Tom Eastep
2004-Oct-06 08:34 UTC
[Shorewall-devel] Re: [Shorewall-users] IPsec problems with tunneled networks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Hello,
>
> now I solved one problem, leaving the other unsolved still.
>
>>>> 2.
>>>> Machine A and B have the IP-number 192.168.[176,177].1, but they
>>>> are not able to ping to the other networks side.
>>>> 192.168.176.1 cannot reach any machine in 192.168.177.0/24 and vice
>>>> versa.
>>>>
>>>> I think this could be a problem of my ipsec SPD, but I am not sure.
>>>> I also tried to add two more SPDs, but with no success.
>>
>> I think I will try with a second tunnel, since my first tunnel only
>> connects the two networks and not the two gateway machines themselves.
>
> I added a sainfo stanza to racoon.conf to build a tunnel between the
> public IP addresses of both gateway machines and now I can ping to and from
> 192.168.[176/177].1
>

You can also do that with two additional entries in your setkey.conf file.
Here is mine -- it implements a host<->network tunnel (sorry for the
folding).

flush;
spdflush;

# Add some SPD rules

spdadd 64.139.97.48/32 206.124.146.176/32 any -P out ipsec
esp/tunnel/64.139.97.48-206.124.146.176/require;
spdadd 206.124.146.176/32 64.139.97.48/32 any -P in ipsec
esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 192.168.1.0/24 64.139.97.48/32 any -P in ipsec
esp/tunnel/206.124.146.176-64.139.97.48/require;
spdadd 64.139.97.48/32 192.168.1.0/24 any -P out ipsec
esp/tunnel/64.139.97.48-206.124.146.176/require;

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZBCbO/MAbZfjDLIRAoN3AKCCbYevvZq6GlKblnIzd6v/XF6L6wCgvzjn
RKzqG+5R2zIt4Y/XB+wJFG4=
=BK1V
-----END PGP SIGNATURE-----
Tom Eastep
2004-Oct-06 08:36 UTC
[Shorewall-devel] Re: [Shorewall-users] IPsec problems with tunneled networks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
>
> I patched "policy" inside, but ipsec-xx patches did not apply (13 of 14 hunks
> failed). Do I need ipsec-xx patches?
>

Yes -- the policy patch is useless without the ipsec-xx patches. Without the
patches, IPSEC traffic only passes thru Netfilter once (after it has been
encrypted on output and after it has been decrypted on input IIRC). Without
the ipsec patches, you need to set up Shorewall as described in the regular
IPSEC documentation -- you cannot use the new features in Shorewall 2.1.

I believe that Kay Obermueller was also experiencing problems with the
ipsec-nn patches and 2.6.8. I've copied her in the hope that she may have
found a solution.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZBD7O/MAbZfjDLIRAuEQAKCaTWJjaug7qJ29WZIqIY2nmfx+4gCfejLi
jRdzYQJ/60qzl+ZQ1AgAQ1Q=
=rbe1
-----END PGP SIGNATURE-----
Tom Eastep
2004-Oct-06 08:38 UTC
[Shorewall-devel] Re: [Shorewall-users] IPsec problems with tunneled networks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
>>>
>>> 1.
>>> when 192.168.177.21 connects to 192.168.176.2 pop3 then I can issue
>>> commands, but I cannot RETR emails.
>
> Could this be a MTU issue?

Yes I suppose that it could be -- thankfully, I don't have to deal with PPPoE
on either end of my tunnel so I can't say what problems might occur there.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZBGOO/MAbZfjDLIRAhsVAJkBSWPq3dQPf90nbxPwk154HfIoKACeJb/n
nb4/mAP3UXZ/vGrYANtNKjU=
=pR8E
-----END PGP SIGNATURE-----
Tom Eastep
2004-Oct-06 12:00 UTC
[Shorewall-devel] Re: [Shorewall-users] IPsec problems with tunneled networks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Solution: Add more SPDs!
> Not only add an SPD for each tunnel, see below:
>
> # network coupling
> spdadd 192.168.176.0/24 192.168.177.0/24 any -P out \
>     ipsec esp/tunnel/123.456.135.202-123.456.139.122/require;
> spdadd 192.168.177.0/24 192.168.176.0/24 any -P in \
>     ipsec esp/tunnel/123.456.139.122-123.456.135.202/require;
>
> # gateway to gateway
> spdadd 123.456.135.202/32 123.456.139.122/32 any -P out \
>     ipsec esp/tunnel/123.456.135.202-123.456.139.122/require;
> spdadd 123.456.139.122/32 123.456.135.202/32 any -P in \
>     ipsec esp/tunnel/123.456.139.122-123.456.135.202/require;
>
> # gateway A to network B + gateway B to network A
> spdadd 123.456.135.202/32 192.168.177.0/24 any -P out \
>     ipsec esp/tunnel/123.456.135.202-123.456.139.122/require;
> spdadd 123.456.139.122/32 192.168.176.0/24 any -P in \
>     ipsec esp/tunnel/123.456.139.122-123.456.135.202/require;
>

This is shown at http://shorewall.net/IPSEC-2.6.html (I updated the article
on 2004-10-01 to show the 6 SPD entries needed for full connectivity).

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZEDTO/MAbZfjDLIRAjQtAJ0XqBqY16JAqmeUq/mUQIz3kRy+sgCeJKUb
QUICoe5jItdiv0gyOlP8VKc=
=t2Uj
-----END PGP SIGNATURE-----
Tom Eastep
2004-Oct-06 13:27 UTC
[Shorewall-devel] Re: [Shorewall-users] IPsec problems with tunneled networks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Hello Tom!
>
>> This is shown at http://shorewall.net/IPSEC-2.6.html (I updated the
>> article on 2004-10-01 to show the 6 SPD entries needed for full
>> connectivity).
>
> After further investigation, I came to the conclusion, that you need
> 8 SPD entries in order to cover every possible interconnection.
>
> It is really complicated - I only manage to understand it if I
> draw it on paper :)

You are correct -- I've added the two missing rules.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZFUtO/MAbZfjDLIRArQzAKC0N5g8xKmZh0QQil8X8oUeaZg/4wCgmyWT
aCfb0gVmcp3cojKihWi/iTM=
=KNiv
-----END PGP SIGNATURE-----
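The thread converges on the rule that a net-to-net tunnel whose gateways must also be reachable needs eight SPD entries per gateway, and that a six-entry file like the one quoted earlier silently leaves two selectors uncovered. The script below is an added example, not code from this thread or from the Shorewall project. It generates the full set from the two gateway addresses and the two networks (every pair in {local net, local gateway} x {remote net, remote gateway}, outbound, plus the mirror pairs inbound), emits a complete setkey.conf, and audits a hand-written file for missing selectors. The addresses are constructed documentation values, not the ones from the thread, and the name `SIX_ENTRY_CONF` is a constructed copy of the six-entry layout quoted above, re-addressed.

```python
"""Generate and audit setkey SPD entries for a net-to-net IPsec tunnel.

Added example, not code from the thread or from the Shorewall project.
Generalizes the thread's conclusion: each gateway needs an outbound policy
for every (local, remote) pair in {local net, local gw} x {remote net,
remote gw}, and an inbound policy for every mirrored pair: 4 x 2 = 8 lines.
Addresses are constructed (RFC 5737 documentation ranges on the public side).
"""
import re
from ipaddress import ip_address, ip_network

# Matches one logical spdadd line in the form used throughout the thread.
SPD_RE = re.compile(
    r"^spdadd (\S+) (\S+) any -P (in|out) ipsec "
    r"esp/tunnel/([^\s/-]+)-([^\s/-]+)/require;$"
)

# Constructed sample topology (gateway A is "local" below).
GW_A, NET_A = "198.51.100.1", "192.168.176.0/24"
GW_B, NET_B = "203.0.113.1", "192.168.177.0/24"


def spd_entries(local_gw, local_net, remote_gw, remote_net):
    """Return the 8 spdadd lines for the gateway whose public address is local_gw.

    The peer's file is the same call with the local/remote arguments swapped,
    which yields the same selectors with in/out reversed.
    """
    ip_address(local_gw)        # fail early on mistyped addresses
    ip_address(remote_gw)
    ip_network(local_net)
    ip_network(remote_net)
    local_side = [f"{local_gw}/32", local_net]
    remote_side = [f"{remote_gw}/32", remote_net]
    lines = []
    for src in local_side:      # traffic this gateway originates or forwards out
        for dst in remote_side:
            lines.append(f"spdadd {src} {dst} any -P out ipsec "
                         f"esp/tunnel/{local_gw}-{remote_gw}/require;")
    for src in remote_side:     # traffic arriving through the tunnel
        for dst in local_side:
            lines.append(f"spdadd {src} {dst} any -P in ipsec "
                         f"esp/tunnel/{remote_gw}-{local_gw}/require;")
    return lines


def setkey_conf(local_gw, local_net, remote_gw, remote_net):
    """Complete setkey.conf text: clear the SAD/SPD, then install the 8 policies."""
    header = ["#!/usr/sbin/setkey -f", "flush;", "spdflush;", ""]
    body = spd_entries(local_gw, local_net, remote_gw, remote_net)
    return "\n".join(header + body) + "\n"


def _logical_lines(text):
    """Join backslash-continued lines, as setkey -f does."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield buf + line
        buf = ""


def parse_spd(text):
    """Extract (src, dst, direction, tunnel_src, tunnel_dst) from spdadd lines."""
    found = []
    for line in _logical_lines(text):
        m = SPD_RE.match(line)
        if m:
            found.append(m.groups())
    return found


def missing_entries(text, local_gw, local_net, remote_gw, remote_net):
    """Selectors a hand-written setkey.conf lacks for full connectivity.

    Returns a sorted list of (src, dst, direction) triples.
    """
    full = "\n".join(spd_entries(local_gw, local_net, remote_gw, remote_net))
    wanted = {(s, d, p) for s, d, p, _, _ in parse_spd(full)}
    present = {(s, d, p) for s, d, p, _, _ in parse_spd(text)}
    return sorted(wanted - present)


# Constructed copy of the six-entry layout quoted in the thread, re-addressed.
SIX_ENTRY_CONF = """\
#!/usr/sbin/setkey -f
flush;
spdflush;
# network coupling
spdadd 192.168.176.0/24 192.168.177.0/24 any -P out \\
    ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 192.168.177.0/24 192.168.176.0/24 any -P in \\
    ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
# gateway to gateway
spdadd 198.51.100.1/32 203.0.113.1/32 any -P out \\
    ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 203.0.113.1/32 198.51.100.1/32 any -P in \\
    ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
# gateway A to network B + gateway B to network A
spdadd 198.51.100.1/32 192.168.177.0/24 any -P out \\
    ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 203.0.113.1/32 192.168.176.0/24 any -P in \\
    ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
"""

if __name__ == "__main__":
    print(setkey_conf(GW_A, NET_A, GW_B, NET_B))
    print("missing from six-entry file:",
          missing_entries(SIX_ENTRY_CONF, GW_A, NET_A, GW_B, NET_B))
```

Running the audit on the six-entry file reports exactly the two selectors the thread found missing: local network to remote gateway outbound, and remote network to local gateway inbound. The generated file for gateway B is the same call with the arguments swapped, so the two files can be diffed to confirm that every outbound selector on one side has its inbound twin on the other.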
class wrote on 06/10/2004 11:18:48:
> Hello, I have the following situation:
>
> 192.168.176.0/24 ------ A ========== B ------ 192.168.177.0/24
> 192.168.176.2 pop3          ipsec
>                             racoon
>
> policy: (Machine A and B)
> -------
> loc vpn ACCEPT
> vpn loc ACCEPT
> all all REJECT info
>
> rules: (Machine A)
> ------
> ACCEPT net:192.168.177.0/24 loc all
> ACCEPT loc net:192.168.177.0/24 all

shouldn't 192.168.177.0/24 be in vpn zone for Machine A? and if that's so,
you don't need this rule, you already have a policy stating this...

> rules: (Machine B)
> ------
> ACCEPT net:192.168.176.0/24 loc all
> ACCEPT loc net:192.168.176.0/24 all

same here?

cheers,
________________________
Eduardo Ferreira
Icatu Holding S.A.
Supervisor de TI
(5521) 3804-8606
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

claas@rootdir.de wrote:
> Hello, I have the following situation:
>
> 192.168.176.0/24 ------ A ========== B ------ 192.168.177.0/24
> 192.168.176.2 pop3          ipsec
>                             racoon
>
> policy: (Machine A and B)
> -------
> loc vpn ACCEPT
> vpn loc ACCEPT
> all all REJECT info
>
> rules: (Machine A)
> ------
> ACCEPT net:192.168.177.0/24 loc all
> ACCEPT loc net:192.168.177.0/24 all
>
> rules: (Machine B)
> ------
> ACCEPT net:192.168.176.0/24 loc all
> ACCEPT loc net:192.168.176.0/24 all

Eduardo has already pointed out the problem with your rules.

> tunnels: (Machine A and B)
> --------
> ipsec net IP_OF_OTHER_SIDE
>
> hosts:
> ------
> vpn ppp0:192.168.[176,177].0/24 ipsec

So I guess that your internet connection uses PPPoE?

> start:
> ------
> /etc/racoon/setkey.conf
>
> /etc/racoon/setkey.conf: (in and out swapped between machine A and B)
> ------------------------
> #!/usr/sbin/setkey -f
> flush;
> spdflush;
> spdadd 192.168.177.0/24 192.168.176.0/24 any -P out
>     ipsec esp/tunnel/MACHINE_A-MACHINE_B/require;
> spdadd 192.168.176.0/24 192.168.177.0/24 any -P in
>     ipsec esp/tunnel/MACHINE_A-MACHINE_B /require;

I assume that the last actually reads MACHINE_B-MACHINE_A

> what works:
> - pinging from clients within the left network to the right network
>   and vice versa works (192.168.176.2-254 to 192.168.177.2-254)
> - VNC from a machine in network A to a machine in network B works
>
> problems:
>
> 1.
> when 192.168.177.21 connects to 192.168.176.2 pop3 then I can issue
> commands, but I cannot RETR emails.
>
> Sending emails to the same IP works fine.
>
> 2.
> Machine A and B have the IP-number 192.168.[176,177].1, but they
> are not able to ping to the other networks side.
> 192.168.176.1 cannot reach any machine in 192.168.177.0/24 and vice
> versa.
>
> I think this could be a problem of my ipsec SPD, but I am not sure.
> I also tried to add two more SPDs, but with no success.
>

Claas,

First of all, have you installed the ipsec-netfilter patches yet? The ruleset
that Shorewall creates under 2.1.* assumes that those patches are in place and
will likely give you poor results if the patches are missing.

Secondly, because you are running Shorewall 2.1.x and using features only
available in 2.1, we really should be looking at this problem on the
Development list.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZAhyO/MAbZfjDLIRAuJOAKCjbRYG7T+DpFp86w4kPQ4yxHbxfACgwxle
8JyvLpBJx1NuyroPwLwG4GE=
=NbBF
-----END PGP SIGNATURE-----
Tom Eastep
2004-Oct-06 16:01 UTC
[Shorewall-devel] Re: [Shorewall-users] IPsec problems with tunneled networks
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tom Eastep wrote:
> claas@rootdir.de wrote:
>
>>> Hello Tom!
>>>
>>>> This is shown at http://shorewall.net/IPSEC-2.6.html (I updated the
>>>> article on 2004-10-01 to show the 6 SPD entries needed for full
>>>> connectivity).
>>>
>>> After further investigation, I came to the conclusion, that you need
>>> 8 SPD entries in order to cover every possible interconnection.
>>>
>>> It is really complicated - I only manage to understand it if I
>>> draw it on paper :)
>
> You are correct -- I've added the two missing rules.
>

I have also updated the definition of the 'vpn' zones to include the remote
gateway in the zone.

- -Tom
- --
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFBZHlCO/MAbZfjDLIRAtyCAKC6fNllntTol3vDagHf2B80jK4mDQCgy2GY
aulGfJp1+klwcXbShdnS1NM=
=6gut
-----END PGP SIGNATURE-----