<info@kws-netzwerke.de>
2005-Sep-07 11:08 UTC
OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Dear Sirs,

after implementing an openswan ipsec tunnel from firewall A to firewall B, to connect LAN A with LAN B, everything seems to work well. The tunnels were established and the routes to each of the private subnets in the LAN were set, but...

If I try to ping a host on the opposite side, the local (local, not remote) shorewall blocks the ICMP traffic with the message "forward reject from (SRC) local private IP subnet A to (DST) remote private IP subnet B".

The policy settings look like the following:

VPN LOC ACCEPT
LOC VPN ACCEPT

Even with AllowPing or similar it doesn't work. What is strange is that if I write down the policy

ALL ALL ACCEPT

I am able to ping the other side through the tunnel.

I worked with www.gentoo-wiki.com and www.gentoo.org and set it up exactly as written there. What is wrong with my policy settings?

Thanks for your help.

Regards
Michael

Best regards
Michael Weickel

KWS Netzwerke GmbH
Internet Services & Solutions
Hinter der Heck 2
65760 Eschborn
Tel. +49 6196 99 896-0
Fax. +49 6196 99 896-10
eM@il. info@kws-netzwerke.de
http://www.kws-netzwerke.de/

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
------------------------------------------------------- SF.Net email is Sponsored by the Better Software Conference & EXPO September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Jerry Vonau
2005-Sep-07 11:20 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
> If I try to ping a host on the opposite side, the local (local, not remote)
> shorewall blocks the icmp traffic with message forward reject from (SRC)
> local private IP subnet A to (DST) remote private IP subnet B.
>
> Policy setting looks like the following.
>
> VPN LOC ACCEPT
> LOC VPN ACCEPT
>
> Even with AllowPing or else it doesn't work.
>
> Freaky is, that if I write down policy
>
> ALL ALL ACCEPT

Have you read http://www.shorewall.net/IPSEC-2.6.html ?

If you're still stumped, can you post your config files please.

Jerry
<info@kws-netzwerke.de>
2005-Sep-07 11:47 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Yes, I have read http://www.shorewall.net/IPSEC-2.6.html many times and did it exactly as explained there. Remember, the tunnel works, but only with the policy all all ACCEPT.

Here are the relevant config files.

..................../etc/shorewall/policy...........................
fw   loc  ACCEPT
fw   net  ACCEPT
loc  fw   ACCEPT
loc  net  ACCEPT
loc  vpn  ACCEPT
vpn  loc  ACCEPT
#net all  DROP  info
all  all  DROP  info

..................../etc/shorewall/tunnels..........................
ipsec net AA.BB.CC.DD   # remote IP from where I try to ping

..................../etc/shorewall/hosts............................
vpn eth0:172.16.5.0/24,AA.BB.CC.DD ipsec

..................../etc/shorewall/zones............................
vpn   VPN    Virtual Private Network
net   Net    WAN
loc   Local  LAN
....................................................................

Let's say this configuration is established on my primary gateway (PGA) with public IP XX.YY.ZZ.AA and private subnet 172.16.10.0/30 behind it. And let's say that the remote side is called DTAG-GATE with public IP AA.BB.CC.DD and private subnet 172.16.5.0/24 behind it.

The shorewall configuration for DTAG-GATE looks similar to the one on PGA. I will write it down to be sure.

..................../etc/shorewall/policy...........................
fw   loc  ACCEPT
fw   net  ACCEPT
loc  fw   ACCEPT
loc  net  ACCEPT
loc  vpn  ACCEPT
vpn  loc  ACCEPT
#net all  DROP  info
all  all  DROP  info

..................../etc/shorewall/tunnels..........................
ipsec net XX.YY.ZZ.AA   # remote IP from where I try to ping

..................../etc/shorewall/hosts............................
vpn eth0:172.16.10.0/30,XX.YY.ZZ.AA ipsec
# sometimes I've tried
# vpn eth0:172.16.10.252/30,XX.YY.ZZ.AA ipsec
# it seems to be the same

..................../etc/shorewall/zones............................
vpn   VPN    Virtual Private Network
net   Net    WAN
loc   Local  LAN
....................................................................
Now, if I try to ping from host 172.16.5.151 to host 172.16.10.254 or 172.16.10.253, it is blocked by the local shorewall. On both systems I have the same versions. If I change the policy settings on DTAG-GATE to

..................../etc/shorewall/policy...........................
all  all  ACCEPT
fw   loc  ACCEPT
fw   net  ACCEPT
loc  fw   ACCEPT
loc  net  ACCEPT
loc  vpn  ACCEPT
vpn  loc  ACCEPT
#net all  DROP  info
#all all  DROP  info
..................../etc/shorewall/tunnels..........................

then I can see the ICMP packet on PGA. If I set it back to the standard policy setting, it is blocked by the local shorewall with

FIREWALL:REJECT:FROM (SRC) 172.16.5.151 (DST) 172.16.10.254 ICMP

This message is not copied from the logs, but it says what the problem is.

First I thought it could have something to do with norfc1918 in the interfaces file, but it doesn't.

Thanks for any help regarding this case. I think the openswan config files will be wrong at this place, and also I think they are configured very well, given that they work if I change the policy setting to all all ACCEPT.

Cheers
Michael
Jerry Vonau
2005-Sep-07 12:10 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
> ipsec net AA.BB.CC.DD # remote IP from where I try to ping
<snip>
> Now, if I try to ping from host 172.16.5.151 to host 172.16.10.254 or
> 172.16.10.253 it is blocked by the local shorewall. On both systems I have
> the same versions. If I change policy settings on DTAG-GATE to
>
> ..................../etc/shorewall/policy...........................
>
> all all ACCEPT
<snip>
> then I can see the icmp packet on PGA. If I set back to the standard policy
> setting, it is blocked by the local shorewall with
>
> FIREWALL:REJECT:FROM (SRC) 172.16.5.151 (DST) 172.16.10.254 ICMP

Please include the whole blurb next time, the zone2zone info is important.

Is 172.16.5.151 the fw's internal address or a host on the lan?

Can you forward the info from diagnostic step #3 from http://www.shorewall.net/support.html please.

Jerry
<info@kws-netzwerke.de>
2005-Sep-07 12:48 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
172.16.5.151 is a host from the lan.

Please find attached the status.txt

I've set up the connection again. Here is the complete message from shorewall:

Sep 7 14:31:04 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0 SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=50438 SEQ=3

SRC = host behind DTAG-GATE
DST = firewall LAN interface of PGA (sometimes 172.16.10.253, which is a host behind the PGA firewall)

Cheers
Michael
Jerry Vonau
2005-Sep-07 13:00 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
> I've set up the connection again. Here is the complete message from shorewall
>
> Sep 7 14:31:04 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0
> SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=50438 SEQ=3
>
> SRC=host behind DTAG-GATE
> DST=Firewall LAN Interface PGA (sometimes 172.16.10.253 which is a host
> behind the PGA Firewall)

vpn eth0:172.16.5.0/24,AA.BB.CC.DD ipsec

That should be:

vpn ppp0:172.16.5.0/24,AA.BB.CC.DD ipsec

Jerry
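To see what binding the vpn hosts entry to the internet interface changes for the packet in the log above, here is an added example written for this edit; it is not code from the thread and not Shorewall's own code. It parses the dtag-gw log line into its fields and works out, from a given hosts entry, which zone pair the rejected packet would be looked up under. It is a deliberate simplification: where Shorewall 2.x matches ipsec-flagged hosts entries with the netfilter policy match, the model just takes a boolean saying whether IPsec applies to the packet. The interface-to-zone table (eth0 = loc, ppp0 = net) is an assumption based on the thread's description of DTAG-GATE, the hosts entries are the DTAG-GATE ones Michael posted (including the 172.16.10.252/30 variant he says he tried), and 82.100.235.11 stands in for XX.YY.ZZ.AA as given later in the thread.

```python
"""Toy model of which Shorewall zone pair the rejected ping falls into.

Added example for this thread, not code from the thread or from Shorewall.
Simplification: Shorewall 2.x matches 'ipsec'-flagged hosts entries with the
netfilter policy match; here a packet just carries a boolean saying whether
IPsec applies to it. INTERFACE_ZONES is a constructed assumption; the hosts
entries and the log line are taken from the thread.
"""
import ipaddress
import re

# Default zone of each interface on DTAG-GATE (constructed assumption:
# eth0 is the LAN, ppp0 is the public uplink).
INTERFACE_ZONES = {"eth0": "loc", "ppp0": "net"}

# /etc/shorewall/hosts on DTAG-GATE: the entry as posted, the same entry
# moved to the uplink interface, and the 172.16.10.252/30 variant.
HOSTS_AS_POSTED = "vpn eth0:172.16.10.0/30,82.100.235.11 ipsec"
HOSTS_ON_PPP0 = "vpn ppp0:172.16.10.0/30,82.100.235.11 ipsec"
HOSTS_ON_PPP0_252 = "vpn ppp0:172.16.10.252/30,82.100.235.11 ipsec"

# The rejected packet as logged on dtag-gw (copied from the thread).
LOG_LINE = ("Sep 7 14:31:04 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0 "
            "SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 "
            "TTL=63 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=50438 SEQ=3")


def parse_hosts(text):
    """Parse 'ZONE IFACE:net[,net...] [OPTIONS]' lines into
    (zone, iface, [networks], needs_ipsec) tuples; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        zone, hosts, *opts = line.split()
        iface, _, nets = hosts.partition(":")
        networks = [ipaddress.ip_network(n, strict=False) for n in nets.split(",")]
        entries.append((zone, iface, networks, "ipsec" in opts))
    return entries


def parse_log(line):
    """Split a Shorewall log line into chain, disposition and KEY=VALUE
    fields. The valueless 'DF' flag is skipped; of the two ID= fields
    (IP header and ICMP echo id) the later one wins, as in any dict."""
    m = re.search(r"Shorewall:(\w+):(\w+):(.*)$", line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = dict(re.findall(r"(\w+)=(\S+)", m.group(3)))
    fields["chain"], fields["disposition"] = m.group(1), m.group(2)
    return fields


def zone_of(iface, addr, is_ipsec, hosts):
    """Zone of addr as seen on iface: the first hosts entry on that interface
    whose networks contain it, otherwise the interface's own zone. Entries
    flagged ipsec are only considered when the packet is IPsec-protected."""
    ip = ipaddress.ip_address(addr)
    for zone, h_iface, networks, needs_ipsec in hosts:
        if h_iface != iface or (needs_ipsec and not is_ipsec):
            continue
        if any(ip in net for net in networks):
            return zone
    return INTERFACE_ZONES[iface]


def classify(log_line, hosts_text, is_ipsec=True):
    """Return the (source_zone, dest_zone) pair under which the policy for
    the logged packet would be looked up."""
    f = parse_log(log_line)
    hosts = parse_hosts(hosts_text)
    return (zone_of(f["IN"], f["SRC"], is_ipsec, hosts),
            zone_of(f["OUT"], f["DST"], is_ipsec, hosts))


if __name__ == "__main__":
    for label, hosts in (("as posted", HOSTS_AS_POSTED),
                         ("moved to ppp0", HOSTS_ON_PPP0),
                         ("ppp0 + .252/30", HOSTS_ON_PPP0_252)):
        print("%-16s %s2%s" % (label, *classify(LOG_LINE, hosts)))
```

The model makes two things visible. First, with the vpn entry bound to eth0 nothing on ppp0 can ever be classified as vpn, so the destination falls back to net and the packet is evaluated as loc2net rather than loc2vpn; that is the point behind binding the entry to the internet interface. Second, something the thread itself never settles: 172.16.10.254 is not inside 172.16.10.0/30 (that prefix covers only .0 through .3), so even on ppp0 the 172.16.10.0/30 form does not match the pinged address, while the 172.16.10.252/30 form Michael mentions trying does. Whether that was the cause of the REJECT is not established on this page; the model only shows which zone pair each hosts entry would produce.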
<info@kws-netzwerke.de>
2005-Sep-07 13:42 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Shorewall gives back the following message:

/etc/init.d/shorewall restart
 * Restarting firewall ...
Error: Unknown interface (ppp0) in record "vpn ppp0:172.16.5.0/24,84.178.8.71 ipsec"
/etc/init.d/shorewall: line 26:  8142 Terminated   /sbin/shorewall restart >/dev/null

All in all I don't believe that this can fix the problem. The block is on the other firewall, DTAG-GATE, and not on the PGA, where I tried ppp0 instead of eth0 a few minutes ago, without success, as you can see in the above output. On the PGA I do not have any ppp0. I have eth0 configured as "null" and eth0:1 as XX.YY.ZZ.AA.

What I can do is to write down

ppp0:172.16.10.0/30,82.100.235.11 ipsec

on the DTAG-GATE. Then the shorewall restart works well, but I have the same problem as before.

Also I think there has to be eth0 on the DTAG-GATE side as configured. On this machine eth0 is the local LAN, eth1 has a private IP and is used to set up ppp0, and ppp0 has the public IP 84.178.8.71.

Do you have any other ideas?

Thank you very much for your support.

Cheers
Michael
Jerry Vonau
2005-Sep-07 14:01 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
> Shorewall gives back the following message
>
> /etc/init.d/shorewall restart
> * Restarting firewall ...
> Error: Unknown interface (ppp0) in record "vpn
> ppp0:172.16.5.0/24,84.178.8.71 ipsec"
> /etc/init.d/shorewall: line 26: 8142 Terminated
> /sbin/shorewall restart >/dev/null

The internet interface must be up when you start shorewall, was it? Or is this the 'other box' that has an ethX device as the internet interface?

The basic syntax is

vpn <internet interface>:<remotelan>,<vpn_otherbox's_ip> ipsec

> All in all I don't believe that this can fix the problem. The block is based
> on the other firewall DTAG-GATE and not on the PGA where I tried ppp0
> instead of eth0 a few minutes ago - without success as you can see in the
> above mentioned output.

The configuration may not be identical, based on the internet interface.

> On the PGA I do not have any ppp0. I have eth0 configured as "null" and
> eth0:1 as XX.YY.ZZ.AA

what?

> What I can do is to write down ppp0:172.16.10.0/30,82.100.235.11 ipsec
>
> on the DTAG-GATE. Then the shorewall restart works well, but I have the same
> problem as before.
>
> Also I think there has to be eth0 with the DTAG-GATE side as configured. On
> this machine eth0 is local LAN, eth1 has private IP and is used to setup
> ppp0 and ppp0 has the public IP 84.178.8.71
>
> Do you have any ideas else?

Not at this time.

Jerry
<info@kws-netzwerke.de>
2005-Sep-07 14:27 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
The internet interface is always up. It never comes down. And yes, that's a box with eth0:1 as internet interface.

I have modified my config as follows.

DTAG-GATE
=========
Public interface ppp0

ppp0:172.16.10.0/30,XX.YY.ZZ.AA ipsec

XX.YY.ZZ.AA = public IP of the remote VPN box (Shorewall with OPENSWAN)

PGA
===
Public interface eth0:1

eth0:172.16.5.0/24, 84.178.8.71 ipsec

I would be happier if shorewall could take eth0:1:172.16......., but it doesn't like this syntax. My eth0 interface on PGA has IP "null". If I do a network restart, some shell scripts establish eth0:1, eth0:2, and so on with all my public IP addresses. But I don't think my problem has anything to do with the PGA.

After changing from eth0 to ppp0 on DTAG-GATE I got the following back from DTAG-GATE's shorewall when I try pinging from 172.16.5.151 to 172.16.10.254:

Sep 7 16:19:11 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0 SRC=172.16.5.152 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=35380 SEQ=1

Don't know what's up with this shorewall or my configuration?! Is there anyone who can help?

Thanks in advance.

Cheers
Michael
Tom Eastep
2005-Sep-07 14:31 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
info@kws-netzwerke.de wrote:
> 172.16.5.151 is a host from the lan.
>
> Please find attached the status.txt
>
> I've set up the connection again. Here is the complete message from shorewall
>
> Sep 7 14:31:04 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0
> SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=50438 SEQ=3
>

According to the "shorewall status" you just sent, your local network is 172.16.5.0/24 *not 172.16.10.0/24*!

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Sep-07 14:35 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Tom Eastep wrote:
> info@kws-netzwerke.de wrote:
>> 172.16.5.151 is a host from the lan.
>>
>> Please find attached the status.txt
>>
>> I've set up the connection again. Here is the complete message from shorewall
>>
>> Sep 7 14:31:04 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0
>> SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF
>> PROTO=ICMP TYPE=8 CODE=0 ID=50438 SEQ=3
>>
>
> According to the "shorewall status" you just sent, your local network
> is 172.16.5.0/24 *not 172.16.10.0/24*!
>

Please disregard that rambling -- a week of vacation seems to have muddled my mind ...

-Tom
<info@kws-netzwerke.de>
2005-Sep-07 14:39 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
I have both

172.16.5.0/24 local on the side A LAN and
172.16.10.0/30 local, or let's say 172.16.10.252/30 local, on the side B LAN.

These two subnets should get connected through the ipsec tunnel mode.

According to the IP addresses I think everything is configured fine.
Tom Eastep
2005-Sep-07 14:43 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
info@kws-netzwerke.de wrote:
> I have both
>
> 172.16.5.0/24 local on the side A LAN and
> 172.16.10.0/30 local or lets say 172.16.10.252/30 local on the side B LAN.
>
> These two subnets should get connected through the ipsec tunnel mode.
>
> According the IP addresses I think everything is configured fine.

What are the addresses of the tunnel endpoints?

-Tom
<info@kws-netzwerke.de>
2005-Sep-07 14:49 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
172.16.5.0/24 is the LAN behind a firewall with

eth0   172.16.5.254 and
ppp0   84.178.8.71

172.16.10.0/30 is the LAN behind a firewall with

eth1   172.16.10.254 and
eth0:1 82.100.235.11

ppp0 and eth0:1 are the tunnel endpoints.

Cheers
Mike
Tom Eastep
2005-Sep-07 15:06 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
info@kws-netzwerke.de wrote:
> 172.16.5.0/24 is the LAN behind a firewall with
>
> Eth0 172.16.5.254 and
> Ppp0 84.178.8.71
>
> 172.16.10.0/30 is the LAN behind firewall with
>
> Eth1 172.16.10.254 and
> Eth0:1 82.100.235.11
>
> Ppp0 and eth0:1 are the tunnel endpoints.
>

Ok -- can we get another snapshot of "shorewall status" with your current configuration? The one that I have is from before you corrected your /etc/shorewall/hosts entries for the vpn zone.

Thanks,
-Tom
<info@kws-netzwerke.de>
2005-Sep-07 15:16 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Of course..

Here it is.

Thanks for everything
Tom Eastep
2005-Sep-07 15:22 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
info@kws-netzwerke.de wrote:
> Of course..
>
> Here it is
>
> Thanks for everything
>

This setup *looks* correct -- what happens now if you try to send traffic through the tunnel?

-Tom
<info@kws-netzwerke.de>
2005-Sep-07 15:30 UTC
Re: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
I start a ping from 172.16.5.151. That's the result:

Sep 7 17:27:59 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0 SRC=172.16.5.152 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=38199 SEQ=2