Hi, I'm having a problem on my new VPN box. Using Shorewall 3.0.5, with Strongswan and l2tpns. I can establish the VPN connection to the firewall, but when I try to ping any PC behind the firewall, I get this error:

Shorewall:FORWARD:DROP:IN=tun0 OUT=eth1 SRC=192.168.1.64 DST=192.168.1.70 LEN=60 TOS=0x00 PREC=0x00 TL=127 ID=2994 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=256

Anybody has any clues?

Thanks.
Regards.
Robert K Coffman Jr - Info From Data
2006-Feb-15 13:46 UTC
RE: VPN problem (strongswan and l2tpns)
I didn't have time to look at your dump file, but do you have a policy allowing your vpn zone to get to your loc (internal, behind the firewall) zone? Absent that, do you have rules to allow ping to get from vpn to loc?
On Wednesday 15 February 2006 00:25, Hong Guan Keh wrote:
> Anybody has any clues?

Please see FAQ 17 -- logging out of the FORWARD chain means that either the source or the destination host is not in any of your defined zones. I also suggest that you look at http://www.shorewall.net/VPNBasics.html

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 15 February 2006 06:47, Tom Eastep wrote:
> Please see FAQ 17 -- logging out of the FORWARD chain means that either the
> source or the destination host is not in any of your defined zones. I also
> suggest that you look at http://www.shorewall.net/VPNBasics.html

Here's another potentially useful link: http://www.shorewall.net/GenericTunnels.html

-Tom
I have already read through all the FAQs and tried all possible solutions but am still having the same problem. The only way it works is if I put all->all ACCEPT in the policy file.
On Wednesday 15 February 2006 19:05, Hong Guan Keh wrote:
> I have already read through all the FAQs and tried all possible solutions

That's really a silly statement.

> but am still having the same problem. The only way it works is if I put
> all->all ACCEPT in the policy file.

I suspect that traffic entering your firewall from tun0 is still encrypted (Hint: it needs to be included in an 'ipsec' zone). I'm working 60-70 hours a week now on my real job and haven't slept since early Tuesday, so you are on your own; I have neither the time nor the energy to help you further.

Good luck.

-Tom
Hong, here's a translation of Tom's response: if you require all2all to make it work, then *you clearly haven't tried* all possible solutions.

Tom said earlier: "logging out of the FORWARD chain means that either the source or the destination host is not in any of your defined zones".

You need to make sure you have comprehensively defined your zones: one of these hosts on these interfaces is not correct:
IN=tun0 SRC=192.168.1.64
OUT=eth1 DST=192.168.1.70
Work out which one it is, and define it correctly in hosts or interfaces.

I also suggest you define comprehensive logging policies as per http://sourceforge.net/mailarchive/message.php?msg_id=14807387 (You *will* have to modify this to suit your network, since you're not using the vanilla 2 interface guide.)

Paul
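A small diagnostic that applies the FAQ 17 reasoning Tom and Paul describe, added here as an example and not part of the thread: it parses the quoted Shorewall log line and checks each side against a zone layout. The interface and hosts tables are constructed assumptions standing in for the ZONE/INTERFACE and ZONE/HOST(S) columns of the Shorewall config, not Hong's actual configuration.

```python
import ipaddress
import re

# The log line quoted in the thread, reproduced as the sample input.
LOG_LINE = ("Shorewall:FORWARD:DROP:IN=tun0 OUT=eth1 SRC=192.168.1.64 "
            "DST=192.168.1.70 LEN=60 TOS=0x00 PREC=0x00 TL=127 ID=2994 "
            "PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=256")

# Hypothetical zone layouts, constructed for this example. They model the
# ZONE/INTERFACE columns of /etc/shorewall/interfaces and the ZONE/HOST(S)
# columns of /etc/shorewall/hosts; they are not the poster's real config.
BROKEN_INTERFACES = {"eth0": "net", "eth1": "loc"}               # tun0 has no zone
FIXED_INTERFACES = {"eth0": "net", "eth1": "loc", "tun0": "vpn"}  # tun0 -> vpn
NO_HOSTS = []                                                    # no hosts entries
HOSTS_ONLY = [("vpn", "tun0", "192.168.1.0/24")]                 # vpn via hosts file


def parse_shorewall_log(line):
    """Split 'Shorewall:<chain>:<disposition>:k=v ...' into its parts.
    Duplicate keys (the IP and ICMP 'ID' fields) keep the last value."""
    m = re.search(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return m.group("chain"), m.group("disp"), fields


def zone_for(iface, addr, interfaces, hosts):
    """Zone Shorewall would assign addr on iface: a matching hosts entry wins,
    otherwise the interface's own zone, otherwise None (no zone at all)."""
    ip = ipaddress.ip_address(addr)
    for zone, host_iface, network in hosts:
        if host_iface == iface and ip in ipaddress.ip_network(network):
            return zone
    return interfaces.get(iface)


def diagnose(line, interfaces, hosts):
    """FAQ 17 reasoning: a FORWARD-chain drop means the source or the
    destination (or both) belongs to no defined zone. Reports which side."""
    chain, disp, f = parse_shorewall_log(line)
    src_zone = zone_for(f["IN"], f["SRC"], interfaces, hosts)
    dst_zone = zone_for(f["OUT"], f["DST"], interfaces, hosts)
    sides = (("source", src_zone), ("destination", dst_zone))
    missing = [side for side, zone in sides if zone is None]
    return {"chain": chain, "disposition": disp, "src_zone": src_zone,
            "dst_zone": dst_zone, "missing": missing}


if __name__ == "__main__":
    print(diagnose(LOG_LINE, BROKEN_INTERFACES, NO_HOSTS))  # missing: ['source']
    print(diagnose(LOG_LINE, FIXED_INTERFACES, NO_HOSTS))   # missing: []
```

When `missing` comes back empty and the drop persists, both hosts are zoned and the remaining cause is the policy or rules between those two zones, which is the question Robert raised earlier in the thread.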
Thanks Paul, but I've found an alternative solution to my problem.