I am attempting to use ipsec-tools with shorewall 3.05 on CentOS 4.2 with a custom 2.6.16.1 kernel to set up a VPN. I can get a successful connection from a remote Windows workstation to racoon, but pings do not ever come back. My scenario is as follows:

Remote workstation (Windows XP, private IP 10.x.x.x), behind firewall/NAT router, with multiple public IP addresses (let's call it 5.1.1.1-5.1.1.9)
Home machine (Public IP address, with NAT addresses behind it) (Let's call the public IP 5.2.2.2) The public IP is on eth1, and the private one is on eth0.

When I connect to my home machine, racoon shows a successful connection. Furthermore, my logs (I turned on info logging) show the following when I attempt to ping 192.168.1.254 from my work desktop after the tunnel is up:

Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:0b:6a:be:b0:6b:00:0f:db:8d:ec:76:08:00 SRC=5.1.1.1 DST=5.2.2.2 LEN=304 TOS=0x00 PREC=0x00 TTL=116 ID=48647 PROTO=UDP SPT=57177 DPT=500 LEN=284
Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:0b:6a:be:b0:6b:00:0f:db:8d:ec:76:08:00 SRC=5.1.1.2 DST=5.2.2.2 LEN=112 TOS=0x00 PREC=0x00 TTL=116 ID=3006 PROTO=ESP SPI=0x487af84
Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:0b:6a:be:b0:6b:00:0f:db:8d:ec:76:08:00 SRC=5.1.1.2 DST=5.2.2.2 LEN=112 TOS=0x00 PREC=0x00 TTL=116 ID=3774 PROTO=ESP SPI=0x487af84
Shorewall:rac2all:ACCEPT:IN=eth1 OUT=eth1 SRC=10.1.119.29 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=48653 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=47889
Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:0b:6a:be:b0:6b:00:0f:db:8d:ec:76:08:00 SRC=5.1.1.2 DST=5.2.2.2 LEN=112 TOS=0x00 PREC=0x00 TTL=116 ID=16318 PROTO=ESP SPI=0x487af84
Shorewall:rac2all:ACCEPT:IN=eth1 OUT=eth1 SRC=10.1.119.29 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=48702 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=48145
Shorewall:net2fw:ACCEPT:IN=eth1 OUT= MAC=00:0b:6a:be:b0:6b:00:0f:db:8d:ec:76:08:00 SRC=5.1.1.2 DST=5.2.2.2 LEN=112 TOS=0x00 PREC=0x00 TTL=116 ID=19902 PROTO=ESP SPI=0x487af84
Shorewall:rac2all:ACCEPT:IN=eth1 OUT=eth1 SRC=10.1.119.29 DST=192.168.1.254 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=48716 PROTO=ICMP TYPE=8 CODE=0 ID=1024 SEQ=48401

Note that the IP address from the first line, which initiated the connection on UDP port 500, is different from the one sending ESP packets. I'm thinking that this may be causing the problem, but I'm not sure yet. OpenVPN works fine, but I think that IPSEC uses different techniques for authentication which is more closely tied to hostname.

Here are some excerpts from my shorewall config files:

/etc/shorewall/tunnels
###############################################################################
#TYPE           ZONE    GATEWAY         GATEWAY
ipsec           net     0.0.0.0/0       rac
ipsec:noah      net     0.0.0.0/0       rac
ipsecnat        net     0.0.0.0/0       rac
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/zones
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN              OUT
#                                       OPTIONS         OPTIONS
fw      firewall
pri     ipv4
rac     ipsec
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/hosts
# /etc/shorewall/zones file then you
# do NOT need to specify the 'ipsec'
# option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
###############################################################################
#ZONE   HOST(S)                 OPTIONS
rac     eth1:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

/etc/shorewall/policy
rac     all     ACCEPT  info
all     rac     ACCEPT  info
all     all     DROP
#LAST LINE -- DO NOT REMOVE

I've been reading documentation and experimenting for the past 2 weeks, but still can't seem to get past this.

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
On Wednesday 29 March 2006 04:48, Robert A. Wicks wrote:
> I am attempting to use ipsec-tools with shorewall 3.05 on CentOS 4.2
> with a custom 2.6.16.1 kernel to set up a VPN. I can get a successful
> connection from a remote windows workstation to racoon, but pings do not
> ever come back. My scenario is as follows:
>
> Remote workstation (Windows XP, private IP 10.x.x.x), behind
> firewall/NAT router, with multiple public IP addresses, let's call it
> 5.1.1.1-5.1.1.9)
> Home machine (Public IP address, with NAT addresses behind it) Let's
> call the public IP 5.2.2.2) The public IP is on eth1, and the private
> one is on eth0.
>
> When I connect to my home machine, racoon shows a successful connection.
> Furthermore, my logs (I turned on info logging), show the following when
> I attempt to ping 192.168.1.254 from my work desktop after the tunnel is
> up:

And this works perfectly if you turn off Shorewall?

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wednesday 29 March 2006 06:53, Tom Eastep wrote:
> On Wednesday 29 March 2006 04:48, Robert A. Wicks wrote:
> > I am attempting to use ipsec-tools with shorewall 3.05 on CentOS 4.2
> > with a custom 2.6.16.1 kernel to set up a VPN. I can get a successful
> > connection from a remote windows workstation to racoon, but pings do not
> > ever come back. My scenario is as follows:
> >
> > Remote workstation (Windows XP, private IP 10.x.x.x), behind
> > firewall/NAT router, with multiple public IP addresses, let's call it
> > 5.1.1.1-5.1.1.9)
> > Home machine (Public IP address, with NAT addresses behind it) Let's
> > call the public IP 5.2.2.2) The public IP is on eth1, and the private
> > one is on eth0.
> >
> > When I connect to my home machine, racoon shows a successful connection.
> > Furthermore, my logs (I turned on info logging), show the following when
> > I attempt to ping 192.168.1.254 from my work desktop after the tunnel is
> > up:
>
> And this works perfectly if you turn off Shorewall?
>

The reason that I ask is that I seriously doubt it -- with NAT occurring on the client side, you need to configure NAT traversal, which means that you should never see unencapsulated ESP packets at your home system; ESP should be encapsulated in UDP packets (default port is 4500 but that's configurable).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
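Tom's point about NAT-T can be checked mechanically against Shorewall log excerpts like the ones posted above. The following is an added example, not code from the thread or from the Shorewall project: it parses netfilter-style log lines and reports which peers sent IKE (UDP/500), UDP-encapsulated ESP (UDP/4500, the default NAT-T port) and raw ESP, plus which raw-ESP sources never appeared as an IKE source (the address mismatch noticed in the first post). The sample lines are constructed from the posted ones, trimmed to the fields the check uses, and eth1 is assumed to be the public interface as in the thread.

```python
import re

# Constructed sample lines modelled on the Shorewall log excerpts in the
# thread, trimmed to the fields used here; the last line is an invented
# peer that did negotiate NAT-T, for contrast.
SAMPLE_LOG = """\
Shorewall:net2fw:ACCEPT:IN=eth1 OUT= SRC=5.1.1.1 DST=5.2.2.2 LEN=304 PROTO=UDP SPT=57177 DPT=500 LEN=284
Shorewall:net2fw:ACCEPT:IN=eth1 OUT= SRC=5.1.1.2 DST=5.2.2.2 LEN=112 PROTO=ESP SPI=0x487af84
Shorewall:rac2all:ACCEPT:IN=eth1 OUT=eth1 SRC=10.1.119.29 DST=192.168.1.254 LEN=60 PROTO=ICMP TYPE=8 CODE=0
Shorewall:net2fw:ACCEPT:IN=eth1 OUT= SRC=5.1.1.3 DST=5.2.2.2 LEN=140 PROTO=UDP SPT=4500 DPT=4500 LEN=120
"""

LINE_RE = re.compile(r"^Shorewall:(?P<chain>[\w-]+):(?P<verdict>\w+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return (chain, verdict, fields) for one Shorewall log line, or None.
    LEN appears twice on UDP lines (IP and UDP length); the outer one is kept."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        fields.setdefault(key, value)
    return m.group("chain"), m.group("verdict"), fields


def audit_nat_t(log_text, public_if="eth1"):
    """Classify packets addressed to the gateway on its public interface by
    source. A NAT'd peer should appear under 'nat_t' (ESP inside UDP/4500);
    the same peer under 'raw_esp' means NAT-T was not negotiated."""
    seen = {"ike": set(), "raw_esp": set(), "nat_t": set()}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        f = parsed[2]
        if f.get("IN") != public_if or f.get("OUT"):
            continue  # forwarded traffic (OUT set) is not IKE/ESP to us
        src, proto = f.get("SRC"), f.get("PROTO")
        if proto == "ESP":
            seen["raw_esp"].add(src)
        elif proto == "UDP" and f.get("DPT") == "500":
            seen["ike"].add(src)
        elif proto == "UDP" and f.get("DPT") == "4500":
            seen["nat_t"].add(src)
    # ESP from an address that never sent IKE is the mismatch the first post
    # noticed; it is what a NAT with several public addresses looks like.
    seen["esp_without_ike"] = seen["raw_esp"] - seen["ike"]
    return seen
```

Running `audit_nat_t(SAMPLE_LOG)` on the constructed sample reports 5.1.1.2 under both `raw_esp` and `esp_without_ike`, which is exactly the condition Tom says should never occur once NAT traversal is working.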
Robert A. Wicks
2006-Apr-03 13:58 UTC
Re: IPSEC road warrior client side NAT with shorewall
Tom Eastep wrote:
> On Wednesday 29 March 2006 06:53, Tom Eastep wrote:
>
>> On Wednesday 29 March 2006 04:48, Robert A. Wicks wrote:
>>
>>> I am attempting to use ipsec-tools with shorewall 3.05 on CentOS 4.2
>>> with a custom 2.6.16.1 kernel to set up a VPN. I can get a successful
>>> connection from a remote windows workstation to racoon, but pings do not
>>> ever come back. My scenario is as follows:
>>>
>>> Remote workstation (Windows XP, private IP 10.x.x.x), behind
>>> firewall/NAT router, with multiple public IP addresses, let's call it
>>> 5.1.1.1-5.1.1.9)
>>> Home machine (Public IP address, with NAT addresses behind it) Let's
>>> call the public IP 5.2.2.2) The public IP is on eth1, and the private
>>> one is on eth0.
>>>
>>> When I connect to my home machine, racoon shows a successful connection.
>>> Furthermore, my logs (I turned on info logging), show the following when
>>> I attempt to ping 192.168.1.254 from my work desktop after the tunnel is
>>> up:
>>>
>> And this works perfectly if you turn off Shorewall?
>>
>>

You were correct. I was not getting pings with Shorewall disabled either. I upgraded to a later version of ipsec-tools than what came with CentOS (NAT-T is apparently broken, or not as robust, on the older version which came with CentOS), and got it to work. I now get pings. I still can't communicate with the private IPs behind the gateway box, however. Am I correctly set up for receiving pings back from the private boxes? I turned on verbose logging and see pings being sent to target IP addresses, but none are returned.

My shorewall files are as follows:

/etc/shorewall/tunnels
###############################################################################
#TYPE           ZONE    GATEWAY         GATEWAY
ipsec           net     0.0.0.0/0       rac
ipsec:noah      net     0.0.0.0/0       rac
ipsecnat        net     0.0.0.0/0       rac
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/zones
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN              OUT
#                                       OPTIONS         OPTIONS
fw      firewall
pri     ipv4
rac     ipsec
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/hosts
# /etc/shorewall/zones file then you
# do NOT need to specify the 'ipsec'
# option here.
#
# For additional information, see http://shorewall.net/Documentation.htm#Hosts
#
###############################################################################
#ZONE   HOST(S)                 OPTIONS
rac     eth1:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

/etc/shorewall/policy
rac     all     ACCEPT  info
all     rac     ACCEPT  info
all     all     DROP
#LAST LINE -- DO NOT REMOVE
On Monday 03 April 2006 06:58, Robert A. Wicks wrote:
>
> You were correct. I was not getting pings with Shorewall disabled
> either. I upgraded to a later version of ipsec-tools than what came with
> CentOS (NAT-T is apparently broken, or not as robust, on the older
> version which came with CentOS), and got it to work. I now get pings. I
> still can't communicate with the private IPs behind the gateway box,
> however.

But you can with Shorewall cleared? Remember, Shorewall has nothing to do with enabling IPSEC communication unless there is NAT involved on the Shorewall end. So if it doesn't work with Shorewall turned off, it's not going to magically work when you turn Shorewall on.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Robert A. Wicks
2006-Apr-03 16:04 UTC
Re: IPSEC road warrior client side NAT with shorewall
Once again you pegged it. I shall remember to always disable shorewall for test purposes first.

The reason I think shorewall may be at issue is that I see the policy in place for the private subnets. I get the message in logs that racoon does not have a policy in place for them, but the policy seems to go into place, because, when I ping the interface on the gateway machine which has the private address, I get responses. The problem occurs when I try to ping another machine on that LAN. OpenVPN, which is also set up on this box, works fine and traffic flows all around.

My uneasiness with my understanding of how Shorewall routes IPSec traffic is an issue. With OpenVPN, I have an interface, tun0, with an IP address. I interact with it in shorewall the same way I do any other interface. IPSec with 2.6 and Racoon don't provide that level of familiarity, so I keep thinking that I must have set something up wrong with my tunnel setup in shorewall, since I don't have a masq entry for the IPSec tunnel.

Tom Eastep wrote:
> On Monday 03 April 2006 06:58, Robert A. Wicks wrote:
>
>
>> You were correct. I was not getting pings with Shorewall disabled
>> either. I upgraded to a later version of ipsec-tools than what came with
>> CentOS (NAT-T is apparently broken, or not as robust, on the older
>> version which came with CentOS), and got it to work. I now get pings. I
>> still can't communicate with the private IPs behind the gateway box,
>> however.
>>
>
> But you can with Shorewall cleared? Remember, Shorewall has nothing to do with
> enabling IPSEC communication unless there is NAT involved on the Shorewall
> end. So if it doesn't work with Shorewall turned off, it's not going to
> magically work when you turn Shorewall on.
>
> -Tom
>
Robert A. Wicks
2006-Apr-04 11:57 UTC
Re: IPSEC road warrior client side NAT with shorewall
Just wanted to let everyone know that I'm a moron. I was testing the wrong interface to get to the private network. I have two interfaces on the gateway machine. My eth1 is attached to the same network as my DSL modem and is set to be the DMZ machine (IP address passthrough). I have an alias of eth1:1 to my private network which shares the Internet connection. I fiddle with my Linux box way too much for me to make my Internet connection all flow through it. Besides, I have other reachable machines which have ports forwarded to them by the DSL modem.

I have an additional interface, eth0, which is a gigabit network to which I have my main Windows machine attached. Since I keep most of my big files on the Linux gateway, I wanted a higher speed connection to it available. I cannot reach the gigabit interface, but the other interface is fine. Since the Windows box and the Linux box are each on both networks, this means I can reach everything I need to right now.

My current configuration works fine. The only real problem all along was an outdated ipsec-tools package. Thanks, Tom, for all the help. Shorewall really does make firewalling and traffic management easy, even for someone who isn't a major networking geek.

Tom Eastep wrote:
> On Monday 03 April 2006 06:58, Robert A. Wicks wrote:
>
>
>> You were correct. I was not getting pings with Shorewall disabled
>> either. I upgraded to a later version of ipsec-tools than what came with
>> CentOS (NAT-T is apparently broken, or not as robust, on the older
>> version which came with CentOS), and got it to work. I now get pings. I
>> still can't communicate with the private IPs behind the gateway box,
>> however.
>>
>
> But you can with Shorewall cleared? Remember, Shorewall has nothing to do with
> enabling IPSEC communication unless there is NAT involved on the Shorewall
> end. So if it doesn't work with Shorewall turned off, it's not going to
> magically work when you turn Shorewall on.
>
> -Tom
>