 brd 192.168.240.255 scope global eth2:0
121: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:02:44:7e:04:0e brd ff:ff:ff:ff:ff:ff
inet 203.221.216.106/30 brd 203.221.216.107 scope global ipsec0
Eth2 at office 2 has an alias of 192.168.240.252/24 (for DMZ).
At office 2, there's a cisco router (192.168.254.254/24) using VLAN.
This router also takes care of all routing to other VLAN subnets.
From a PC at office 1, I am able to ping 192.168.240.x (the DMZ at
office 2) and also the interfaces in office 2's firewall. However, I am
not able to ping the router (192.168.254.254).
If I am logged in to office 2's firewall, I am able to ping the cisco
router.
Then, I am trying to login to a PC in one of the VLANs (192.168.5.3) from
office 2's firewall, and am able to do that. From there, I can browse
the internet through office 2's firewall. I can also ping office 2's
firewall from the 192.168.5.x VLAN. But when I am trying to:
- ping/traceroute 192.168.1.3 (a PC at office 1)
- ping/traceroute 192.168.240.190 (server in DMZ at office 2)
all packets stop at the cisco router (192.168.254.254).
Can someone give me some enlightenment?
Further info:
Both offices form a 2-node VPN (not a hub).
Office 1:
Routing:
210.23.146.136/30 dev eth0 scope link
210.23.146.136/30 dev ipsec0 proto kernel scope link src 210.23.146.138
192.168.2.0/24 dev eth2 scope link
192.168.1.0/24 dev eth1 scope link
192.168.0.0/16 via 210.23.146.137 dev ipsec0
127.0.0.0/8 dev lo scope link
default via 210.23.146.137 dev eth0
Shorewall is using one-to-one nat.
loc net ACCEPT
net all DROP ULOG
all all DROP ULOG
loc vpn ACCEPT ULOG
vpn loc ACCEPT ULOG
vpn fw ACCEPT ULOG
fw vpn ACCEPT ULOG
Office 2:
Routing:
203.221.216.104/30 dev eth0 scope link
203.221.216.104/30 dev ipsec0 proto kernel scope link src 203.221.216.106
203.221.217.160/27 dev eth2 scope link
192.168.7.0/24 via 192.168.254.254 dev eth1
192.168.23.0/24 via 192.168.254.254 dev eth1
192.168.240.0/24 dev eth2 proto kernel scope link src 192.168.240.252
192.168.5.0/24 via 192.168.254.254 dev eth1
192.168.37.0/24 via 192.168.254.254 dev eth1
192.168.3.0/24 via 192.168.254.254 dev eth1
192.168.35.0/24 via 192.168.254.254 dev eth1
192.168.1.0/24 via 203.221.216.105 dev ipsec0
192.168.17.0/24 via 192.168.254.254 dev eth1
192.168.0.0/24 via 192.168.254.254 dev eth1
192.168.15.0/24 via 192.168.254.254 dev eth1
192.168.13.0/24 via 192.168.254.254 dev eth1
192.168.250.0/24 via 192.168.254.254 dev eth1
192.168.11.0/24 via 192.168.254.254 dev eth1
192.168.27.0/24 via 192.168.254.254 dev eth1
192.168.9.0/24 via 192.168.254.254 dev eth1
192.168.25.0/24 via 192.168.254.254 dev eth1
192.168.254.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 203.221.216.105 dev eth0
Shorewall policy:
loc net ACCEPT ULOG
loc dmz ACCEPT ULOG
net fw DROP ULOG
net all DROP ULOG
all all DROP ULOG
loc vpn ACCEPT ULOG
vpn loc ACCEPT ULOG
dmz vpn ACCEPT ULOG
vpn dmz ACCEPT ULOG
fw vpn ACCEPT ULOG
vpn fw ACCEPT ULOG
Ping from PC at office 1 to office 2 firewall (successful):
Shorewall:vpn2fw:ACCEPT: IN=ipsec0 OUT=
MAC=00:02:44:7e:04:0e:00:01:64:db:74:70:08:00 SRC=192.168.1.12
DST=192.168.254.252 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=11534 SEQ=768
Ping from PC at office 1 to router(192.168.254.254) at office 2 (fail):
Shorewall:vpn2loc:ACCEPT: IN=ipsec0 OUT=eth1
MAC=00:02:44:7e:04:0e:00:01:64:db:74:70:08:00 SRC=192.168.1.12
DST=192.168.254.254 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=11790 SEQ=1024
Ping from PC at office 1 to office 2 DMZ via VPN (successful):
Shorewall:vpn2dmz:ACCEPT: IN=ipsec0 OUT=eth2
MAC=00:02:44:7e:04:0e:00:01:64:db:74:70:08:00 SRC=192.168.1.12
DST=192.168.240.165 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP
TYPE=8 CODE=0 ID=12046 SEQ=256
Ping from PC at office 1 to VLAN 192.168.5.3 at office 2 (fail):
Shorewall:vpn2loc:ACCEPT: IN=ipsec0 OUT=eth1
MAC=00:02:44:7e:04:0e:00:01:64:db:74:70:08:00 SRC=192.168.1.12
DST=192.168.5.3 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8
CODE=0 ID=12302 SEQ=512
------------------------
Lito Kusnadi, B.Sc. CCNA
System Engineer
React Solutions
(lito@reactsolutions.com)
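The following is an added worked example, not part of the post above and not code from Shorewall or FreeS/WAN. It rebuilds the Office 2 routing table and the four Shorewall ULOG lines quoted in the post as constructed inline data (the wrapped lines rejoined, a subset of the per-VLAN routes), performs the same longest-prefix-match lookup the kernel does, and checks the OUT= interface Shorewall logged against what the table predicts for each destination. The set of firewall-local addresses is taken from the posted ip addr output; all function names are this example's own.

```python
import ipaddress
import re

# Constructed input: the Office 2 routing table quoted in the post, with the
# wrapped "src" line rejoined. Only a subset of the per-VLAN routes is kept.
OFFICE2_ROUTES = """\
203.221.216.104/30 dev eth0 scope link
203.221.216.104/30 dev ipsec0 proto kernel scope link src 203.221.216.106
203.221.217.160/27 dev eth2 scope link
192.168.240.0/24 dev eth2 proto kernel scope link src 192.168.240.252
192.168.5.0/24 via 192.168.254.254 dev eth1
192.168.1.0/24 via 203.221.216.105 dev ipsec0
192.168.254.0/24 dev eth1 scope link
127.0.0.0/8 dev lo scope link
default via 203.221.216.105 dev eth0
"""

# Addresses the Office 2 firewall owns (from the posted `ip addr` output).
# Packets to these are delivered locally, so Shorewall logs an empty OUT=.
OFFICE2_LOCAL = {"203.221.216.106", "192.168.254.252",
                 "203.221.217.161", "192.168.240.252"}

# The four ULOG lines from the post, each rejoined onto a single line.
MAC = "MAC=00:02:44:7e:04:0e:00:01:64:db:74:70:08:00"
SAMPLE_LOGS = [
    "Shorewall:vpn2fw:ACCEPT: IN=ipsec0 OUT= " + MAC + " SRC=192.168.1.12 "
    "DST=192.168.254.252 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=11534 SEQ=768",
    "Shorewall:vpn2loc:ACCEPT: IN=ipsec0 OUT=eth1 " + MAC + " SRC=192.168.1.12 "
    "DST=192.168.254.254 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=11790 SEQ=1024",
    "Shorewall:vpn2dmz:ACCEPT: IN=ipsec0 OUT=eth2 " + MAC + " SRC=192.168.1.12 "
    "DST=192.168.240.165 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=12046 SEQ=256",
    "Shorewall:vpn2loc:ACCEPT: IN=ipsec0 OUT=eth1 " + MAC + " SRC=192.168.1.12 "
    "DST=192.168.5.3 LEN=84 TOS=00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP "
    "TYPE=8 CODE=0 ID=12302 SEQ=512",
]


def parse_routes(text):
    """Turn `ip route` output into (network, via, dev) triples; via=None means on-link."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        dst = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0])
        via = f[f.index("via") + 1] if "via" in f else None
        routes.append((dst, via, f[f.index("dev") + 1]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match as the kernel does it; on a tie the earlier entry wins."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)


LOG_HEAD = re.compile(r"Shorewall:(\w+):(\w+):\s*(.*)")
LOG_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line):
    """Split a Shorewall/ULOG line into chain, action and its KEY=VALUE fields.
    Bare flags such as DF carry no '='; the IP and ICMP ID fields share a key,
    so the later (ICMP) ID= value is the one kept."""
    m = LOG_HEAD.match(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    chain, action, rest = m.groups()
    return {"chain": chain, "action": action, **dict(LOG_FIELD.findall(rest))}


def audit_log_line(routes, local_addrs, line):
    """Compare the OUT= interface Shorewall logged with the routing table's verdict."""
    entry = parse_shorewall_log(line)
    dst = entry["DST"]
    if dst in local_addrs:
        expected, next_hop = "", None          # delivered to the firewall itself
    else:
        route = lookup(routes, dst)
        expected = route[2] if route else None
        next_hop = (route[1] or dst) if route else None
    return {"chain": entry["chain"], "dst": dst, "logged_out": entry.get("OUT"),
            "expected_out": expected, "next_hop": next_hop,
            "consistent": entry.get("OUT") == expected}


def audit_all(routes, local_addrs, lines):
    return [audit_log_line(routes, local_addrs, ln) for ln in lines]


if __name__ == "__main__":
    table = parse_routes(OFFICE2_ROUTES)
    for result in audit_all(table, OFFICE2_LOCAL, SAMPLE_LOGS):
        print(result)
    # Where a reply from the 192.168.5.x VLAN would go once it reaches this firewall:
    print("reply to 192.168.1.12 leaves via", lookup(table, "192.168.1.12")[1:])
```

For all four logged pings the egress interface Shorewall recorded matches the table, and the two failing destinations both resolve to next hop 192.168.254.254 on eth1, while a reply addressed to 192.168.1.12 resolves to ipsec0. The script only models the firewall's own forwarding decisions; the Cisco router's routing table is not on the page, so that is where the same lookup would have to be repeated.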