Hi, I'm asking my question here, because I could not find any answer to my problem, but I'm afraid shorewall is not the one to blame.

First of all I'm using shorewall version 2.0.15 on two linux boxes. I set up an ipsec tunnel between those 2 boxes to be able to connect 2 non-routable subnetworks. Here is my network topology:

10.66.17.0/24 - 10.66.17.1 = eth0 ghostwheel eth1 = ip1 < Internet > ip2 = eth1 marelle eth0 = 10.66.42.1 - 10.66.42.0/24

And you have logrus with the ip 10.66.42.2.

From ghostwheel, I can ping ip2 and 10.66.42.1. But when I ping 10.66.42.2, here is what I see on marelle:

marelle ~ $ sudo tcpdump -l -i eth1 | grep icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
17:37:29.914936 IP ghostwheel.ambre.net > logrus.pillars.ambre.net: icmp 64: echo request seq 60

ad nauseam. Well, until there, all is well... But then, if I look at the other interface, no packet is transmitted. I verified all the /proc/sys variables I could think of, and mainly this one:

marelle ~ $ cat /proc/sys/net/ipv4/ip_forward
1

But I didn't find anything weird. marelle knows how to contact logrus:

marelle ~ $ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
82.231.43.0     *               255.255.255.0   U     0      0        0 eth1
10.66.42.0      *               255.255.255.0   U     0      0        0 eth0
default         82.231.43.254   0.0.0.0         UG    0      0        0 eth1

Moreover, if logrus tries to ping ghostwheel, then ghostwheel sees the icmp packets, sends the echo reply, but once again marelle is not routing them.

What makes me think that shorewall might not be the problem is that it does the same even with shorewall stopped.

If anyone has any idea why marelle is not routing those packets...

Thank you.

-- 
Benjamin Lerman
Benjamin Lerman wrote:
> 
> If anyone has any idea why marelle is not routing those packets...
> 

Be sure to verify your assumption that the problem is at marelle:

a) Watch the eth0 interface on marelle when pinging logrus from ghostwheel.
b) Verify that you can ping logrus from marelle.
c) Verify that you can ping logrus from marelle when using IP2 as the packet source.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> Be sure to verify your assumption that the problem is at marelle:
> 
> a) Watch the eth0 interface on marelle when pinging logrus from ghostwheel.

Sorry not to have been clear. It is eth0 on marelle that I looked at.

> b) Verify that you can ping logrus from marelle.

I can.

> c) Verify that you can ping logrus from marelle when using IP2 as the
> packet source.

That I didn't try. The problem is I don't know how to do that.

-- 
Benjamin
Benjamin Lerman wrote:
>> c) Verify that you can ping logrus from marelle when using IP2 as the
>> packet source.
> 
> 
> That I didn't try. The problem is I don't know how to do that.
> 

You want the -I option to ping. i.e.:

$ ping -I eth0 10.100.0.10

You can replace eth0 with an interface name or IP address.

A.
Benjamin Lerman wrote:
> 
> What makes me think that shorewall might not be the problem is that it
> does the same even with shorewall stopped.
> 
> If anyone has any idea why marelle is not routing those packets...

Is that traffic covered by an active SP on marelle?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Adam Sherman wrote:
> You want the -I option to ping.

Thank you. This option is not documented in my manpage...

> $ ping -I eth0 10.100.0.10
> 
> You can replace eth0 with an interface name or IP address.

marelle ~ $ ping -I 82.231.43.194 logrus
PING logrus.pillars.ambre.net (10.66.42.2): 56 data bytes
64 bytes from 10.66.42.2: icmp_seq=0 ttl=64 time=0.2 ms

So no problem from there... Of course no packets are seen on the eth1 interface.

-- 
Benjamin Lerman
> Is that traffic covered by an active SP on marelle?

I'm not sure I know what you mean by SP, but if you mean ipsec tunneling rule, then yes. I want marelle to be able to access the 10.66.17.0/24 network and ghostwheel to be able to access the 10.66.42.0/24 network, as well as have the connections between ghostwheel and marelle encrypted, so I have 4 ipsec rules on each box.

Is there a problem with such a configuration?

-- 
Benjamin Lerman
Benjamin Lerman wrote:
>> Is that traffic covered by an active SP on marelle?
> 
> 
> I'm not sure I know what you mean by SP, but if you mean ipsec
> tunneling rule, then yes. I want marelle to be able to access the
> 10.66.17.0/24 network and ghostwheel to be able to access the
> 10.66.42.0/24 network, as well as have the connections between
> ghostwheel and marelle encrypted, so I have 4 ipsec rules on each
> box.
> 
> Is there a problem with such a configuration?
> 

Eight SPD entries are required for full interconnectivity -- see http://shorewall.net/IPSEC-2.6.html.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> Eight SPD entries are required for full interconnectivity -- see
> http://shorewall.net/IPSEC-2.6.html.

Sorry... I meant 4 ins and 4 outs:

marelle ~ $ sudo setkey -DP
82.230.54.63[any] 10.66.42.0/24[any] any
	in ipsec
	esp/tunnel/82.230.54.63-82.231.43.194/unique#16403
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=632 seq=15 pid=10953 refcnt=1
10.66.17.0/24[any] 10.66.42.0/24[any] any
	in ipsec
	esp/tunnel/82.230.54.63-82.231.43.194/unique#16405
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=648 seq=14 pid=10953 refcnt=1
10.66.17.0/24[any] 82.231.43.194[any] any
	in ipsec
	esp/tunnel/82.230.54.63-82.231.43.194/unique#16407
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=664 seq=13 pid=10953 refcnt=1
82.230.54.63[any] 82.231.43.194[any] any
	in ipsec
	esp/transport//unique#16409
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=680 seq=12 pid=10953 refcnt=1
10.66.42.0/24[any] 82.230.54.63[any] any
	out ipsec
	esp/tunnel/82.231.43.194-82.230.54.63/unique#16402
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=625 seq=11 pid=10953 refcnt=1
10.66.42.0/24[any] 10.66.17.0/24[any] any
	out ipsec
	esp/tunnel/82.231.43.194-82.230.54.63/unique#16404
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=641 seq=10 pid=10953 refcnt=1
82.231.43.194[any] 10.66.17.0/24[any] any
	out ipsec
	esp/tunnel/82.231.43.194-82.230.54.63/unique#16406
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=657 seq=9 pid=10953 refcnt=1
82.231.43.194[any] 82.230.54.63[any] any
	out ipsec
	esp/transport//unique#16408
	created: Feb 6 16:54:23 2005  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=673 seq=8 pid=10953 refcnt=1

-- 
Benjamin Lerman
Benjamin Lerman wrote:
>> Eight SPD entries are required for full interconnectivity -- see
>> http://shorewall.net/IPSEC-2.6.html.
> 
> 
> Sorry... I meant 4 ins and 4 outs:
> 

Which kernel are you using?

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> Which kernel are you using?

kernel 2.6.10
Benjamin Lerman wrote:
>> Which kernel are you using?
> 
> 
> kernel 2.6.10

FWIW, I can't get 2.6.10 to work with IPSEC either (packet forwarding problems); I dropped back to 2.6.9 this morning after a frustrating debugging experience that looked a lot like yours...

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> FWIW, I can't get 2.6.10 to work with IPSEC either (packet forwarding
> problems); I dropped back to 2.6.9 this morning after a frustrating
> debugging experience that looked a lot like yours...

Ok, I have it. The problem was that for forwarding to work with kernel 2.6.10 you need ipsec-tools >= 0.5 (and Debian comes with 0.3.x) and to add a spdadd -P fwd rule.

I downloaded ipsec-tools 0.5-rc2, installed it and modified racoon-tool (I use that to set up my ipsec tunnel) to add those rules, and all worked almost perfectly. I just have a lot of errors when I start racoon, setkey complaining that the rules already exist... But nevertheless I can ping ghostwheel from logrus and logrus from ghostwheel.

You might want to verify if you do not have the same problem.

Thanks a lot.

-- 
Benjamin Lerman
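As an added example (not from the thread, from ipsec-tools or from racoon-tool), a small Python check for the fwd-policy problem described above: it parses setkey -DP output, lists inbound tunnel policies for traffic the gateway forwards (destination is not one of its own addresses) that have no matching fwd policy, and prints the spdadd lines that would add them. The SPD dump is constructed from the addresses in this thread; the set of local addresses, the "require" level and the treatment of any non-local destination as forwarded traffic are assumptions.

```python
import re

# Constructed sample modelled on the setkey -DP dump in this thread (timestamp and
# spid lines dropped, space-indented). Only 82.230.54.63 -> 10.66.42.0/24 has a fwd twin.
SAMPLE_SPD = """\
10.66.17.0/24[any] 10.66.42.0/24[any] any
    in ipsec
    esp/tunnel/82.230.54.63-82.231.43.194/unique#16405
82.230.54.63[any] 10.66.42.0/24[any] any
    in ipsec
    esp/tunnel/82.230.54.63-82.231.43.194/unique#16403
10.66.17.0/24[any] 82.231.43.194[any] any
    in ipsec
    esp/tunnel/82.230.54.63-82.231.43.194/unique#16407
82.230.54.63[any] 10.66.42.0/24[any] any
    fwd ipsec
    esp/tunnel/82.230.54.63-82.231.43.194/unique#16411
"""

HEADER = re.compile(r"^(\S+)\[\S+\] (\S+)\[\S+\] \S+$")     # src[port] dst[port] proto
DIRECTION = re.compile(r"^\s+(in|out|fwd) (\S+)$")          # e.g. "in ipsec"

def parse_spd(text):
    """Turn setkey -DP output into dicts with src, dst, dir, policy and mode."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"src": m.group(1), "dst": m.group(2),
                            "dir": None, "policy": None, "mode": None})
        elif entries and (m := DIRECTION.match(line)):
            entries[-1]["dir"], entries[-1]["policy"] = m.group(1), m.group(2)
        elif entries and re.match(r"^\s+(esp|ah)/", line):
            entries[-1]["mode"] = line.strip().split("/")[1]   # "tunnel" or "transport"
    return entries

def missing_fwd_policies(entries, local_addrs):
    """(src, dst) of inbound tunnel policies for forwarded traffic that lack a fwd policy."""
    fwd = {(e["src"], e["dst"]) for e in entries if e["dir"] == "fwd"}
    return [(e["src"], e["dst"]) for e in entries
            if e["dir"] == "in" and e["policy"] == "ipsec" and e["mode"] == "tunnel"
            and e["dst"] not in local_addrs and (e["src"], e["dst"]) not in fwd]

def fwd_spdadd_lines(missing, remote_gw, local_gw):
    """setkey lines for the missing fwd policies; the 'require' level is an assumption."""
    return [f"spdadd {src} {dst} any -P fwd ipsec esp/tunnel/{remote_gw}-{local_gw}/require;"
            for src, dst in missing]

if __name__ == "__main__":
    gaps = missing_fwd_policies(parse_spd(SAMPLE_SPD), {"82.231.43.194", "10.66.42.1"})
    print("\n".join(fwd_spdadd_lines(gaps, "82.230.54.63", "82.231.43.194")))
```

On a real gateway, feed it the output of setkey -DP and the gateway's own addresses; a policy reported here is one whose decrypted packets the 2.6.10 kernel will not forward.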
Benjamin Lerman wrote:
> 
> You might want to verify if you do not have the same problem.

Thanks -- I'll upgrade my tools and check out the link you mentioned.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key