Hi, I hope somebody can offer some advice. I have been trying to set up a VPN between two sites using IPSEC + shorewall. Previously I have used 2.4 kernels with freeswan patches. These generate an "ipsec0" device. That link is using shorewall version 1.2.

Now for the new link I am using a late 2.4 kernel from the Debian distribution which has native Linux ipsec code backport patches. Debian also has a patched version of Freeswan and together I have got the VPN set up and running. Shorewall version is 2.0.2f. Now I want to protect it with shorewall.

Both ends of the VPN connect to the internet via ADSL. (To complicate things, both ends have dynamic IPs. However I already have hacked workarounds for this which I have running on my 'old' 2.4 kernel based VPN for some months.)

My setup is based on the document http://www.shorewall.net/IPSEC.htm. To summarise I have:

    zones:
    net     Net       Internet
    loc     Local     Local networks
    vpn     VPN       VPN

    interfaces:
    -       ppp0      "-"       tcpflags
    loc     eth0      detect    dhcp

    hosts:
    vpn     ppp0:192.168.39.0/24
    net     ppp0:0.0.0.0/0

    tunnels:
    ipsec   net       0.0.0.0/0     vpn

    masq
    ppp0:!192.168.39.0/24     192.168.38.32/27

Both ends have virtually identical setups; just the IP ranges of the subnets are swapped on each end. So far so good.

My trouble is when I make a connection from the firewall on one end to the firewall on the other, the traffic on the far end is logged with the source IP of the originating end's public, dynamic ppp0 address and a destination IP in the 192.168.39.0/24 subnet. This means it gets classified as "net" to "loc" and it gets blocked by policy rules on the far end.

With the 2.4 kernel based system all traffic arriving at ipsec0 was classified as zone "vpn", even if the source IP (and destination IP) are public ones, and my policy allows "vpn" to "loc".

It has taken me a long day and a long night to work out what is happening; any suggestions on how to fix it?

Thanks
Ian
Ian Forbes wrote:
> My setup is based on the document
> http://www.shorewall.net/IPSEC.htm. To summarise I have:
>
> zones:
> net     Net       Internet
> loc     Local     Local networks
> vpn     VPN       VPN
>
> interfaces:
> -       ppp0      "-"       tcpflags
> loc     eth0      detect    dhcp
>
> hosts:
> vpn     ppp0:192.168.39.0/24
> net     ppp0:0.0.0.0/0
>
> tunnels:
> ipsec   net       0.0.0.0/0     vpn
>
> masq
> ppp0:!192.168.39.0/24     192.168.38.32/27
>

Why didn't you follow the instructions in that document for configuring Shorewall on a 2.6 kernel?

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
On Thursday, 1 July 2004 20:48, Tom Eastep wrote:
> Ian Forbes wrote:
> > My setup is based on the document
> > http://www.shorewall.net/IPSEC.htm. To summarise I have:
> >
> > zones:
> > net     Net       Internet
> > loc     Local     Local networks
> > vpn     VPN       VPN
> >
> > interfaces:
> > -       ppp0      "-"       tcpflags
> > loc     eth0      detect    dhcp
> >
> > hosts:
> > vpn     ppp0:192.168.39.0/24
> > net     ppp0:0.0.0.0/0
> >
> > tunnels:
> > ipsec   net       0.0.0.0/0     vpn
> >
> > masq
> > ppp0:!192.168.39.0/24     192.168.38.32/27
>
> Why didn't you follow the instructions in that document for
> configuring Shorewall on a 2.6 kernel?

I thought I had. Where have I deviated from the guidelines?

For the record, the setup looks like this.

                Subnet 192.168.38.0/24
                          |
                (eth0 192.168.38.1)
                      Firewall1
              (ppp0 public, dynamic IP)
                          |
                      Ipsec VPN
                          |
              (ppp0 public, dynamic IP)
                      Firewall2
                (eth0 192.168.39.1)
                          |
                Subnet 192.168.39.0/24

Firewall 1 has the above configuration and Firewall 2 has a similar one with 192.168.38 in place of 192.168.39 and vice versa.

(I do note that I have masqueraded a /27 portion of the 192.168.38.0 subnet as opposed to the full /24. This is a design decision; not all the machines on that subnet are to get access to the internet. But for the record, if I use 192.168.38.0/24 in its place, it still does not work.)

Thanks
Ian
Ian Forbes wrote:
> On Thursday, 1 July 2004 20:48, Tom Eastep wrote:
>
>> Ian Forbes wrote:
>>
>>> My setup is based on the document
>>> http://www.shorewall.net/IPSEC.htm. To summarise I have:
>>>
>>> zones:
>>> net     Net       Internet
>>> loc     Local     Local networks
>>> vpn     VPN       VPN
>>>
>>> interfaces:
>>> -       ppp0      "-"       tcpflags
>>> loc     eth0      detect    dhcp
>>>
>>> hosts:
>>> vpn     ppp0:192.168.39.0/24
>>> net     ppp0:0.0.0.0/0
>>>
>>> tunnels:
>>> ipsec   net       0.0.0.0/0     vpn
>>>
>>> masq
>>> ppp0:!192.168.39.0/24     192.168.38.32/27
>>
>> Why didn't you follow the instructions in that document for
>> configuring Shorewall on a 2.6 kernel?
>
> I thought I had. Where have I deviated from the guidelines?
>

Sorry -- I thought I had made it clear in the doc that it's critical that the 'vpn' zone be defined before the 'net' zone in /etc/shorewall/zones but apparently I neglected to stress that point. I'll update the doc.

-Tom
Tom Eastep wrote:
> Ian Forbes wrote:
>
>> On Thursday, 1 July 2004 20:48, Tom Eastep wrote:
>>>
>>> Why didn't you follow the instructions in that document for
>>> configuring Shorewall on a 2.6 kernel?
>>
>> I thought I had. Where have I deviated from the guidelines?
>>
>
> Sorry -- I thought I had made it clear in the doc that it's critical
> that the 'vpn' zone be defined before the 'net' zone in
> /etc/shorewall/zones but apparently I neglected to stress that point.
> I'll update the doc.

The document has been updated -- again, please accept my apology.

-Tom
On Friday, 2 July 2004 0:15, Tom Eastep wrote:
>>> Ian Forbes wrote:
>>>> My setup is based on the document
>>>> http://www.shorewall.net/IPSEC.htm. To summarise I have:
>>>>
>>>> zones:
>>>> net     Net       Internet
>>>> loc     Local     Local networks
>
> Sorry -- I thought I had made it clear in the doc that it's
> critical that the 'vpn' zone be defined before the 'net' zone in
> /etc/shorewall/zones but apparently I neglected to stress that
> point. I'll update the doc.

I have tried the following, but it still does not work:

    zones
    vpn     VPN       VPN
    net     Net       Internet
    loc     Local     Local networks

Are you sure you mean that the order of entries in the hosts file is significant? I have the following which I believe is correct:

    hosts:
    vpn     ppp0:192.168.39.0/24
    net     ppp0:0.0.0.0/0

When I try a telnet from Firewall 1 onto port "time" of Firewall 2 (for want of a better test) I get this logged on Firewall 2:

    Jul  2 01:48:07 zslic kernel: Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=165.165.210.215 DST=192.168.39.7 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=15321 DF PROTO=TCP SPT=1051 DPT=37 WINDOW=5808 RES=0x00 SYN URGP=0

If I set DYNAMIC_ZONES=Yes in shorewall.conf and then run:

    shorewall add ppp0:165.165.210.215 vpn

on Firewall2, it works. The problem is how to determine the address of the opposite side firewall and to trigger it every time it changes.

Regards
Ian
--
Ian Forbes ZSD
http://www.zsd.co.za
Office: +27 21 683-1388
Fax: +27 21 674-1106
Snail Mail: P.O. Box 46827, Glosderry, 7702, South Africa
Ian Forbes wrote:
>
> When I try a telnet from Firewall 1 onto port "time" of Firewall 2
> (for want of a better test) I get this logged on Firewall 2:
>
> Jul  2 01:48:07 zslic kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=
> MAC= SRC=165.165.210.215 DST=192.168.39.7 LEN=60 TOS=0x10 PREC=0x00
> TTL=64 ID=15321 DF PROTO=TCP SPT=1051 DPT=37 WINDOW=5808 RES=0x00
> SYN URGP=0

Ian,

If you have defined a net-to-net tunnel (which is the only type that the Shorewall IPSEC 2.6 documentation covers), then traffic from Firewall 2 DOESN'T GO THROUGH THE TUNNEL (and isn't encrypted).

-Tom
On Friday, 2 July 2004 3:11, Tom Eastep wrote:
> If you have defined a net-to-net tunnel (which is the only type
> that the Shorewall IPSEC 2.6 documentation covers), then traffic
> from Firewall 2 DOESN'T GO THROUGH THE TUNNEL (and isn't
> encrypted).

My Freeswan configuration defines 4 tunnels: firewall to firewall, firewall to network, network to firewall and network to network. The firewall to firewall traffic was working and encrypted before installing Shorewall.

I have now managed to hack together a working configuration which uses a script to call "shorewall add ..." to add the public IP of each firewall to the opposing firewall's "fw" zone. My solution works but is not very elegant. When I have had some sleep I will review it to see if I can see any security issues.

Does anybody know if there is a way that freeswan can be programmed to call a script whenever a tunnel comes up or goes down?

Thanks
Ian

PS: I have found Shorewall to be a pretty effective combination of usability and flexibility for controlling iptables. Thanks for the efforts. (But life might be a little easier if syntax changes between versions were more upwardly compatible.)
Ian Forbes wrote:
>
> Does anybody know if there is a way that freeswan can be programmed
> to call a script whenever a tunnel comes up or goes down?

Yes -- search the FreeSwan documentation for 'updown'.

>
> (But life might be a little easier if syntax changes between
> versions were more upwardly compatible.)
>

Incompatible changes are limited to major releases which only happen once per year or so. Since you were still running 1.2 (which hasn't been supported since March of last year), upgrading to 2.0 required you to go through the most major change of syntax that has occurred in Shorewall's history; I seriously doubt that such a major change will ever happen again but the original Shorewall syntax for DNAT and REDIRECT was just too hard for people to understand and had to be replaced.

-Tom
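An added example, not from this thread or from the Shorewall or FreeSWAN projects, of the 'updown' approach Tom points to: a hook script that performs the "shorewall add ppp0:<peer> vpn" step from Ian's message automatically when a tunnel comes up, and the matching delete when the last tunnel to that peer goes down. It assumes DYNAMIC_ZONES=Yes in shorewall.conf, a leftupdown= line in ipsec.conf pointing at this script, the /sbin/shorewall and /usr/lib/ipsec/_updown paths, and the PLUTO_VERB and PLUTO_PEER variables that Pluto exports to its updown script.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall/FreeSWAN projects: a
# FreeSWAN "updown" hook that puts the peer firewall's public address into the
# dynamic "vpn" zone on tunnel up and removes it when the last tunnel to that
# peer goes down. Assumes DYNAMIC_ZONES=Yes in shorewall.conf and leftupdown=
# pointing at this script; Pluto exports PLUTO_VERB and PLUTO_PEER to it.

IFACE="${IFACE:-ppp0}"                      # interface carrying the tunnel
ZONE="${ZONE:-vpn}"                         # dynamic zone from the hosts file
SHOREWALL="${SHOREWALL:-/sbin/shorewall}"   # assumed binary path
STATE_DIR="${STATE_DIR:-/var/run/shorewall-updown}"  # per-peer tunnel counts

# Map a Pluto verb to the Shorewall sub-command; fail for verbs we ignore.
verb_action() {
  case "$1" in
    up-host|up-client)     echo add ;;
    down-host|down-client) echo delete ;;
    *) return 1 ;;
  esac
}

# Only a dotted quad may reach the shorewall command line.
valid_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}
# Print the shorewall command for this event, or nothing if no change is needed.
# Four tunnels share one peer in the thread's setup, so the peer is added on the
# first "up" and deleted only when the tunnel count drops to zero.
updown_command() {
  action=$(verb_action "$1") || return 0   # prepare-*, route-*, etc.: no-op
  valid_ipv4 "$2" || return 1
  mkdir -p "$STATE_DIR"
  f="$STATE_DIR/$2"
  n=0; [ -f "$f" ] && n=$(cat "$f")
  if [ "$action" = add ]; then
    n=$((n + 1)); echo "$n" > "$f"
    [ "$n" -eq 1 ] && echo "$SHOREWALL add $IFACE:$2 $ZONE"
  else
    n=$((n - 1))
    if [ "$n" -gt 0 ]; then echo "$n" > "$f"
    else rm -f "$f"; echo "$SHOREWALL delete $IFACE:$2 $ZONE"; fi
  fi
  return 0
}

# Entry point when Pluto calls us; the stock _updown (assumed path) still handles routing.
if [ -n "${PLUTO_VERB:-}" ]; then
  cmd=$(updown_command "$PLUTO_VERB" "$PLUTO_PEER") || exit 1
  [ -n "$cmd" ] && $cmd
  exec /usr/lib/ipsec/_updown
fi
```

With the four tunnels Ian describes, the peer is added once on the first up-* event and the entry is only removed after all four have reported down-*.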