Hi all,

I hate IPSEC. That said, I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I used to NAT an external public IP to a private local IP and use rules to ACCEPT protocol 50 (esp) and udp/500 from the remote IPSEC server to the local box and vice-versa. It worked. The files affected and lines related are:

NAT file:

###
# NAT TO IPSEC TUNNEL
#
200.173.215.67    eth0    192.168.231.150    NO    NO

rules file:

# rules to IPSEC TUNNEL Traffic
#
ACCEPT    net:200.205.145.83     dmz:192.168.231.150    50     -
ACCEPT    dmz:192.168.231.150    net:200.205.145.83     50     -
ACCEPT    net:200.205.145.83     dmz:192.168.231.150    udp    500
ACCEPT    dmz:192.168.231.150    net:200.205.145.83     udp    500

Last week I started upgrading/reinstalling this firewall in the new 2.0.1 version and suddenly the tunnel does not work any more with the same rules. If I tcpdump the external interface I get:

shorewall]# tcpdump -i eth0 host 200.205.145.83
tcpdump: listening on eth0
12:12:55.385384 200.205.145.83 > 200.173.215.67: ESP(spi=0x971760a6,seq=0x8)
12:12:55.385700 200.173.215.67 > 200.205.145.83: icmp: 200.173.215.67 protocol 50 unreachable [tos 0xc0]
12:12:56.652594 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x5)

and from the internal interface:

shorewall]# tcpdump -i eth1 host 200.205.145.83
tcpdump: listening on eth1
12:17:36.653647 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x21)
12:17:46.653826 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x22)

The rules and nat files were not modified. Can someone help me?

TIA,
________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
Eduardo Ferreira wrote:
> Hi all,
>
> I hate IPSEC. That said,
>
> I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I used
> to NAT an external public IP to a private local IP and use rules to ACCEPT
> protocol 50 (esp) and udp/500 from the remote IPSEC server to the local
> box and vice-versa. It worked. The files affected and lines related are:
> NAT file:
> ###
> # NAT TO IPSEC TUNNEL
> #
> 200.173.215.67    eth0    192.168.231.150    NO    NO
> rules file:
> # rules to IPSEC TUNNEL Traffic
> #
> ACCEPT    net:200.205.145.83     dmz:192.168.231.150    50     -
> ACCEPT    dmz:192.168.231.150    net:200.205.145.83     50     -
> ACCEPT    net:200.205.145.83     dmz:192.168.231.150    udp    500
> ACCEPT    dmz:192.168.231.150    net:200.205.145.83     udp    500
> Last week I started upgrading/reinstalling this firewall in the new 2.0.1
> version and suddenly the tunnel does not work any more with the same
> rules. If I tcpdump the external interface I get:
> shorewall]# tcpdump -i eth0 host 200.205.145.83
> tcpdump: listening on eth0
> 12:12:55.385384 200.205.145.83 > 200.173.215.67: ESP(spi=0x971760a6,seq=0x8)
> 12:12:55.385700 200.173.215.67 > 200.205.145.83: icmp: 200.173.215.67 protocol 50 unreachable [tos 0xc0]
> 12:12:56.652594 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x5)
> and from the internal interface:
> shorewall]# tcpdump -i eth1 host 200.205.145.83
> tcpdump: listening on eth1
> 12:17:36.653647 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x21)
> 12:17:46.653826 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x22)
>
> The rules and nat files were not modified. Can someone help me?

What Shorewall messages are you seeing?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
> Eduardo Ferreira wrote:
>
>> Hi all,
>>
>> I hate IPSEC. That said,
>> I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I
>> used to NAT an external public IP to a private local IP and use rules
>> to ACCEPT protocol 50 (esp) and udp/500 from the remote IPSEC server
>> to the local box and vice-versa. It worked. The files affected and
>> lines related are:
>> NAT file:
>> ###
>> # NAT TO IPSEC TUNNEL
>> #
>> 200.173.215.67    eth0    192.168.231.150    NO    NO
>> rules file:
>> # rules to IPSEC TUNNEL Traffic
>> #
>> ACCEPT    net:200.205.145.83     dmz:192.168.231.150    50     -
>> ACCEPT    dmz:192.168.231.150    net:200.205.145.83     50     -
>> ACCEPT    net:200.205.145.83     dmz:192.168.231.150    udp    500
>> ACCEPT    dmz:192.168.231.150    net:200.205.145.83     udp    500
>> Last week I started upgrading/reinstalling this firewall in the new
>> 2.0.1 version and suddenly the tunnel does not work any more with the
>> same rules. If I tcpdump the external interface I get:
>> shorewall]# tcpdump -i eth0 host 200.205.145.83
>> tcpdump: listening on eth0
>> 12:12:55.385384 200.205.145.83 > 200.173.215.67: ESP(spi=0x971760a6,seq=0x8)
>> 12:12:55.385700 200.173.215.67 > 200.205.145.83: icmp: 200.173.215.67 protocol 50 unreachable [tos 0xc0]
>> 12:12:56.652594 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x5)
>> and from the internal interface:
>> shorewall]# tcpdump -i eth1 host 200.205.145.83
>> tcpdump: listening on eth1
>> 12:17:36.653647 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x21)
>> 12:17:46.653826 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x22)
>>
>> The rules and nat files were not modified. Can someone help me?
>
>
> What Shorewall messages are you seeing?
>

If you are not seeing any messages, please follow the instructions at http://shorewall.net/support.htm in the paragraph that begins "THIS IS IMPORTANT!" in bold font and forward the results.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Eduardo Ferreira wrote:
> Hi all,
>
> I hate IPSEC. That said,
>
> I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I used
> to NAT an external public IP to a private local IP and use rules to ACCEPT
> protocol 50 (esp) and udp/500 from the remote IPSEC server to the local
> box and vice-versa. It worked. The files affected and lines related are:
> NAT file:
> ###
> # NAT TO IPSEC TUNNEL
> #
> 200.173.215.67    eth0    192.168.231.150    NO    NO

If you really have 'NO' in your file, Shorewall should be giving you a startup error.

Is Shorewall really starting ("shorewall show shorewall" does not produce an error when Shorewall is started)?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote on 10/05/2004 12:56:03:
> Eduardo Ferreira wrote:
> > Hi all,
> >
> > I hate IPSEC. That said,
> >
> > I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I used
> > to NAT an external public IP to a private local IP and use rules to ACCEPT
> > protocol 50 (esp) and udp/500 from the remote IPSEC server to the local
> > box and vice-versa. It worked. The files affected and lines related are:
> > NAT file:
> > ###
> > # NAT TO IPSEC TUNNEL
> > #
> > 200.173.215.67    eth0    192.168.231.150    NO    NO
>
> If you really have 'NO' in your file, Shorewall should be giving you a
> startup error.

No, the 'NO' in the nat files was from the previous version. Now they read 'No' - this one I learned last month during my first firewall reinstallation ;-)

> Is Shorewall really starting ("shorewall show shorewall" does not
> produce an error when Shorewall is started)?

No, I can't see any Shorewall messages. I can't issue a shorewall clear because I would lose the nat translation.

3). Here goes the information asked for in "asking support":

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
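The exchange above turns on a one-character difference in the nat file ('NO' from the 1.4.x install versus 'No' accepted by 2.0.1). The following checker is an added example, not code from the thread or from Shorewall itself: it parses a nat file and reports column values that would not be accepted. It assumes the five-column layout EXTERNAL, INTERFACE, INTERNAL, ALL INTERFACES, LOCAL, and that the last two columns accept only 'Yes', 'No' or '-'; the thread itself establishes only that 'NO' fails at startup and 'No' works.

```python
"""Sanity-check a Shorewall-style nat file before restarting the firewall.

Assumed column layout (not shown in full in the thread):
    EXTERNAL  INTERFACE  INTERNAL  [ALL INTERFACES]  [LOCAL]
The thread establishes that 'NO' is rejected at startup and 'No' is accepted;
'-' is accepted here as an assumed "use the default" value.
"""
import ipaddress
import re

YES_NO = {"Yes", "No", "-"}          # accepted spellings (assumption, see above)
IFACE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.:+-]*")


def check_nat_file(text):
    """Return a list of (line_number, message) for every problem found.

    Comments (#...) and blank lines are ignored, so the file can be checked
    exactly as it is installed."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/full-line comments
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3 or len(cols) > 5:
            problems.append((lineno, f"expected 3 to 5 columns, got {len(cols)}"))
            continue
        external, iface, internal = cols[:3]
        # EXTERNAL and INTERNAL must be plain IPv4 addresses.
        for name, value in (("EXTERNAL", external), ("INTERNAL", internal)):
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append((lineno, f"{name} is not an IPv4 address: {value!r}"))
        if not IFACE_RE.fullmatch(iface):
            problems.append((lineno, f"INTERFACE looks malformed: {iface!r}"))
        # The optional ALL INTERFACES and LOCAL columns are case-sensitive.
        for name, value in zip(("ALL INTERFACES", "LOCAL"), cols[3:]):
            if value not in YES_NO:
                hint = ""
                if value.lower() in ("yes", "no"):
                    hint = " (case matters: write 'Yes' or 'No')"
                problems.append((lineno, f"{name} must be Yes/No, got {value!r}{hint}"))
    return problems


# Constructed samples mirroring the two versions of the entry from the thread.
OLD_NAT = """\
###
# NAT TO IPSEC TUNNEL
#
200.173.215.67 eth0 192.168.231.150 NO NO
"""

NEW_NAT = """\
###
# NAT TO IPSEC TUNNEL
#
200.173.215.67 eth0 192.168.231.150 No No
"""

if __name__ == "__main__":
    for label, content in (("old", OLD_NAT), ("new", NEW_NAT)):
        found = check_nat_file(content)
        print(f"{label}: {'OK' if not found else ''}")
        for lineno, msg in found:
            print(f"  line {lineno}: {msg}")
```

Run it against /etc/shorewall/nat before a restart; an empty result means the entry at least has the right shape, which is cheaper to learn from a script than from a firewall that comes up without its NAT rules.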
Eduardo Ferreira wrote:
> Tom Eastep wrote on 10/05/2004 12:56:03:
>
>> Eduardo Ferreira wrote:
>>
>>> Hi all,
>>>
>>> I hate IPSEC. That said,
>>>
>>> I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I used
>>> to NAT an external public IP to a private local IP and use rules to ACCEPT
>>> protocol 50 (esp) and udp/500 from the remote IPSEC server to the local
>>> box and vice-versa. It worked. The files affected and lines related are:
>>> NAT file:
>>> ###
>>> # NAT TO IPSEC TUNNEL
>>> #
>>> 200.173.215.67    eth0    192.168.231.150    NO    NO
>>
>> If you really have 'NO' in your file, Shorewall should be giving you a
>> startup error.
>
> No, the 'NO' in the nat files was from the previous version. Now they
> read 'No' - this one I learned last month during my first firewall
> reinstallation ;-)
>
>> Is Shorewall really starting ("shorewall show shorewall" does not
>> produce an error when Shorewall is started)?
>
> No, I can't see any Shorewall messages. I can't issue a shorewall clear
> because I would lose the nat translation.
>
> 3). Here goes the information asked for in "asking support":
>

Regrettably, I don't see anything wrong with the Netfilter ruleset or with the routing. In fact, the Netfilter connection tracking table shows:

unknown  50 597 src=200.205.145.83 dst=200.173.215.67 src=192.168.231.150 dst=200.205.145.83 use=1

I notice two things in the original output that you forwarded:

> shorewall]# tcpdump -i eth0 host 200.205.145.83
> tcpdump: listening on eth0
> 12:12:55.385384 200.205.145.83 > 200.173.215.67: ESP(spi=0x971760a6,seq=0x8)
> 12:12:55.385700 200.173.215.67 > 200.205.145.83: icmp: 200.173.215.67 protocol 50 unreachable [tos 0xc0]
> 12:12:56.652594 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x5)

1) Shorewall doesn't generate "protocol unreachable" ICMP responses. So the IP stack on the firewall is generating that response.

2) The last packet shows the endpoint in the DMZ sending ESP packets but SNAT isn't being applied. Not sure if this is an artifact of the way that tcpdump captures output, but it looks like somehow the output is bypassing SNAT. According to the "shorewall status" output, that doesn't seem possible.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote:
>
> I notice two things in the original output that you forwarded:
>
> > shorewall]# tcpdump -i eth0 host 200.205.145.83
> > tcpdump: listening on eth0
> > 12:12:55.385384 200.205.145.83 > 200.173.215.67: ESP(spi=0x971760a6,seq=0x8)
> > 12:12:55.385700 200.173.215.67 > 200.205.145.83: icmp: 200.173.215.67 protocol 50 unreachable [tos 0xc0]
> > 12:12:56.652594 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x5)
>
> 1) Shorewall doesn't generate "protocol unreachable" ICMP responses. So
> the IP stack on the firewall is generating that response.
>
> 2) The last packet shows the endpoint in the DMZ sending ESP packets but
> SNAT isn't being applied. Not sure if this is an artifact of the way
> that tcpdump captures output, but it looks like somehow the output is
> bypassing SNAT. According to the "shorewall status" output, that doesn't
> seem possible.
>

It might be useful to see the output of "tcpdump -ni any host 200.205.145.83" during a connection attempt.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep wrote on 10/05/2004 14:29:58:
> Eduardo Ferreira wrote:
> > Tom Eastep wrote on 10/05/2004 12:56:03:
> >>Eduardo Ferreira wrote:
> >>
> >>>Hi all,
> >>>
> >>>I hate IPSEC. That said,
> >>>
> >>>I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I
>> [... snip ...]
> I notice two things in the original output that you forwarded:
>
> > shorewall]# tcpdump -i eth0 host 200.205.145.83
> > tcpdump: listening on eth0
> > 12:12:55.385384 200.205.145.83 > 200.173.215.67: ESP(spi=0x971760a6,seq=0x8)
> > 12:12:55.385700 200.173.215.67 > 200.205.145.83: icmp: 200.173.215.67 protocol 50 unreachable [tos 0xc0]
> > 12:12:56.652594 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x5)
>
> 1) Shorewall doesn't generate "protocol unreachable" ICMP responses. So
> the IP stack on the firewall is generating that response.

I noticed it too. Can't see it in the internal interface though.

> 2) The last packet shows the endpoint in the DMZ sending ESP packets but
> SNAT isn't being applied. Not sure if this is an artifact of the way
> that tcpdump captures output, but it looks like somehow the output is
> bypassing SNAT. According to the "shorewall status" output, that doesn't
> seem possible.

Idem ibidem.

I am booting the firewall now. As an old Windows warrior, booting a box is almost irresistible.

Thanks, and let's wait...

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
Eduardo Ferreira wrote on 10/05/2004 14:41:59:
> Tom Eastep wrote on 10/05/2004 14:29:58:
> > Eduardo Ferreira wrote:
> > > Tom Eastep wrote on 10/05/2004 12:56:03:
> > >>Eduardo Ferreira wrote:
> > >>
> > >>>I hate IPSEC. That said,
> > >>>
> > >>>I have an IPSEC box inside a DMZ intermediate zone. Back in 1.4.8 I
> >> [... snip ...]

After the boot, the tcpdump seems normal. The .150 doesn't appear in the external interface (eth0) and there are no "icmp: protocol 50 unreachable" messages in the tcpdump. Unfortunately, the traffic is still down... Here goes the output from tcpdump -ni any host 200.205.145.83:

[root@fwdmzatt etc]# tcpdump -ni any host 200.205.145.83
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any
15:15:11.437858 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x73)
15:15:11.503253 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf6)
15:15:14.962727 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf7)
15:15:16.300635 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf8)
15:15:20.506943 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf9)
15:15:21.437888 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x74)
15:15:25.856622 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xfa)
15:15:31.435947 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x75)
15:15:36.050993 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xfb)
15:15:37.878714 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xfc)

Well, thanks for your time. I think I don't have anything else left on my side to be done. I will wait for my counterpart to come back from lunch so that I can make more tests.

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
Eduardo Ferreira wrote:
> [root@fwdmzatt etc]# tcpdump -ni any host 200.205.145.83
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any
> 15:15:11.437858 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x73)
> 15:15:11.503253 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf6)
> 15:15:14.962727 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf7)
> 15:15:16.300635 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf8)
> 15:15:20.506943 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf9)
> 15:15:21.437888 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x74)
> 15:15:25.856622 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xfa)
> 15:15:31.435947 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x75)
> 15:15:36.050993 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xfb)
> 15:15:37.878714 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xfc)
>
> Well, thanks for your time. I think I don't have anything else left on my
> side to be done. I will wait for my counterpart to come back from lunch
> so that I can make more tests.

Your firewall still isn't working properly. You are not seeing any traffic from the firewall to the DMZ endpoint.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
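Tom's two earlier observations on the eth0 capture (the firewall's own stack answering ESP with "protocol 50 unreachable", and ESP leaving the outside interface with the DMZ box's private source address) and his remark just above on the "any" capture (inbound ESP arrives for the public IP but nothing is ever sent on to the DMZ endpoint) are all mechanical checks on tcpdump output. The script below is an added example, not code from the thread or from Shorewall: it parses tcpdump's text output and applies those three checks. The addresses are the ones posted in the thread; the captures are constructed to match the posted lines, plus one constructed "healthy" capture showing what a working DNAT/SNAT pass-through looks like on the "any" device (inbound packet seen twice, before and after DNAT; outbound packet seen twice, before and after SNAT).

```python
"""Classify tcpdump output for a NATed IPsec (ESP, IP protocol 50) pass-through.

Checks, following the reasoning in the thread:
  1. ICMP "protocol 50 unreachable" sourced from the firewall's own public
     address: the firewall's IP stack consumed the ESP packet instead of
     forwarding it to the DMZ endpoint.
  2. ESP on the external interface alone with an RFC 1918 source: the
     outbound packet left without SNAT.
  3. On the 'any' pseudo-device, inbound ESP for the public IP with no packet
     ever sent towards the DMZ endpoint: inbound forwarding (DNAT) is missing.
"""
import ipaddress
import re

# Addresses as posted in the thread.
FIREWALL_PUBLIC = "200.173.215.67"   # public address NATed to the DMZ box
DMZ_ENDPOINT = "192.168.231.150"     # IPsec box inside the DMZ
REMOTE_PEER = "200.205.145.83"       # remote IPsec gateway

# One tcpdump line: "HH:MM:SS.usec src > dst: rest"
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+(?P<rest>.*)$"
)


def parse_capture(text):
    """Turn tcpdump text output into packet dicts; banner/warning lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("ESP("):
            kind = "esp"
        elif rest.startswith("icmp:") and "protocol 50 unreachable" in rest:
            kind = "icmp-proto-unreach"
        else:
            kind = "other"
        packets.append({"ts": m.group("ts"), "src": m.group("src"),
                        "dst": m.group("dst"), "kind": kind})
    return packets


def diagnose(capture_text, external_only):
    """Return finding tags for one capture.

    external_only=True: capture from the outside interface alone, so a private
    source there proves SNAT was skipped; absence of DMZ-bound traffic is
    expected there and is not checked.
    external_only=False: capture from the 'any' device, where the pre-NAT copy
    from the inside interface is normal, so the SNAT check is disabled and the
    inbound-forwarding check is enabled instead."""
    pkts = parse_capture(capture_text)
    findings = []
    # 1) The firewall answered ESP itself: the packet was delivered locally.
    if any(p["kind"] == "icmp-proto-unreach" and p["src"] == FIREWALL_PUBLIC
           for p in pkts):
        findings.append("icmp-proto-unreach-from-firewall")
    # 2) ESP leaving the external interface with an RFC 1918 source: no SNAT.
    if external_only and any(
            p["kind"] == "esp" and ipaddress.ip_address(p["src"]).is_private
            for p in pkts):
        findings.append("esp-private-source-on-external")
    # 3) Inbound ESP arrives for the public IP but nothing goes to the DMZ box.
    if not external_only:
        inbound = any(p["kind"] == "esp" and p["src"] == REMOTE_PEER
                      and p["dst"] == FIREWALL_PUBLIC for p in pkts)
        to_dmz = any(p["dst"] == DMZ_ENDPOINT for p in pkts)
        if inbound and not to_dmz:
            findings.append("no-traffic-to-dmz-endpoint")
    return findings


# Constructed sample matching the thread's first capture on eth0.
ETH0_CAPTURE = """\
tcpdump: listening on eth0
12:12:55.385384 200.205.145.83 > 200.173.215.67: ESP(spi=0x971760a6,seq=0x8)
12:12:55.385700 200.173.215.67 > 200.205.145.83: icmp: 200.173.215.67 protocol 50 unreachable [tos 0xc0]
12:12:56.652594 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041cf5,seq=0x5)
"""

# Constructed sample matching the post-reboot capture on the 'any' device.
ANY_CAPTURE = """\
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any
15:15:11.437858 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x73)
15:15:11.503253 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0xf6)
15:15:21.437888 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x74)
"""

# Constructed sample of a working pass-through on 'any': each packet appears
# twice, once pre-NAT on the ingress interface and once post-NAT on egress.
HEALTHY_CAPTURE = """\
tcpdump: listening on any
15:20:00.000001 200.205.145.83 > 200.173.215.67: ESP(spi=0xa1f6169a,seq=0x10)
15:20:00.000050 200.205.145.83 > 192.168.231.150: ESP(spi=0xa1f6169a,seq=0x10)
15:20:00.100000 192.168.231.150 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x80)
15:20:00.100050 200.173.215.67 > 200.205.145.83: ESP(spi=0x6c041d05,seq=0x80)
"""

if __name__ == "__main__":
    print("eth0 (before reboot):", diagnose(ETH0_CAPTURE, external_only=True))
    print("any  (after reboot): ", diagnose(ANY_CAPTURE, external_only=False))
    print("any  (healthy):      ", diagnose(HEALTHY_CAPTURE, external_only=False))
```

Feed it a real capture with `tcpdump -n` so that addresses are not resolved to names; the third, healthy sample is what to compare against when the tunnel comes back, since on the "any" device a correctly NATed packet is seen twice, once with the public address and once with the DMZ address.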
Tom Eastep wrote on 10/05/2004 15:41:24:
> Eduardo Ferreira wrote:
> > [... snip ...]
> Your firewall still isn't working properly. You are not seeing any
> traffic from the firewall to the DMZ endpoint.

Yeah, I know. And I can't understand why. Sorry for the cliché, but: it worked last week... ;-(

I'll try to make more tests later, when my users are gone. Will post any results...

Thanks for your help,

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
Eduardo Ferreira wrote on 10/05/2004 15:50:09:
> Tom Eastep wrote on 10/05/2004 15:41:24:
>
> > Eduardo Ferreira wrote:
> > > [... snip ...]
> > Your firewall still isn't working properly. You are not seeing any
> > traffic from the firewall to the DMZ endpoint.
> Yeah, I know. And I can't understand why. Sorry for the cliché, but:
> it worked last week... ;-(
>
> I'll try to make more tests later, when my users are gone. Will post any
> results...
>

Tom, the problem was not Shorewall related. I've just put the IPSEC box directly connected to the internet and the problem still exists.

Thanks for your help and sorry for misusing your precious time.

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606
Eduardo Ferreira wrote:
>>
>
> Tom, the problem was not Shorewall related. I've just put the IPSEC box
> directly connected to the internet and the problem still exists.
>

Be sure that you aren't seeing stale ARP cache problems caused by moving the IP address from one NIC to another. The symptoms could be very similar (be sure that you can ping the upstream router from the IPSEC endpoint).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
Oh, no. This one I learned six months ago, when I moved my webmail server to the DMZ LAN. 4 whole hours till I issued a clear arp in a Cisco router...

________________________
Eduardo Ferreira
Icatu Holding S.A.
IT Supervisor
(5521) 3804-8606

Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-bounces@lists.shorewall.net
10/05/2004 18:19
Please respond to Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
To: Mailing List for Shorewall Users <shorewall-users@lists.shorewall.net>
Subject: Re: [Shorewall-users] IPSEC box inside DMZ

> Eduardo Ferreira wrote:
> >>
> >
> > Tom, the problem was not Shorewall related. I've just put the IPSEC box
> > directly connected to the internet and the problem still exists.
> >
>
> Be sure that you aren't seeing stale ARP cache problems caused by moving
> the IP address from one NIC to another. The symptoms could be very similar
> (be sure that you can ping the upstream router from the IPSEC endpoint).
>
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep@shorewall.net

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm