I have a zone "rw" defined as tun0 in interfaces.

From that zone, pings to zone "loc" succeed but pings to remote networks (On IPsec VPNs) are rejected in the all2all chain. From my point of view, these pings should be in the rw2cctc chain. (rw to cctc is ACCEPTed in policy.)

I must have a hole in my config, where would it be?

Thanks,

A.
On Wed, 2004-12-29 at 20:27 -0500, Adam Sherman wrote:
> I have a zone "rw" defined as tun0 in interfaces.
>
> From that zone, pings to zone "loc" succeed but pings to remote
> networks (On IPsec VPNs) are rejected in the all2all chain. From my
> point of view, these pings should be in the rw2cctc chain. (rw to cctc
> is ACCEPTed in policy.)
>
> I must have a hole in my config, where would it be?

How can we possibly know without seeing your configuration?????????

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
>> I have a zone "rw" defined as tun0 in interfaces.
>>
>> From that zone, pings to zone "loc" succeed but pings to remote
>> networks (On IPsec VPNs) are rejected in the all2all chain. From my
>> point of view, these pings should be in the rw2cctc chain. (rw to cctc
>> is ACCEPTed in policy.)
>>
>> I must have a hole in my config, where would it be?
>
> How can we possibly know without seeing your configuration?????????

Heh, sorry. :-) I'll try to be brief...

1. I have a "rw" and a "cctc" defined in zones
2. interfaces has "rw tun0"
3. "cctc" is defined in hosts as "cctc eth0.2:10.100.4.0/24 ipsec"
4. policy has "rw cctc ACCEPT"

Pinging from 10.100.1.22 to 10.100.4.10 causes the following log entry:

kernel: Shorewall:all2all:REJECT:IN=tun0 OUT=eth0.2 SRC=10.100.1.22 DST=10.100.4.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=20397 PROTO=ICMP TYPE=8 CODE=0 ID=751 SEQ=504

I'm expecting this to be in a "rw2cctc" chain, and to be allowed.

I just noticed that those packets aren't coming back from the remote network due to the lack of a route, but that's a different story. I *can* ping 10.100.0.10 from 10.100.1.22.

If more detail is needed, please reply.

Thanks,

A.
On Wed, 2004-12-29 at 20:48 -0500, Adam Sherman wrote:
>
> If more detail is needed, please reply.

Adam,

Please go to http://shorewall.net/support.htm and read. I want you to read carefully so you have no doubt about what a proper Shorewall problem report should contain. Then please provide us with ALL of the information that applies to your problem that is described in that support guide. Only then can we help you.

Setting up network routers/firewalls involves lots of details and if you get the details wrong then it doesn't work. You can't really paraphrase your problem for us and hope to get anywhere because you don't understand yourself why your system isn't working. Thus, you can't accurately paraphrase the problem and be confident that you have included information that is even remotely relevant to the root problem.

-Tom
On Wed, 2004-12-29 at 18:10 -0800, Tom Eastep wrote:
> Setting up network routers/firewalls involves lots of details and if you
> get the details wrong then it doesn't work. You can't really paraphrase
> your problem for us and hope to get anywhere because you don't
> understand yourself why your system isn't working. Thus, you can't
> accurately paraphrase the problem and be confident that you have
> included information that is even remotely relevant to the root problem.

Given that 'ipsec' appears in the OPTIONS in your hosts file entry, it also appears that you are running Shorewall 2.1.x or 2.2.0 Beta/RC. Hence, there is the distinct possibility that you are seeing a bug in Shorewall itself but you haven't even told us which version of Shorewall that you are running -- think that might just possibly be relevant? :-)

-Tom
Tom Eastep wrote:
> Please go to http://shorewall.net/support.htm and read.

A very wise idea.

- Shorewall 2.2.0-Beta7

ip link show:

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:d0:b7:5d:09:06 brd ff:ff:ff:ff:ff:ff
    inet 10.100.0.1/24 brd 10.255.255.255 scope global eth0
    inet6 fe80::2d0:b7ff:fe5d:906/64 scope link
       valid_lft forever preferred_lft forever
3: eth0.2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq
    link/ether 00:d0:b7:5d:09:06 brd ff:ff:ff:ff:ff:ff
    inet 66.46.199.130/25 brd 66.255.255.255 scope global eth0.2
    inet6 fe80::2d0:b7ff:fe5d:906/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/[65534]
    inet 10.100.1.1 peer 10.100.1.2/32 scope global tun0

ip route show:

66.46.199.192 dev eth0 scope link
66.46.199.193 dev eth0 scope link
66.46.199.194 dev eth0 scope link
66.46.199.195 dev eth0 scope link
66.46.199.196 dev eth0 scope link
66.46.199.197 dev eth0 scope link
66.46.199.198 dev eth0 scope link
66.46.199.199 dev eth0 scope link
66.46.199.200 dev eth0 scope link
66.46.199.201 dev eth0 scope link
66.46.199.146 dev eth0 scope link
66.46.199.147 dev eth0 scope link
66.46.199.144 dev eth0 scope link
66.46.199.145 dev eth0 scope link
66.46.199.150 dev eth0 scope link
66.46.199.151 dev eth0 scope link
66.46.199.148 dev eth0 scope link
66.46.199.149 dev eth0 scope link
66.46.199.154 dev eth0 scope link
66.46.199.155 dev eth0 scope link
66.46.199.152 dev eth0 scope link
66.46.199.153 dev eth0 scope link
66.46.199.158 dev eth0 scope link
66.46.199.159 dev eth0 scope link
66.46.199.156 dev eth0 scope link
66.46.199.157 dev eth0 scope link
66.46.199.131 dev eth0 scope link
66.46.199.134 dev eth0 scope link
66.46.199.135 dev eth0 scope link
66.46.199.132 dev eth0 scope link
66.46.199.133 dev eth0 scope link
66.46.199.138 dev eth0 scope link
66.46.199.139 dev eth0 scope link
66.46.199.136 dev eth0 scope link
66.46.199.137 dev eth0 scope link
66.46.199.142 dev eth0 scope link
66.46.199.143 dev eth0 scope link
66.46.199.140 dev eth0 scope link
66.46.199.141 dev eth0 scope link
66.46.199.179 dev eth0 scope link
66.46.199.178 dev eth0 scope link
10.100.1.2 dev tun0 proto kernel scope link src 10.100.1.1
66.46.199.177 dev eth0 scope link
66.46.199.176 dev eth0 scope link
66.46.199.183 dev eth0 scope link
66.46.199.182 dev eth0 scope link
66.46.199.181 dev eth0 scope link
66.46.199.180 dev eth0 scope link
66.46.199.187 dev eth0 scope link
66.46.199.186 dev eth0 scope link
66.46.199.185 dev eth0 scope link
66.46.199.184 dev eth0 scope link
66.46.199.191 dev eth0 scope link
66.46.199.190 dev eth0 scope link
66.46.199.189 dev eth0 scope link
66.46.199.188 dev eth0 scope link
66.46.199.163 dev eth0 scope link
66.46.199.162 dev eth0 scope link
66.46.199.161 dev eth0 scope link
66.46.199.160 dev eth0 scope link
66.46.199.167 dev eth0 scope link
66.46.199.166 dev eth0 scope link
66.46.199.165 dev eth0 scope link
66.46.199.164 dev eth0 scope link
66.46.199.171 dev eth0 scope link
66.46.199.170 dev eth0 scope link
66.46.199.169 dev eth0 scope link
66.46.199.168 dev eth0 scope link
66.46.199.175 dev eth0 scope link
66.46.199.174 dev eth0 scope link
66.46.199.173 dev eth0 scope link
66.46.199.172 dev eth0 scope link
10.100.16.32/28 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.16.48/28 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.16.0/28 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.16.16/28 via 66.46.199.129 dev eth0.2 src 10.100.0.1
66.46.199.128/25 dev eth0.2 proto kernel scope link src 66.46.199.130
10.100.12.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.14.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.25.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.101.0.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.101.2.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.10.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.4.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.7.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.6.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.1.0/24 via 10.100.1.2 dev tun0
10.100.0.0/24 dev eth0 proto kernel scope link src 10.100.0.1
10.100.3.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
10.100.2.0/24 via 66.46.199.129 dev eth0.2 src 10.100.0.1
default via 66.46.199.129 dev eth0.2

Status output attached.

Ping response:

PING 10.100.4.10 (10.100.4.10): 56 data bytes

--- 10.100.4.10 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

This log entry is the issue:

Dec 29 21:30:40 all2all:REJECT:IN=tun0 OUT=eth0.2 SRC=10.100.1.22 DST=10.100.4.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=24780 PROTO=ICMP TYPE=8 CODE=0 ID=790 SEQ=2

I will attach more configuration files if necessary, just ask.

Thank you for your patience, it is much appreciated!

A.

To restate the issue, I'm pinging from 10.100.1.22 to 10.100.4.10, without success.
On Wed, 2004-12-29 at 21:32 -0500, Adam Sherman wrote:
> This log entry is the issue:
>
> Dec 29 21:30:40 all2all:REJECT:IN=tun0 OUT=eth0.2 SRC=10.100.1.22
> DST=10.100.4.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=24780 PROTO=ICMP
> TYPE=8 CODE=0 ID=790 SEQ=2
>
> I will attach more configuration files if necessary, just ask.
>
> Thank you for your patience, it is much appreciated!

What is the output of "setkey -DP"?

-Tom
Tom Eastep wrote:
>> Thank you for your patience, it is much appreciated!
>
> What is the output of "setkey -DP"?

10.100.12.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/66.201.248.209-66.46.199.130/unique#16443
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4040 seq=37 pid=8040 refcnt=1
10.100.16.16/28[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/207.164.197.79-66.46.199.130/unique#16445
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4056 seq=36 pid=8040 refcnt=1
10.100.16.48/28[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/207.164.197.78-66.46.199.130/unique#16447
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4072 seq=35 pid=8040 refcnt=1
10.100.4.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/216.18.124.249-66.46.199.130/unique#16449
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4088 seq=34 pid=8040 refcnt=1
10.100.16.32/28[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/207.164.197.77-66.46.199.130/unique#16451
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4104 seq=33 pid=8040 refcnt=1
10.100.25.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/67.162.16.235-66.46.199.130/unique#16455
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4136 seq=32 pid=8040 refcnt=1
10.101.2.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/207.164.197.119-66.46.199.130/unique#16457
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4152 seq=31 pid=8040 refcnt=1
10.100.16.0/28[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/207.164.197.76-66.46.199.130/unique#16459
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4168 seq=30 pid=8040 refcnt=1
10.100.3.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/64.119.101.186-66.46.199.130/unique#16461
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4184 seq=29 pid=8040 refcnt=1
10.100.14.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/207.164.197.80-66.46.199.130/unique#16463
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4200 seq=28 pid=8040 refcnt=1
10.100.2.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/206.253.19.114-66.46.199.130/unique#16465
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4216 seq=27 pid=8040 refcnt=1
10.100.10.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/66.201.199.153-66.46.199.130/unique#16467
    created: Dec 29 16:28:48 2004 lastused: Dec 29 16:35:15 2004 lifetime: 0(s) validtime: 0(s) spid=4232 seq=26 pid=8040 refcnt=1
10.100.7.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/216.191.233.126-66.46.199.130/unique#16469
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4248 seq=25 pid=8040 refcnt=1
10.100.6.0/24[any] 10.100.0.0/24[any] any in ipsec esp/tunnel/72.1.215.33-66.46.199.130/unique#16471
    created: Dec 29 16:28:48 2004 lastused: Dec 29 16:35:11 2004 lifetime: 0(s) validtime: 0(s) spid=4264 seq=24 pid=8040 refcnt=1
10.100.0.0/24[any] 10.100.12.0/24[any] any out ipsec esp/tunnel/66.46.199.130-66.201.248.209/unique#16442
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:35:30 2004 lifetime: 0(s) validtime: 0(s) spid=4033 seq=23 pid=8040 refcnt=2
10.100.0.0/24[any] 10.100.16.16/28[any] any out ipsec esp/tunnel/66.46.199.130-207.164.197.79/unique#16444
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4049 seq=22 pid=8040 refcnt=1
10.100.0.0/24[any] 10.100.16.48/28[any] any out ipsec esp/tunnel/66.46.199.130-207.164.197.78/unique#16446
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4065 seq=21 pid=8040 refcnt=1
10.100.0.0/24[any] 10.100.4.0/24[any] any out ipsec esp/tunnel/66.46.199.130-216.18.124.249/unique#16448
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:40:43 2004 lifetime: 0(s) validtime: 0(s) spid=4081 seq=20 pid=8040 refcnt=5
10.100.0.0/24[any] 10.100.16.32/28[any] any out ipsec esp/tunnel/66.46.199.130-207.164.197.77/unique#16450
    created: Dec 29 16:28:48 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4097 seq=19 pid=8040 refcnt=1
10.100.0.0/24[any] 10.100.25.0/24[any] any out ipsec esp/tunnel/66.46.199.130-67.162.16.235/unique#16454
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:40:25 2004 lifetime: 0(s) validtime: 0(s) spid=4129 seq=18 pid=8040 refcnt=4
10.100.0.0/24[any] 10.101.2.0/24[any] any out ipsec esp/tunnel/66.46.199.130-207.164.197.119/unique#16456
    created: Dec 29 16:28:48 2004 lastused: Dec 29 16:35:04 2004 lifetime: 0(s) validtime: 0(s) spid=4145 seq=17 pid=8040 refcnt=1
10.100.0.0/24[any] 10.100.16.0/28[any] any out ipsec esp/tunnel/66.46.199.130-207.164.197.76/unique#16458
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:40:35 2004 lifetime: 0(s) validtime: 0(s) spid=4161 seq=16 pid=8040 refcnt=2
10.100.0.0/24[any] 10.100.3.0/24[any] any out ipsec esp/tunnel/66.46.199.130-64.119.101.186/unique#16460
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:29:21 2004 lifetime: 0(s) validtime: 0(s) spid=4177 seq=15 pid=8040 refcnt=1
10.100.0.0/24[any] 10.100.14.0/24[any] any out ipsec esp/tunnel/66.46.199.130-207.164.197.80/unique#16462
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:38:02 2004 lifetime: 0(s) validtime: 0(s) spid=4193 seq=14 pid=8040 refcnt=3
10.100.0.0/24[any] 10.100.2.0/24[any] any out ipsec esp/tunnel/66.46.199.130-206.253.19.114/unique#16464
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:40:47 2004 lifetime: 0(s) validtime: 0(s) spid=4209 seq=13 pid=8040 refcnt=4
10.100.0.0/24[any] 10.100.10.0/24[any] any out ipsec esp/tunnel/66.46.199.130-66.201.199.153/unique#16466
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:40:06 2004 lifetime: 0(s) validtime: 0(s) spid=4225 seq=12 pid=8040 refcnt=3
10.100.0.0/24[any] 10.100.7.0/24[any] any out ipsec esp/tunnel/66.46.199.130-216.191.233.126/unique#16468
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:35:30 2004 lifetime: 0(s) validtime: 0(s) spid=4241 seq=11 pid=8040 refcnt=2
10.100.0.0/24[any] 10.100.6.0/24[any] any out ipsec esp/tunnel/66.46.199.130-72.1.215.33/unique#16470
    created: Dec 29 16:28:48 2004 lastused: Dec 29 21:40:37 2004 lifetime: 0(s) validtime: 0(s) spid=4257 seq=10 pid=8040 refcnt=3
0.0.0.0/0[any] 0.0.0.0/0[any] any in none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4819 seq=9 pid=8040 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any in none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4803 seq=8 pid=8040 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any in none
    created: Dec 29 17:06:02 2004 lastused: Dec 29 21:40:13 2004 lifetime: 0(s) validtime: 0(s) spid=4787 seq=7 pid=8040 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any in none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4771 seq=6 pid=8040 refcnt=1
::/0[any] ::/0[any] any in none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4755 seq=5 pid=8040 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any out none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4828 seq=4 pid=8040 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any out none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4812 seq=3 pid=8040 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any out none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4796 seq=2 pid=8040 refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any out none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4780 seq=1 pid=8040 refcnt=1
::/0[any] ::/0[any] any out none
    created: Dec 29 17:06:02 2004 lastused: lifetime: 0(s) validtime: 0(s) spid=4764 seq=0 pid=8040 refcnt=1

Apologies in advance for causing my own problems. I built this entire setup over the past 2 days with nowhere near enough planning. Living on the wild side, I guess. :-)

Thanks,

A.
On Wed, 2004-12-29 at 21:42 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
>>> Thank you for your patience, it is much appreciated!
>>
>> What is the output of "setkey -DP"?
>
> Apologies in advance for causing my own problems. I built this entire
> setup over the past 2 days with nowhere near enough planning. Living on
> the wild side, I guess. :-)

I don't see any SPD entry that would encrypt the traffic you are concerned about; do you???

-Tom
Tom Eastep wrote:
>>> What is the output of "setkey -DP"?
>>
>> Apologies in advance for causing my own problems. I built this entire
>> setup over the past 2 days with nowhere near enough planning. Living on
>> the wild side, I guess. :-)
>
> I don't see any SPD entry that would encrypt the traffic you are
> concerned about; do you???

Uh oh, you may have discovered a flaw in my understanding of IPsec SPD. In order for traffic from remote network A to remote network B to flow, an explicit SPD entry is required? (I thought that it was terminated at the router, then sent back out. Something like A->GW GW->B. So I thought my two SPD entries would cover it.)

Maybe I should have an entry like 10.100.0.0/16 -> network A, etc? I'll look into this.

Thanks again,

A.
On Wed, 2004-12-29 at 21:53 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
>>>> What is the output of "setkey -DP"?
>>>
>>> Apologies in advance for causing my own problems. I built this entire
>>> setup over the past 2 days with nowhere near enough planning. Living on
>>> the wild side, I guess. :-)
>>
>> I don't see any SPD entry that would encrypt the traffic you are
>> concerned about; do you???
>
> Uh oh, you may have discovered a flaw in my understanding of IPsec SPD.
> In order for traffic from remote network A to remote network B to flow,
> an explicit SPD entry is required? (I thought that it was terminated at
> the router, then sent back out. Something like A->GW GW->B. So I thought
> my two SPD entries would cover it.

No.

-Tom
On Wed, 2004-12-29 at 21:53 -0500, Adam Sherman wrote:
>
> Maybe I should have an entry like 10.100.0.0/16 -> network A, etc? I'll

Why don't you just have:

0.0.0.0/0 -> network A; and
network A -> 0.0.0.0/0?

-Tom
Tom Eastep wrote:
>>> I don't see any SPD entry that would encrypt the traffic you are
>>> concerned about; do you???
>>
>> Uh oh, you may have discovered a flaw in my understanding of IPsec SPD.
>> In order for traffic from remote network A to remote network B to flow,
>> an explicit SPD entry is required? (I thought that it was terminated at
>> the router, then sent back out. Something like A->GW GW->B. So I thought
>> my two SPD entries would cover it.
>
> No.

This means that there must be an SPD for every single possible combination of networks in a "hub & spoke" style IPsec network?

Thanks,

A.
Tom Eastep wrote:
>> Maybe I should have an entry like 10.100.0.0/16 -> network A, etc? I'll
>
> Why don't you just have:
>
> 0.0.0.0/0 -> network A; and
> network A -> 0.0.0.0/0?

This works when some networks may be connected using a non-IPsec VPN protocol (OpenVPN)? I guess I'm really not clear on this.

Thanks,

A.
On Wed, 2004-12-29 at 22:09 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
>>>> I don't see any SPD entry that would encrypt the traffic you are
>>>> concerned about; do you???
>>>
>>> Uh oh, you may have discovered a flaw in my understanding of IPsec SPD.
>>> In order for traffic from remote network A to remote network B to flow,
>>> an explicit SPD entry is required? (I thought that it was terminated at
>>> the router, then sent back out. Something like A->GW GW->B. So I thought
>>> my two SPD entries would cover it.
>>
>> No.
>
> This means that there must be an SPD for every single possible
> combination of networks in a "hub & spoke" style IPsec network?
>

There needs to be a pair of SPD entries for each secure remote network:

0.0.0.0/0 -> remote network
remote network -> 0.0.0.0/0

-Tom
On Wed, 2004-12-29 at 22:13 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
>>> Maybe I should have an entry like 10.100.0.0/16 -> network A, etc? I'll
>>
>> Why don't you just have:
>>
>> 0.0.0.0/0 -> network A; and
>> network A -> 0.0.0.0/0?
>
> This works when some networks may be connected using a non-IPsec VPN
> protocol (OpenVPN)? I guess I'm really not clear on this.

You want the above for each network 'A' that is to use IPSEC for encryption.

By corollary, you do NOT want the above for any network 'A' that uses OpenVPN (or no encryption).

-Tom
Tom Eastep wrote:
>>> Why don't you just have:
>>>
>>> 0.0.0.0/0 -> network A; and
>>> network A -> 0.0.0.0/0?
>>
>> This works when some networks may be connected using a non-IPsec VPN
>> protocol (OpenVPN)? I guess I'm really not clear on this.
>
> You want the above for each network 'A' that is to use IPSEC for
> encryption.
>
> By corollary, you do NOT want the above for any network 'A' that uses
> OpenVPN (or no encryption).

Ah, I see. If I have two remote networks: A via IPsec and B via OpenVPN, will having an SPD of "network A -> 0.0.0.0/0" prevent traffic from A to B?

A.
On Wed, 2004-12-29 at 22:30 -0500, Adam Sherman wrote:
> Tom Eastep wrote:
>>>> Why don't you just have:
>>>>
>>>> 0.0.0.0/0 -> network A; and
>>>> network A -> 0.0.0.0/0?
>>>
>>> This works when some networks may be connected using a non-IPsec VPN
>>> protocol (OpenVPN)? I guess I'm really not clear on this.
>>
>> You want the above for each network 'A' that is to use IPSEC for
>> encryption.
>>
>> By corollary, you do NOT want the above for any network 'A' that uses
>> OpenVPN (or no encryption).
>
> Ah, I see. If I have two remote networks: A via IPsec and B via OpenVPN,
> will having an SPD of "network A -> 0.0.0.0/0" prevent traffic from A to B?

NO!!!!!!!!!!!!!!!!!!

-Tom
Thank you very much for your patience and technical knowledge this evening. I am grateful. I hope not to have many more small issues.

Cheers,

A.
On Wed, 2004-12-29 at 22:49 -0500, Adam Sherman wrote:
> Thank you very much for your patience and technical knowledge this
> evening. I am grateful. I hope not to have many more small issues.

As a final note:

a) With tunnel mode, the SPD entry names the end-points of the tunnel.

b) At the "Hub", one end of the tunnel is always local. Hence, SPD entries at the hub ALWAYS REFER TO TRAFFIC TO/FROM THE HUB depending on whether the direction in the SPD is "in" or "out".

Hope that helps,

-Tom
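The hub-side SPD behaviour worked out in this thread (the 0.0.0.0/0 pair per IPsec spoke, and why an inbound policy for network A does not stop A -> B traffic toward an OpenVPN spoke), as an added example that is not part of the original thread or of Shorewall/KAME: a small Python model of the two SPD lookups a packet forwarded through the hub receives, using the addresses quoted above. Longest-selector selection and the catch-all 'none' entries standing for cleartext are simplifications of the kernel's SPD, not its exact algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    """One SPD entry: selectors, direction, and what a match means."""
    src: str        # source selector, e.g. "10.100.4.0/24"
    dst: str        # destination selector
    direction: str  # "in" or "out", as printed by setkey -DP
    action: str     # "ipsec" (ESP required/applied) or "none" (cleartext)

    def matches(self, src_ip: str, dst_ip: str, direction: str) -> bool:
        return (direction == self.direction
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))

    def specificity(self) -> int:
        # Simplification: the most specific selector pair wins.
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen)


def lookup(spd: List[Policy], src_ip: str, dst_ip: str,
           direction: str) -> Optional[Policy]:
    """Most specific policy matching the packet in one direction, or None."""
    hits = [p for p in spd if p.matches(src_ip, dst_ip, direction)]
    return max(hits, key=Policy.specificity, default=None)


def hub_forward(spd: List[Policy], src_ip: str, dst_ip: str):
    """A packet routed through the hub is checked twice: 'in' as it arrives
    from the originating network, 'out' as it leaves toward the destination.
    Returns the (inbound, outbound) actions; 'none' means cleartext."""
    inbound = lookup(spd, src_ip, dst_ip, "in")
    outbound = lookup(spd, src_ip, dst_ip, "out")
    return ((inbound.action if inbound else "none"),
            (outbound.action if outbound else "none"))


HUB_LAN = "10.100.0.0/24"   # eth0 on the hub (zone "loc")
SPOKE_A = "10.100.4.0/24"   # IPsec spoke (zone "cctc")
ANY = "0.0.0.0/0"
# 10.100.1.0/24 reaches the hub over OpenVPN (tun0, zone "rw"); no SPD entry.

# The pair for 10.100.4.0/24 as it appeared in the setkey -DP output, plus the
# catch-all 'none' entries that let everything else pass in the clear.
ORIGINAL_SPD = [
    Policy(SPOKE_A, HUB_LAN, "in", "ipsec"),
    Policy(HUB_LAN, SPOKE_A, "out", "ipsec"),
    Policy(ANY, ANY, "in", "none"),
    Policy(ANY, ANY, "out", "none"),
]

# The pair Tom recommends: 0.0.0.0/0 -> remote network, remote network -> 0.0.0.0/0
FIXED_SPD = [
    Policy(SPOKE_A, ANY, "in", "ipsec"),
    Policy(ANY, SPOKE_A, "out", "ipsec"),
    Policy(ANY, ANY, "in", "none"),
    Policy(ANY, ANY, "out", "none"),
]

if __name__ == "__main__":
    # The failing ping: 10.100.1.22 (over OpenVPN) -> 10.100.4.10. With the
    # original entries no policy selects ESP for it, so Shorewall does not see
    # it as traffic for the ipsec-tagged cctc zone and it falls into all2all.
    print(hub_forward(ORIGINAL_SPD, "10.100.1.22", "10.100.4.10"))  # ('none', 'none')
    print(hub_forward(FIXED_SPD, "10.100.1.22", "10.100.4.10"))     # ('none', 'ipsec')
    # The reply path A -> B: must arrive under ESP from A, then is forwarded to
    # the OpenVPN network in the clear. The inbound policy does not block it.
    print(hub_forward(FIXED_SPD, "10.100.4.10", "10.100.1.22"))     # ('ipsec', 'none')
```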