Hi all,

I am really struggling with this one. I have built a lot of Linux machines using IPSEC tunnels and Shorewall gateways. I decided to build a new test machine with Debian running 2.4.25 and Shorewall 2.0.15. I have two subnets on their own switches and separate Internet IPs. The tunnel sets up just fine and I can connect from Lan A to Lan B with no problems. Initiating a connection from Lan B to Lan A does not work though; it looks like the source address of the private box in Lan B is being NATed to the public IP it should use for Internet access. The Internet access, port forwarding rules and everything else works fine, it's just the IPSEC tunnel traffic. I tried modifying the setting in Shorewall conf that sets NAT before or after the rules; that didn't make a difference. I have been through the docs and run a lot of tests and I have not found anything like it on Google either. I just requested to join the list but have not received the opt-in mail yet, so if you could also copy my address on any ideas that would be great.

The traffic is allowed through the firewall and properly directed through the ipsec0 interface.

Feb 1 20:54:41 marge kernel: Shorewall:lan2gw:ACCEPT:IN=eth1 OUT=ipsec0 SRC=192.168.60.6 DST=192.168.59.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8107 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=5063
Feb 1 20:54:46 marge kernel: Shorewall:lan2gw:ACCEPT:IN=eth1 OUT=ipsec0 SRC=192.168.60.6 DST=192.168.59.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8112 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=5319
Feb 1 20:54:51 marge kernel: Shorewall:lan2gw:ACCEPT:IN=eth1 OUT=ipsec0 SRC=192.168.60.6 DST=192.168.59.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=8118 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=5575

A tcpdump listening on the ipsec0 interface shows traffic leaving with the NATed address, not the private address, so IPSEC correctly drops them at the other end.

21:01:08.774548 192.168.60.6.3389 > 192.168.59.10.1841: P 1205792193:1205792207(14) ack 4142984845 win 16242 (DF)
21:01:12.330353 s142-179-156-47.ab.hsia.telus.net > 192.168.59.9: icmp: echo request
21:01:17.337785 s142-179-156-47.ab.hsia.telus.net > 192.168.59.9: icmp: echo request
21:01:22.345273 s142-179-156-47.ab.hsia.telus.net > 192.168.59.9: icmp: echo request
21:01:27.352776 s142-179-156-47.ab.hsia.telus.net > 192.168.59.9: icmp: echo request

How do I tell iptables/Shorewall not to NAT traffic destined for this, or any other subnet reachable by IPSEC tunnels?

Thanks in advance, this one has been quite a chore. I have tried two different firewall scripts with no success; I am starting to suspect my kernel. I also attached the system dump.

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.836 / Virus Database: 569 - Release Date: 1/19/2005
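One way to confirm from the two captures above where the source rewrite happens, as an added example that is not part of the original thread: the Shorewall log proves the FORWARD chain still saw the private source, and tcpdump on ipsec0 shows what reached the tunnel. The subnets 192.168.60.0/24 and 192.168.59.0/24 and the sample lines are taken from the post; the function names and the verdict strings are my own.

```python
"""Added example (not from the thread): does traffic leaving ipsec0 still carry its
private source? Compares Shorewall FORWARD log lines with tcpdump output on ipsec0."""
import ipaddress, re
LAN_B = ipaddress.ip_network("192.168.60.0/24")   # assumed: LAN behind this gateway
REMOTE = ipaddress.ip_network("192.168.59.0/24")  # assumed: LAN A at the tunnel's far end
KV_RE = re.compile(r"(\w+)=(\S+)")                    # netfilter key=value pairs
TD_RE = re.compile(r"^\S+\s+(\S+)\s+>\s+([^\s:]+):")  # "<time> <src> > <dst>:"

SHOREWALL_LOG = [  # sample lines copied from the thread's own log excerpts
    "Feb 1 20:54:41 marge kernel: Shorewall:lan2gw:ACCEPT:IN=eth1 OUT=ipsec0 "
    "SRC=192.168.60.6 DST=192.168.59.9 LEN=60 TTL=127 ID=8107 PROTO=ICMP TYPE=8",
]
TCPDUMP = [
    "21:01:08.774548 192.168.60.6.3389 > 192.168.59.10.1841: P 1205792193:1205792207(14) ack 4142984845 win 16242 (DF)",
    "21:01:12.330353 s142-179-156-47.ab.hsia.telus.net > 192.168.59.9: icmp: echo request",
]

def _host(tok):
    """Strip a trailing .port from 'a.b.c.d.port'; hostnames come back unchanged."""
    parts = tok.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 and all(p.isdigit() for p in parts) else tok
def _in(net, tok):
    try:
        return ipaddress.ip_address(tok) in net
    except ValueError:  # a resolved hostname (tcpdump run without -n) is never a LAN address
        return False
def parse_shorewall(line):
    """Return the IN/OUT/SRC/DST fields of a Shorewall kernel log line."""
    fields = dict(KV_RE.findall(line))
    return {k: fields.get(k) for k in ("IN", "OUT", "SRC", "DST")}
def audit_tcpdump(lines):
    """(src, dst) pairs bound for REMOTE whose source is not a LAN_B address."""
    bad = []
    for line in lines:
        m = TD_RE.match(line)
        if m:
            src, dst = _host(m.group(1)), _host(m.group(2))
            if _in(REMOTE, dst) and not _in(LAN_B, src):
                bad.append((src, dst))
    return bad
def diagnose(shorewall_lines, tcpdump_lines):
    """'nat-after-forward' when FORWARD accepted a private source the wire no longer shows."""
    accepted = [p for p in map(parse_shorewall, shorewall_lines)
                if p["OUT"] == "ipsec0" and p["SRC"] and _in(LAN_B, p["SRC"])]
    leaked = audit_tcpdump(tcpdump_lines)
    if accepted and leaked:
        return "nat-after-forward"
    return "rewritten-source" if leaked else "ok"
```

A "nat-after-forward" verdict means the rewrite happened in POSTROUTING, after the rules logged the packet, which is where to look next; "ok" means the private source survived to the tunnel.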
I just got the list confirmation and noticed it's text only email so here it is again in plain text.
dleece wrote:
> Thanks in advance, this one has been quite a chore, I have tried two
> different firewall scripts with no success, I am starting to suspect
> my kernel. I also attached the system dump.

I certainly would (suspect the kernel) -- are you sure that this kernel hasn't been patched with the native IPSEC back-port?

-Tom

PS -- please post in plain text and configure your mailer to fold lines at an appropriate length. Each of your paragraphs is one long line!

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> dleece wrote:
>> Thanks in advance, this one has been quite a chore, I have tried two
>> different firewall scripts with no success, I am starting to suspect
>> my kernel. I also attached the system dump.
>
> I certainly would (suspect the kernel) -- are you sure that this kernel
> hasn't been patched with the native IPSEC back-port?

Oh -- and by the way; you are using the wrong rfc1918 file for Shorewall 2.0.15. The file for 2.0.15 should have only the three RFC 1918 networks in it.

-Tom
Hello Tom,

Thanks for the leads here, it turned out not to be the kernel after all. I guess the IPSEC back port is not in Debian 2.4.18, and even a brand new machine build was doing the same thing. I tested the connection with another destination and the NATing worked fine, so I went back to the network physical setup. The IPSEC hosts were on the same uplink switch to the DSL modem, so I bought another switch to isolate the troublesome connection and it works just fine now.

The other statement about the wrong rfc1918 file concerns me, this was a brand new build and I simply ran the install.sh script; I don't know how that file would have got in there. If I just remove the /etc/shorewall directory and re-run install.sh should that clean things up?

Thanks again,
Doug Leece

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Wednesday, February 02, 2005 9:12 AM
Subject: Re: [Shorewall-users] NAT troubles with IPSEC traffic

> Tom Eastep wrote:
> > dleece wrote:
> >> Thanks in advance, this one has been quite a chore, I have tried two
> >> different firewall scripts with no success, I am starting to suspect
> >> my kernel. I also attached the system dump.
> >
> > I certainly would (suspect the kernel) -- are you sure that this kernel
> > hasn't been patched with the native IPSEC back-port?
>
> Oh -- and by the way; you are using the wrong rfc1918 file for Shorewall
> 2.0.15. The file for 2.0.15 should have only the three RFC 1918 networks
> in it.
>
> -Tom
dleece wrote:
> The other statement about the wrong rfc1918 file concerns me, this was a
> brand new build and I simply ran the install.sh script, I don't know how
> that file would have got in there. If I just remove the /etc/shorewall
> directory and re-run install.sh should that clean things up?

Why don't you just grab the rfc1918 file from CVS (STABLE/ thread)?

-Tom
Done, thanks.

Doug Leece

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mailing List for Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Friday, February 04, 2005 7:45 PM
Subject: Re: [Shorewall-users] NAT troubles with IPSEC traffic resolution

> dleece wrote:
> > The other statement about the wrong rfc1918 file concerns me, this was a
> > brand new build and I simply ran the install.sh script, I don't know how
> > that file would have got in there. If I just remove the /etc/shorewall
> > directory and re-run install.sh should that clean things up?
>
> Why don't you just grab the rfc1918 file from CVS (STABLE/ thread)?
>
> -Tom