Johannes Graumann
2004-Oct-31  23:00 UTC
Masquerading through IPSECed wireless dropping packets selectively?
Hello,

I'm stuck IPSECing my wireless network at home and would appreciate any comments. I apologize in advance if I'm wasting your time with trivia - I'm not a professional, and staring at the problem for days from various angles hasn't done me any good ...

My home server/firewall (morannon) is hooked up through a USB-to-ethernet adapter (eth1) to my DSL modem. Its network card (eth0; 192.168.1.1) serves the house through a Linksys WAP11 wireless access point (including acting as a DHCP server). The server is masquerading the entire local network (192.168.1.0) to the outside world. It runs a Debian 2.6.8 kernel. I have had this setup up and running for months using Shorewall and an unencrypted wireless network - so I know the basics.

The machine connecting through the wireless network to the server (and the world) is my laptop (precious), which is being dealt 192.168.1.3 by DHCP. It is running a home-made 2.6.9 kernel.

I have set out tunneling the wireless traffic through IPSEC, using Openswan and following more or less this document: http://www.natecarlson.com/linux/ipsec-x509.php

I have succeeded doing that. I can ping both the server/firewall and outside systems from my laptop, and tcpdump on the respective interfaces reports properly ESPed packets.

The situation becomes strange when e.g. trying to connect from the laptop to web pages: google.com is accessed without problems, for example (all packets being IPSECed), while access to other pages (including shorewall.net, e.g.) times out. The connection is established, even the location bar icon shows up, and then things grind to a halt. This seems to be associated with errors like:

> 11:30:47.273230 IP precious_cabled > dns1.lsanca.sbcglobal.net: icmp 247: precious_cabled udp port 32837 unreachable

I've played around with this a ton and can't get it to work. I would highly appreciate any hints - kicks in the b... as well (if they propel me in the right direction). Please find information gathered from morannon below.

Thanks a lot for looking at this,
Joh

> shorewall version
2.0.9 --> debian testing *.deb

> ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:63:ca:c3:ca brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::240:63ff:feca:c3ca/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1540 qdisc pfifo_fast qlen 1000
    link/ether 00:10:60:e9:b1:08 brd ff:ff:ff:ff:ff:ff
    inet 69.111.9.163/24 brd 69.111.9.255 scope global eth1
    inet6 fe80::210:60ff:fee9:b108/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0

> ip route show
192.168.1.3 via 192.168.1.3 dev eth0
69.111.9.0/24 dev eth1 proto kernel scope link src 69.111.9.163
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
default via 69.111.9.162 dev eth1

Outputs of 'shorewall show' and 'shorewall status' are attached, as are the contents of my /etc/shorewall directory.

Thanks again for taking the time to look through this,
Joh
Tom Eastep
2004-Oct-31  23:30 UTC
Re: Masquerading through IPSECed wireless dropping packets selectively?
Johannes Graumann wrote:
> The situation becomes strange when e.g. trying to connect from the
> laptop to webpages: google.com is accessed without problems for example
> (all packets being IPSECed), while access to other pages (including
> shorewall.net e.g.) times out. Connection is established, even the
> location bar icon shows up and then things grind to a halt. This seems
> to be associated with errors like:
>
> > 11:30:47.273230 IP precious_cabled > dns1.lsanca.sbcglobal.net: icmp 247: precious_cabled udp port 32837 unreachable
>
> I've played around with this a ton and can't get it to work. I would
> highly appreciate any hints - kicks in the b... as well (if they propel
> me into the right direction).

You probably need to set the MSS for traffic FROM your wireless zone to 1400 or so. That's what I have to do to avoid these sorts of problems from my wireless zone. See http://shorewall.net/myfiles.htm -- look at the /etc/shorewall/ipsec file on 'ursa', which is the system that hosts my IPSEC wireless gateway. Note that you need to be running Shorewall 2.2.0 Beta 1.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
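The arithmetic behind the MSS clamp Tom recommends, as an added example (not code from the thread or from Shorewall): it computes how much ESP adds to a packet and the largest MSS whose encapsulated segment still fits a 1500-byte link. The ESP parameters are assumptions (AES-CBC with HMAC-SHA1-96, IPv4 tunnel mode), since the thread does not state which cipher the Openswan tunnel uses; a second call shows the same calculation for 3DES-sized IV and block.

```python
# Added example (not from the thread): why a TCP MSS clamp is needed when a
# 1500-byte wireless link is tunnelled through ESP, and how large the clamp
# may be. ESP parameters are assumptions: AES-CBC (16-byte IV and block) with
# HMAC-SHA1-96 (12-byte ICV), IPv4 tunnel mode.

IPV4_HDR = 20
TCP_HDR = 20
ESP_SPI_SEQ = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


def esp_overhead(plain_len, iv_len=16, block_size=16, icv_len=12, tunnel=True):
    """Bytes ESP adds around `plain_len` bytes of plaintext (the inner packet)."""
    # Plaintext plus the 2-byte trailer is padded up to a cipher block multiple.
    padding = (-(plain_len + ESP_TRAILER)) % block_size
    overhead = ESP_SPI_SEQ + iv_len + padding + ESP_TRAILER + icv_len
    if tunnel:
        overhead += IPV4_HDR  # tunnel mode prepends a fresh outer IP header
    return overhead


def fits(mss, link_mtu, **esp):
    """True if a full-size segment with this MSS survives ESP without fragmentation."""
    inner = IPV4_HDR + TCP_HDR + mss
    return inner + esp_overhead(inner, **esp) <= link_mtu


def largest_mss(link_mtu, **esp):
    """Largest MSS whose encapsulated packet still fits the link MTU."""
    mss = link_mtu - IPV4_HDR - TCP_HDR     # plain-Ethernet value, 1460 for 1500
    while mss > 0 and not fits(mss, link_mtu, **esp):
        mss -= 1
    return mss


if __name__ == "__main__":
    # A peer advertising the usual 1460 yields 1560-byte ESP packets on a
    # 1500-byte link. With DF set and the ICMP "fragmentation needed" reply
    # never reaching the sender, the first full-size segment of a download is
    # lost while short responses still fit: the stall the thread describes.
    print("1460 fits:", fits(1460, 1500))                                # False
    print("clamp to:", largest_mss(1500))                                 # 1398
    print("3DES clamp:", largest_mss(1500, iv_len=8, block_size=8))       # 1406
```

The AES-CBC result lands just under the 1400 Tom quotes; a clamp is only safe if it is at or below the value computed for the cipher actually negotiated.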
Johannes Graumann
2004-Nov-02  22:41 UTC
Re: Masquerading through IPSECed wireless dropping packets selectively?
I'm looking into this ...

Does this require the application of all of the patches below from http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ipsec-01-output-hooks? Are they all kernel patches?

Joh

Author: Patrick McHardy <kaber@trash.net>
Status: Testing, should be fine
[NETFILTER+IPSEC 1/4] This patch adds new output hooks for IPsec. Packets traverse the hooks like this:
1. -> (plain) FORWARD -> POST_ROUTING -> (encrypted) LOCAL_OUT -> POST_ROUTING
2. -> (plain) LOCAL_OUT -> POST_ROUTING -> (encrypted) LOCAL_OUT -> POST_ROUTING

Author: Patrick McHardy <kaber@trash.net>
Status: Testing, should be fine
[NETFILTER+IPSEC 2/4] This patch makes packets decapsulated by IPsec traverse the netfilter input hooks again. Packets traverse the hooks like this:
1. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain) PRE_ROUTING -> LOCAL_IN
2. -> (encrypted) PRE_ROUTING -> LOCAL_IN -> (plain) PRE_ROUTING -> FORWARD

Author: Patrick McHardy <kaber@trash.net>
Status: Testing
[NETFILTER+IPSEC 3/4] This patch adds policy lookups to ip_route_me_harder and makes NAT reroute for any change that affects route/policy in LOCAL_OUT and POST_ROUTING.

Author: Patrick McHardy <kaber@trash.net>
Status: Testing
[NETFILTER+IPSEC 4/4] This patch makes xfrm_policy_check locate the correct policy after NAT.

On Sun, 31 Oct 2004 15:30:40 -0800 Tom Eastep <teastep@shorewall.net> wrote:
> Johannes Graumann wrote:
> > The situation becomes strange when e.g. trying to connect from the
> > laptop to webpages: google.com is accessed without problems for
> > example (all packets being IPSECed), while access to other pages
> > (including shorewall.net e.g.) times out. Connection is established,
> > even the location bar icon shows up and then things grind to a halt.
> > This seems to be associated with errors like:
> >
> > > 11:30:47.273230 IP precious_cabled > dns1.lsanca.sbcglobal.net: icmp 247: precious_cabled udp port 32837 unreachable
> >
> > I've played around with this a ton and can't get it to work. I would
> > highly appreciate any hints - kicks in the b... as well (if they
> > propel me into the right direction).
>
> You probably need to set the MSS for traffic FROM your wireless zone
> to 1400 or so. That's what I have to do to avoid these sorts of
> problems from my wireless zone. See http://shorewall.net/myfiles.htm
> -- look at the /etc/shorewall/ipsec file on 'ursa' which is the system
> that hosts my IPSEC wireless gateway. Note that you need to be running
> Shorewall 2.2.0 Beta 1.
>
> -Tom
Tom Eastep
2004-Nov-02  23:40 UTC
Re: Re: Masquerading through IPSECed wireless dropping packets selectively?
On Tue, 2004-11-02 at 14:41, Johannes Graumann wrote:
> I'm looking into this ...
>
> Does this require the application of all of the patches below from
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ipsec-01-output-hooks?

Yes.

> Are they all kernel patches?

They are all kernel patches, and you also need the 'policy match' patch in both your kernel and iptables.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Johannes Graumann
2004-Nov-03  06:09 UTC
Re: Masquerading through IPSECed wireless dropping packets selectively?
Thanks Tom,

I set out trying that and realized that I can't get any patches from the patch-o-matic (cvs or snapshot) to apply to a pristine 2.6.9 from kernel.org: massive rejections. Their HOWTO seems to imply (by way of requiring 'make dep') that this only works for 2.4 series kernels? Or is there a 2.6 series version patch-o-matic will actually work with? Sorry to bother you with these trivia, but I can't find any answers to my 2.6 questions on groups.google.com, and the netfilter documentation is quite silent about this too...

Thanks for any hints,
Joh

On Tue, 02 Nov 2004 15:40:42 -0800 Tom Eastep <teastep@shorewall.net> wrote:
> On Tue, 2004-11-02 at 14:41, Johannes Graumann wrote:
> > I'm looking into this ...
> >
> > Does this require the application of all of the patches below from
> > http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-ipsec-01-output-hooks?
>
> Yes.
>
> > Are they all kernel patches?
>
> They are all kernel patches and you also need the 'policy match' patch
> in both your kernel and iptables.
>
> -Tom
Tom Eastep
2004-Nov-03  14:20 UTC
Re: Re: Masquerading through IPSECed wireless dropping packets selectively?
On Tue, 2004-11-02 at 22:09, Johannes Graumann wrote:
> Thanks Tom,
>
> I set out trying that and realized that I can't get any patches from the
> patch-o-matic (cvs or snapshot) to apply to a pristine 2.6.9 from
> kernel.org: Massive rejections. Their HOWTO seems to imply (by way of
> requiring 'make dep') that this only works for 2.4 series kernels? Or is
> there a 2.6 series version patch-o-matic will actually work with? Sorry
> to bother you with these trivia, but I can't find any answers to my 2.6
> questions on groups.google.com and the netfilter docu is quite silent
> about this too...

You probably were looking at the now retired 'Patch-o-matic'; the current patches (including for 2.6) are in Patch-o-matic-ng. That having been said, other folks have reported on the list that Patch-o-matic-ng and 2.6.9 don't play nice together yet.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Johannes Graumann
2004-Nov-03  17:19 UTC
Re: Masquerading through IPSECed wireless dropping packets selectively?
Tom,

Thanks again for your patience. I grabbed 2.6.8.1 from kernel.org and I can apply some patches from patch-o-matic-ng to it, but not the ipsec ones ...

This is just too raw for me and I'll let it rest for now. Is there any word on when the IPSEC matching will be merged into the main line?

Joh

On Wed, 03 Nov 2004 06:20:39 -0800 Tom Eastep <teastep@shorewall.net> wrote:
> On Tue, 2004-11-02 at 22:09, Johannes Graumann wrote:
> > Thanks Tom,
> >
> > I set out trying that and realized that I can't get any patches from
> > the patch-o-matic (cvs or snapshot) to apply to a pristine 2.6.9
> > from kernel.org: Massive rejections. Their HOWTO seems to imply (by
> > way of requiring 'make dep') that this only works for 2.4 series
> > kernels? Or is there a 2.6 series version patch-o-matic will
> > actually work with? Sorry to bother you with these trivia, but I
> > can't find any answers to my 2.6 questions on groups.google.com and
> > the netfilter docu is quite silent about this too...
>
> You probably were looking at the now retired 'Patch-o-matic'; the
> current patches (including for 2.6) are in Patch-o-matic-ng. That
> having been said, other folks have reported on the list that
> Patch-o-matic-ng and 2.6.9 don't play nice together yet.
>
> -Tom
Tom Eastep
2004-Nov-03  17:26 UTC
Re: Re: Masquerading through IPSECed wireless dropping packets selectively?
On Wed, 2004-11-03 at 09:19, Johannes Graumann wrote:
> Tom,
>
> Thanks again for your patience. I grabbed 2.6.8.1 from Kernel.org and I
> can apply some patches from patch-o-matic-ng to it, but not the ipsec
> ones ...
> This is just too raw for me and I'll let it rest for now. Is there any
> word when the IPSEC matching will be merged into the main line?

Haven't heard -- it is in some commercial distributions though (notably SuSE 9.1 updates and 9.2).

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Taso Hatzi
2004-Nov-04  08:18 UTC
Re: Re: Masquerading through IPSECed wireless dropping packets selectively?
Tom Eastep wrote:
> Haven't heard -- it is in some commercial distributions though (notably
> SuSE 9.1 updates and 9.2).

To put you on the spot, would you care to nominate a distribution or distributions that are better configured for use in routers/firewalls? I don't want to start a holy war here.
Tom Eastep
2004-Nov-04  15:46 UTC
Re: Re: Masquerading through IPSECed wireless dropping packets selectively?
On Thu, 2004-11-04 at 00:18, Taso Hatzi wrote:
> To put you on the spot, would you care to nominate a distribution
> or distributions that are better configured for use in
> routers/firewalls? I don't want to start a holy war here.

Nor do I, so I will give you my personal preferences, but they should not be interpreted as recommendations.

I switched to SuSE 9.1 on my firewall because current SuSE kernels include the Netfilter-ipsec and policy match patches and I really hate to have to patch/rebuild the kernel.

I like Debian because the networking init/config scripts are so straightforward and powerful.

If I had a need for "build, install and forget" router/firewalls then I would select LEAF/Bering-uClibc installed on CF (no hard drive) and one of the ultra-small platforms like Wrap or Soekris. Note that this distro still uses the 2.4 kernel only.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key