Running subnet-to-subnet IPsec VPN links using the 2.6 kernel's IPsec code. In this test case using the 2.6.12.3 kernel.

If I ping a site via the VPN I get this error:

ping -s 1400 fondy
PING fondy (192.168.2.1) 1400(1428) bytes of data.
From fw (192.168.101.254) icmp_seq=1 Frag needed and DF set (mtu = 1426)

I get the error if the -s parameter is between 1399 and 1472 inclusive. Larger values work.

Also of interest: if I ping a remote VPN site from the firewall it's OK.

The reason I'm posting here and not on openswan is that when I stop shorewall it works fine.

Attached is a dump of shorewall status. Hope that has enough information.

Any ideas?

Thanks
John
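The size window in the post above is exactly the arithmetic of the ICMP hint: ping -s 1400 becomes a 1428-byte IPv4 datagram (20-byte IP header plus 8-byte ICMP header), and the firewall's "Frag needed and DF set (mtu = 1426)" says the tunnel path carries at most 1426 bytes, so 1398 is the largest payload that fits and 1399 is the first that does not. 1472 is the largest payload that fits a 1500-byte outer interface MTU, which is assumed here to be the MTU of the firewall's external interface. The following POSIX shell script is an added example, not part of the thread and not Shorewall or openswan code: it parses that ping line, converts an MTU to a maximum payload, and binary-searches the largest payload that crosses a path with DF set using ping -M do. The host 192.168.2.1, the simulated 1426-byte path and the PINGER indirection are assumptions made for the example so that the search can also be exercised offline.

```sh
#!/bin/sh
# Added example (not from the thread): find the largest ICMP echo payload
# that crosses a path without "Frag needed and DF set", i.e. a path-MTU probe.
# ping -M do sets DF and refuses to fragment locally (Linux iputils ping).

# Payload -> on-the-wire IPv4 size: 20-byte IP header + 8-byte ICMP header.
ICMP_OVERHEAD=28

# Extract the MTU reported in a "Frag needed and DF set (mtu = N)" line.
# Prints nothing if the line carries no MTU hint.
frag_needed_mtu() {
    printf '%s\n' "$1" | sed -n 's/.*Frag needed and DF set (mtu = \([0-9][0-9]*\)).*/\1/p'
}

# Largest ping -s value that fits in a given MTU without fragmentation.
max_payload_for_mtu() {
    echo $(( $1 - ICMP_OVERHEAD ))
}

# Probe one payload size against a real host: -M do sets DF, -c 1 sends a
# single probe, -W 2 waits two seconds. Succeeds only if a reply came back.
real_pinger() {
    ping -M do -c 1 -W 2 -s "$2" "$1" >/dev/null 2>&1
}

# PINGER is an assumed indirection so the search can be driven by a
# simulated path; the default is the real ping above.
PINGER=${PINGER:-real_pinger}

# Binary-search the largest payload in [lo, hi] the path accepts with DF set.
# Assumes monotonic behaviour: if size N passes, every smaller size passes.
# Prints -1 if even the smallest size fails.
probe_pmtu_payload() {
    host=$1
    lo=${2:-0}
    hi=${3:-1472}   # 1472 + 28 = 1500, a standard Ethernet MTU (assumed)
    best=-1
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$PINGER" "$host" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    echo "$best"
}

# Constructed, offline stand-in for ping: a path whose effective MTU is 1426,
# the value from the thread's ping output. No network traffic is sent.
fake_pinger_1426() {
    [ $(( $2 + ICMP_OVERHEAD )) -le 1426 ]
}

if [ "${1:-}" = "--demo" ]; then
    PINGER=fake_pinger_1426
    echo "max payload over simulated 1426-byte path: $(probe_pmtu_payload 192.168.2.1)"
    echo "max payload from the ICMP hint: $(max_payload_for_mtu "$(frag_needed_mtu \
        'From fw (192.168.101.254) icmp_seq=1 Frag needed and DF set (mtu = 1426)')")"
fi
```

Run it as `sh pmtu.sh --demo` to see the simulated search agree with the hint (both give 1398); with the default PINGER it probes a real host, e.g. `sh -c '. ./pmtu.sh; probe_pmtu_payload fondy'`. Comparing the probed value with the MTU in the ICMP message is the quick way to tell whether the "Frag needed" is the honest path limit or something the firewall's rules are injecting: if the probe passes sizes the hint says should not fit, the ICMP is not describing the path.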
Please get rid of your /etc/shorewall/rfc1918 file -- I'm surprised that anything works for you, given that your firewall's external IP address appears to be blocked by a stale rfc1918 file and 'norfc1918'.

Ref: Your status

Aug 18 10:01:23 rfc1918:DROP:IN=eth1 OUT= SRC=67.52.215.155 DST=72.129.141.195 LEN=224 TOS=0x04 PREC=0x00 TTL=60 ID=2111 DF PROTO=UDP SPT=500 DPT=500 LEN=204

> Attached is a dump of shorewall status. Hope that has enough information.
>
> Any Ideas?

Rather than using Shorewall's kernel 2.6 IPsec support, you have hacked together your own solution using fwmarks. You're largely on your own...

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
John McMonagle wrote:
> Any Ideas?

Please disregard my comments about your rfc1918 file in my prior post -- I see that those messages were logged well before the last "shorewall restart".

-Tom
John McMonagle wrote:
> The reason I'm posting here and not on openswan is when stop shorewall
> it works fine.

Can you clarify exactly the circumstances under which you don't see the problem? Does a simple "shorewall stop" or "shorewall clear" correct it or do you have to boot up your firewall without starting Shorewall?

-Tom
Shorewall stop makes it work. A reboot is not required.

If pinging and then I do a shorewall start it will work for a while.

Tom Eastep wrote:
> John McMonagle wrote:
>> The reason I'm posting here and not on openswan is when stop shorewall
>> it works fine.
>
> Can you clarify exactly the circumstances under which you don't see the
> problem? Does a simple "shorewall stop" or "shorewall clear" correct it
> or do you have to boot up your firewall without starting Shorewall?
>
> -Tom
Tom Eastep wrote:
> Rather than using Shorewall's Kernel 2.6 ipsec support, you have hacked
> together your own solution using fwmarks. You're largely on your own...
>
> -Tom

I didn't think shorewall would handle a 2.6 kernel ipsec tunnel. If it does I'll look into that.

At some point thinking of doing gre tunnels through ipsec but one problem at a time :)

John
John McMonagle wrote:
> Shorewall stop makes it work.

Then what do you have in your /etc/shorewall/routestopped file?

-Tom
Tom Eastep wrote:
> John McMonagle wrote:
>> Shorewall stop makes it work.
>
> Then what do you have in your /etc/shorewall/routestopped file?

And are you running Mandrake with the Mandrake-supplied version of Shorewall?

-Tom
Tom Eastep wrote:
> John McMonagle wrote:
>> The reason I'm posting here and not on openswan is when stop shorewall
>> it works fine.
>
> Can you clarify exactly the circumstances under which you don't see the
> problem? Does a simple "shorewall stop" or "shorewall clear" correct it
> or do you have to boot up your firewall without starting Shorewall?
>
> -Tom

Tom

Not really understanding the cause, am trying random guesses ;-)

Just kept trying rules to accept icmp in every main chain. The following makes it work:

iptables -t mangle -I PREROUTING -p icmp -j ACCEPT

If I restart shorewall it continues to work for a few minutes, probably because of stateful stuff. When I put in the rule above it works again.

Maybe gives you an idea what's happening?

Should at least make the rule a bit more specific.

John
Tom Eastep wrote:
> John McMonagle wrote:
>> Shorewall stop makes it work.
>
> Then what do you have in your /etc/shorewall/routestopped file?

#INTERFACE      HOST(S)
eth0            -
eth1            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tom Eastep wrote:
> Tom Eastep wrote:
>> John McMonagle wrote:
>>> Shorewall stop makes it work.
>>
>> Then what do you have in your /etc/shorewall/routestopped file?
>
> And are you running Mandrake with the Mandrake-supplied version of Shorewall?

No, Debian sarge
John McMonagle wrote:
> Running subnet to subnet ipsec vpn links using the 2.6 kernels ipsec code.
> In this test case using 2.6.12.3 kernel.
>
> If I ping a site via the vpn get this error:
> ping -s 1400 fondy
> PING fondy (192.168.2.1) 1400(1428) bytes of data.
> From fw (192.168.101.254) icmp_seq=1 Frag needed and DF set (mtu = 1426)
>
> Get error if the -s parameter is between 1399 and 1472 inclusive.
> Larger values work.
>
> Also of interest if I ping to a remote vpn site from the firewall it's OK.
>
> The reason I'm posting here and not on openswan is when stop shorewall
> it works fine.
>
> Attached is a dump of shorewall status. Hope that has enough information.
>
> Any Ideas?

No. I'm seeing similar (but not identical) behavior but I've found nothing that will allow the large ping packets to go through the tunnel.

-Tom