Hello all,

I had set up shorewall before successfully with a normal LAN to internet connection. Now I'm connected to the internet via VPN and I got problems with configuring Shorewall. Any help is appreciated.

This is my setup:

- Gentoo Linux laptop (kernel gentoo-dev-sources-2.6.8.1) with Shorewall 2.0.4 (setup for Standalone one interface) and iptables 1.2.11
- VPN client is "vpnc" from http://www.unix-ag.uni-kl.de/~massar/vpnc/ (Free client for Cisco VPN routing software)
- WLAN card that is configured to use dhcp

This is the way I connect:

1. The WLAN card (eth1) gets a non-rfc1918 IP address assigned by a dhcp server
2. I start the VPN client vpnc. It connects using IPSEC. Afterwards ifconfig shows these devices:

eth1      Protokoll:Ethernet  Hardware Adresse 00:0C:F1:2A:35:A7
          inet Adresse:134.130.244.15  Bcast:134.130.247.255  Maske:255.255.252.0
          UP BROADCAST NOTRAILERS MULTICAST  MTU:1412  Metric:1
          RX packets:38102 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6138 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:1000
          RX bytes:12946513 (12.3 Mb)  TX bytes:811028 (792.0 Kb)
          Interrupt:10 Basisadresse:0x1000 Speicher:d0000000-d0000fff

lo        Protokoll:Lokale Schleife
          inet Adresse:127.0.0.1  Maske:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:184 errors:0 dropped:0 overruns:0 frame:0
          TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:0
          RX bytes:16247 (15.8 Kb)  TX bytes:16247 (15.8 Kb)

vpnlink   Protokoll:UNSPEC  Hardware Adresse 00-00-FF-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet Adresse:134.130.240.112  P-z-P:134.130.240.112  Maske:255.255.255.255
          UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
          RX packets:4155 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3044 errors:0 dropped:0 overruns:0 carrier:0
          Kollisionen:0 Sendewarteschlangenlänge:10
          RX bytes:5320404 (5.0 Mb)  TX bytes:280959 (274.3 Kb)

I set up Shorewall's interface config file like this:

    net     eth1    detect    norfc1918,routefilter,dhcp,tcpflags

I found the Shorewall IPSEC documentation, but I'm confused. The VPN admins write about firewalls in their FAQ:

"Firewalls have to be disabled in case you're using WLAN. However, experts can try to set up their firewall with the following info:

    UDP Port: 10.000
    and respectively
    TCP Port: 10.000
    and respectively
    UDP 500 for IPSec Handshake
    Protokoll: ESP (50)"

In the Shorewall guide to VPN I found the suggested rules for IPSEC DNAT:

    DNAT    net:192.0.2.224    loc:192.168.1.12    50
    DNAT    net:192.0.2.224    loc:192.168.1.12    udp    500

But how would I use them with ever changing IP addresses for eth1 and the vpnlink device which is created by vpnc?

Which guide do I have to follow? The IPSEC guide or the VPN guide? And how would I best do so?

Help appreciated!

Regards

Sebastian
Sebastian Kemper schrieb:
> Hello all,
>
> I had set up shorewall before successfully with a normal LAN to internet
> connection. Now I'm connected to the internet via VPN and I got problems
> with configuring Shorewall. Any help is appreciated.
>
> This is my setup:
>
> - Gentoo Linux laptop (kernel gentoo-dev-sources-2.6.8.1) with Shorewall
>   2.0.4 (setup for Standalone one interface) and iptables 1.2.11
> - VPN client is "vpnc" from http://www.unix-ag.uni-kl.de/~massar/vpnc/
>   (Free client for Cisco VPN routing software)
> - WLAN card that is configured to use dhcp
>
> This is the way I connect:
>
> 1. The WLAN card (eth1) gets a non-rfc1918 IP address assigned by a
>    dhcp server
> 2. I start the VPN client vpnc. It connects using IPSEC. Afterwards
>    ifconfig shows these devices:
>
> eth1      Protokoll:Ethernet  Hardware Adresse 00:0C:F1:2A:35:A7
>           inet Adresse:134.130.244.15  Bcast:134.130.247.255  Maske:255.255.252.0
>           UP BROADCAST NOTRAILERS MULTICAST  MTU:1412  Metric:1
>           RX packets:38102 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:6138 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:1000
>           RX bytes:12946513 (12.3 Mb)  TX bytes:811028 (792.0 Kb)
>           Interrupt:10 Basisadresse:0x1000 Speicher:d0000000-d0000fff
>
> lo        Protokoll:Lokale Schleife
>           inet Adresse:127.0.0.1  Maske:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:184 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:184 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:0
>           RX bytes:16247 (15.8 Kb)  TX bytes:16247 (15.8 Kb)
>
> vpnlink   Protokoll:UNSPEC  Hardware Adresse 00-00-FF-00-00-00-00-00-00-00-00-00-00-00-00-00
>           inet Adresse:134.130.240.112  P-z-P:134.130.240.112  Maske:255.255.255.255
>           UP PUNKTZUPUNKT RUNNING NOARP MULTICAST  MTU:1412  Metric:1
>           RX packets:4155 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:3044 errors:0 dropped:0 overruns:0 carrier:0
>           Kollisionen:0 Sendewarteschlangenlänge:10
>           RX bytes:5320404 (5.0 Mb)  TX bytes:280959 (274.3 Kb)
>
> I set up Shorewall's interface config file like this:
>
>     net     eth1    detect    norfc1918,routefilter,dhcp,tcpflags
>
> I found the Shorewall IPSEC documentation, but I'm confused. The VPN
> admins write about firewalls in their FAQ:
>
> "Firewalls have to be disabled in case you're using WLAN. However,
> experts can try to set up their firewall with the following info:
>
>     UDP Port: 10.000
>     and respectively
>     TCP Port: 10.000
>     and respectively
>     UDP 500 for IPSec Handshake
>     Protokoll: ESP (50)"
>
> In the Shorewall guide to VPN I found the suggested rules for IPSEC DNAT:
>
>     DNAT    net:192.0.2.224    loc:192.168.1.12    50
>     DNAT    net:192.0.2.224    loc:192.168.1.12    udp    500
>
> But how would I use them with ever changing IP addresses for eth1 and the
> vpnlink device which is created by vpnc?
>
> Which guide do I have to follow? The IPSEC guide or the VPN guide? And
> how would I best do so?
>
> Help appreciated!
>
> Regards
>
> Sebastian
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Sorry for the double post!

After some thinking about the whole thing it appeared to me that I may have followed the wrong guide. Because I followed the "1 public IP - 1 interface guide". But I got two interfaces. The first one is my WLAN card which gets a non-rfc1918 address, the second is the (virtual) vpnlink device. Btw. the interface that is connected to the internet is the vpnlink one (that's what http://checkip.dyndns.org/ shows), so I guess my choice to choose eth1 as the net device in /etc/shorewall/interfaces is wrong.

Can you point me in the right direction regarding which guide to follow and if and what part of the IPSEC guide is also necessary?

Thanks!

Sebastian
Sebastian Kemper wrote:
> Can you point me in the right direction regarding which
> guide to follow and if and what part of the IPSEC guide is also
> necessary?

There is no guide that covers your configuration but yours is similar to the one-interface guide when used with PPTP/ADSL (see the section entitled PPTP/ADSL in the standalone guide). The difference in your case is that you are using an IPSEC tunnel rather than a PPTP tunnel (although the UDP and TCP port 100000 is a real mystery to me).

Hope that gets you started.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep schrieb:
> Sebastian Kemper wrote:
>
>>> Can you point me in the right direction regarding which
>>> guide to follow and if and what part of the IPSEC guide is also
>>> necessary?
>
> There is no guide that covers your configuration but yours is similar to
> the one-interface guide when used with PPTP/ADSL (see the section
> entitled PPTP/ADSL in the standalone guide). The difference in your case
> is that you are using an IPSEC tunnel rather than a PPTP tunnel
> (although the UDP and TCP port 100000 is a real mystery to me).
>
> Hope that gets you started.
>
> -Tom

Hello,

thank you very much for your tip. Now I can access the internet with shorewall running. But I'd like to know your opinion if my settings are ok :)

This is what I got:

    grep -v ^# < interfaces
    vpn     eth1       detect    dhcp
    net     vpnlink    detect    norfc1918,routefilter,dhcp,tcpflags

    grep -v ^# < policy
    fw      net     ACCEPT
    net     all     DROP      info
    all     all     REJECT    info

/etc/shorewall/rules is totally commented

    grep -v ^# < tunnels
    ipsec   vpn     0.0.0.0/0

    grep -v ^# < zones
    vpn     VPN     VPN Client
    net     Net     Internet

I guess this isn't much :) But if this is a safe setup I'd feel much better. What do you think of it?

Thanks!

Sebastian
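To see what the configuration in the post above actually lets through, here is a small model of how Shorewall disposes of traffic under exactly those interfaces, policy, tunnels and zones entries. This is an added example written for this page, not code from the thread or from the Shorewall project. Two things in it are my reading of the Shorewall documentation rather than facts stated in the thread and are labelled as assumptions in the code: the evaluation order (interface options such as norfc1918 and dhcp first, then the rules a tunnels entry generates, then the first matching policy row), and that a tunnel of type ipsec accepts ESP, AH and UDP 500 between the firewall and the gateway zone in both directions. The rules file is empty in the thread, so it is not modelled; all packets and addresses below are constructed.

```python
"""Model of the Shorewall 2.x configuration posted in the thread.

Assumption (not from the thread): ordering is interface options, then
tunnel-generated rules, then policy; an 'ipsec' tunnel accepts ESP, AH and
UDP 500 between fw and the gateway zone. Packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

FW = "fw"  # Shorewall's name for the firewall zone itself (default $FW)

# Configuration exactly as posted: zone -> (device, interface options).
INTERFACES = {
    "vpn": ("eth1", {"dhcp"}),
    "net": ("vpnlink", {"norfc1918", "routefilter", "dhcp", "tcpflags"}),
}
# policy rows: (source zone, destination zone, action, log level), in order.
POLICY = [
    ("fw", "net", "ACCEPT", None),
    ("net", "all", "DROP", "info"),
    ("all", "all", "REJECT", "info"),
]
# tunnels rows: (type, zone, gateway).
TUNNELS = [("ipsec", "vpn", "0.0.0.0/0")]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ESP, AH = 50, 51  # IP protocol numbers


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: Union[str, int]          # "tcp", "udp" or an IP protocol number
    dport: Optional[int] = None
    src_ip: str = "0.0.0.0"         # constructed; only norfc1918 looks at it


def _iface(zone):
    return INTERFACES.get(zone)


def _norfc1918_drops(pkt):
    # norfc1918 on the interface a packet arrives through: RFC1918 source
    # addresses are logged and dropped before any zone policy is consulted.
    iface = _iface(pkt.src_zone)
    if iface and "norfc1918" in iface[1]:
        addr = ipaddress.ip_address(pkt.src_ip)
        return any(addr in net for net in RFC1918)
    return False


def _dhcp_allowed(pkt):
    # dhcp option: DHCP traffic (udp 67/68) between the firewall and that
    # interface is accepted regardless of policy, so eth1 keeps its lease.
    if pkt.dst_zone == FW:
        zone = pkt.src_zone
    elif pkt.src_zone == FW:
        zone = pkt.dst_zone
    else:
        return False
    iface = _iface(zone)
    return bool(iface and "dhcp" in iface[1]
                and pkt.proto == "udp" and pkt.dport in (67, 68))


def _tunnel_allowed(pkt):
    # Assumption: an 'ipsec' tunnel opens ESP, AH and IKE (udp 500) between
    # fw and the gateway zone in both directions; 0.0.0.0/0 means any gateway.
    for ttype, zone, _gateway in TUNNELS:
        if ttype != "ipsec" or {pkt.src_zone, pkt.dst_zone} != {FW, zone}:
            continue
        if pkt.proto in (ESP, AH) or (pkt.proto == "udp" and pkt.dport == 500):
            return True
    return False


def _policy(pkt):
    # First matching row wins; 'all' is Shorewall's wildcard.
    for src, dst, action, level in POLICY:
        if src in (pkt.src_zone, "all") and dst in (pkt.dst_zone, "all"):
            return action, level
    raise ValueError("no policy matched; Shorewall needs a catch-all row")


def dispose(pkt):
    """Return (verdict, reason) for a constructed packet under this config."""
    if _norfc1918_drops(pkt):
        return "DROP", "norfc1918 on " + _iface(pkt.src_zone)[0]
    if _dhcp_allowed(pkt):
        return "ACCEPT", "dhcp interface option"
    if _tunnel_allowed(pkt):
        return "ACCEPT", "tunnels: ipsec vpn"
    action, level = _policy(pkt)
    reason = f"policy {pkt.src_zone}->{pkt.dst_zone}"
    return action, reason + (f" (log {level})" if level else "")


if __name__ == "__main__":
    for p in (Packet("fw", "net", "tcp", 443),
              Packet("net", "fw", "tcp", 22, src_ip="203.0.113.7"),
              Packet("net", "fw", "tcp", 80, src_ip="192.168.1.5"),
              Packet("vpn", "fw", ESP, src_ip="134.130.240.1"),
              Packet("vpn", "fw", "udp", 68, src_ip="134.130.244.1"),
              Packet("vpn", "fw", "udp", 10000, src_ip="134.130.240.1")):
        print(p, "->", dispose(p))
```

The last constructed packet is worth a look: the FAQ quoted in the first post also names UDP/TCP port 10000, and nothing in the posted configuration opens it, so the model reports a REJECT on the catch-all row. Since the poster reports that the tunnel works, the client is evidently getting by on ESP and UDP 500 alone; if that ever changes, the evaluator shows exactly which row would have to be extended.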
Sebastian Kemper wrote:
> Tom Eastep schrieb:
>
>> Sebastian Kemper wrote:
>>
>>>> Can you point me in the right direction regarding which
>>>> guide to follow and if and what part of the IPSEC guide is also
>>>> necessary?
>>
>> There is no guide that covers your configuration but yours is similar to
>> the one-interface guide when used with PPTP/ADSL (see the section
>> entitled PPTP/ADSL in the standalone guide). The difference in your case
>> is that you are using an IPSEC tunnel rather than a PPTP tunnel
>> (although the UDP and TCP port 100000 is a real mystery to me).
>>
>> Hope that gets you started.
>>
>> -Tom
>
> Hello,
>
> thank you very much for your tip. Now I can access the internet with
> shorewall running. But I'd like to know your opinion if my settings are
> ok :)
> This is what I got:
>
>     grep -v ^# < interfaces
>     vpn     eth1       detect    dhcp
>     net     vpnlink    detect    norfc1918,routefilter,dhcp,tcpflags
>
>     grep -v ^# < policy
>     fw      net     ACCEPT
>     net     all     DROP      info
>     all     all     REJECT    info
>
> /etc/shorewall/rules is totally commented
>
>     grep -v ^# < tunnels
>     ipsec   vpn     0.0.0.0/0
>
>     grep -v ^# < zones
>     vpn     VPN     VPN Client
>     net     Net     Internet
>
> I guess this isn't much :) But if this is a safe setup I'd feel much
> better. What do you think of it?

Looks fine.

-Tom