Hello!

I would like to run the l2tpd daemon on my firewall to enable road-warrior
connection of Windows XP SP2 users to my local network.

My firewall is built on:

  shorewall 3.2.5
  Fedora Core 6
  kernel 2.6.18-1.2798.fc6
  iptables 1.3.5
  l2tpd v. 0.69-0.6.20051030.fc6.x86_64 from Fedora Extras

Even when I allow communication from the net zone to fw and vice versa, I
don't see any messages when running l2tpd in debug mode (l2tpd -D), and
Shorewall logs blocking udp port 1701.

On my log:

  kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:04:23:a6:55:dd:00:20:6f:11:8e:3d:08:00
  SRC=(remote.ip) DST=(public.ip) LEN=131 TOS=0x00 PREC=0x00 TTL=120 ID=47828 PROTO=UDP
  SPT=1701 DPT=1701 LEN=111

Is there anybody running the L2TP daemon on a Shorewall firewall who would be
so kind as to send me some configuration examples? Do I need separate zones
for ipsec and l2tpd?

Any help would be appreciated.

My files:

/etc/shorewall/zones
  fw      firewall
  local   ipv4
  vpn1    ipsec
  vpn2    ipsec
  net     ipv4

/etc/shorewall/hosts
  local   eth0:192.168.10.0/24,192.168.20.0
  vpn1    eth1:192.168.110.0/24
  vpn2    eth1:192.168.120.0/24

/etc/shorewall/interfaces
  -       eth0    192.168.10.255,192.168.20.255
  -       eth1    192.168.110.255,192.168.120.255
  net     eth1    (my isp broadcast)

/etc/shorewall/policy
  fw      all     ACCEPT
  local   $FW     ACCEPT
  local   vpn1    ACCEPT
  local   vpn2    ACCEPT
  vpn1    local   ACCEPT
  vpn2    local   ACCEPT
  net     all     DROP    info
  # THE FOLLOWING POLICY MUST BE LAST
  all     all     REJECT  info

/etc/shorewall/rules
  SSH/ACCEPT      local   fw

/etc/shorewall/tunnels
  ipsec              net     0.0.0.0/0       local
  ipsecnat           net     0.0.0.0/0       local
  generic:udp:1701   net     0.0.0.0/0       local
Ruben Moretti wrote:
> Hello!
>
> I would like to run the l2tpd daemon on my firewall to enable road-warrior
> connection of Windows XP SP2 users to my local network.
> My firewall is built on:
>   shorewall 3.2.5
>   Fedora Core 6
>   kernel 2.6.18-1.2798.fc6
>   iptables 1.3.5
>   l2tpd v. 0.69-0.6.20051030.fc6.x86_64 from Fedora Extras
>
> Even when I allow communication from the net zone to fw and vice versa, I
> don't see any messages when running l2tpd in debug mode (l2tpd -D), and
> Shorewall logs blocking udp port 1701.
>
> On my log: kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT=
> MAC=00:04:23:a6:55:dd:00:20:6f:11:8e:3d:08:00 SRC=(remote.ip)
> DST=(public.ip) LEN=131 TOS=0x00 PREC=0x00 TTL=120 ID=47828 PROTO=UDP
> SPT=1701 DPT=1701 LEN=111
>
> Is there anybody running the L2TP daemon on a Shorewall firewall who would be
> so kind as to send me some configuration examples? Do I need separate zones
> for ipsec and l2tpd?

Hopefully, someone who gets this working will be kind enough to write an
article that we can add to the web site. Until then, each person who wants to
run it gets to wade through the details by themselves.

Since the UDP 1701 traffic is being blocked in the INPUT chain, I suspect that
policy match believes that it is encrypted. And since it is coming from the
remote end-point, it doesn't match either of your ipsec zones (they each
comprise a single RFC1918 class C network). So:

a) You need to have at least 1 ipsec zone that includes the remote tunnel
   end-points.
b) You need to accept UDP 1701 fw <-> that zone.
c) I suspect that you do not need the last entry in /etc/shorewall/tunnels.
d) You only need the ipsecnat entry in your tunnels file if you are enabling
   NAT traversal and the remote endpoint is behind a NAT router.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Hi Tom,

Thanks for your post. Now:

/etc/shorewall/zones
  fw      firewall
  local   ipv4
  ipsec   ipsec
  net     ipv4

/etc/shorewall/interfaces
  #ZONE   INTERFACE   BROADCAST   OPTIONS
  local   eth0        detect
  -       eth1        -

/etc/shorewall/hosts
  ...
  ipsec   eth1:172.30.99.0/24
  net     eth1:0.0.0.0/0

/etc/shorewall/rules
  ...
  ACCEPT  net     ipsec   udp     1701
  ACCEPT  ipsec   fw      udp     1701
  ...

and policy

  ipsec   fw      ACCEPT  info
  fw      ipsec   ACCEPT  info

/etc/shorewall/tunnels
  ipsec      net     0.0.0.0/0       ipsec
  ipsecnat   net     0.0.0.0/0       ipsec

but ... no way ... :-(

  Nov 13 17:54:49 linda kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT=
  MAC=00:04:23:a6:55:dd:00:20:6f:11:8e:3d:08:00 SRC=89.12.162.174
  DST=217.110.17.180 LEN=131 TOS=0x00 PREC=0x00 TTL=120 ID=31324 PROTO=UDP
  SPT=1701 DPT=1701 LEN=111

Maybe another idea :-)

Thanks
Ruben

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
Newsgroups: gmane.comp.security.shorewall
Sent: Monday, November 13, 2006 5:19 PM
Subject: Re: l2tp/ipsec with shorewall port udp 1701 blocked
Ruben Moretti wrote:
> Hi Tom,
> Thanks for your post. Now:
>
> /etc/shorewall/zones
>   fw      firewall
>   local   ipv4
>   ipsec   ipsec
>   net     ipv4
>
> /etc/shorewall/interfaces
>   #ZONE   INTERFACE   BROADCAST   OPTIONS
>   local   eth0        detect
>   -       eth1        -
>
> /etc/shorewall/hosts
>   ...
>   ipsec   eth1:172.30.99.0/24
>   net     eth1:0.0.0.0/0
>
> /etc/shorewall/rules
>   ...
>   ACCEPT  net     ipsec   udp     1701
>   ACCEPT  ipsec   fw      udp     1701
>   ...
>
> and policy
>
>   ipsec   fw      ACCEPT  info
>   fw      ipsec   ACCEPT  info
>
> /etc/shorewall/tunnels
>   ipsec      net     0.0.0.0/0       ipsec
>   ipsecnat   net     0.0.0.0/0       ipsec
>
> but ... no way ... :-(
>
>   Nov 13 17:54:49 linda kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT=
>   MAC=00:04:23:a6:55:dd:00:20:6f:11:8e:3d:08:00 SRC=89.12.162.174
>   DST=217.110.17.180 LEN=131 TOS=0x00 PREC=0x00 TTL=120 ID=31324 PROTO=UDP
>   SPT=1701 DPT=1701 LEN=111
>
> Maybe another idea :-)

Look at what you posted. The answer is right in front of you!

From /etc/shorewall/hosts:

  ipsec   eth1:172.30.99.0/24

From the event:

  SRC=89.12.162.174

Do you really believe that 89.12.162.174 is in 172.30.99.0/24?

-Tom
Uuuppss sorry. Alcohol lacking at work is not good :-)

Thanks
Bye

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Monday, November 13, 2006 6:08 PM
Subject: Re: [Shorewall-users] l2tp/ipsec with shorewall port udp 1701 blocked
Ruben Moretti wrote:
> Uuuppss sorry.
> Alcohol lacking at work is not good :-)
> Thanks
> Bye

Which version of Shorewall are you running? If you are willing to try some
pre-release code, I can point you to the SVN version of Shorewall 3.2.6 where
I've added some additional support for l2tp.

-Tom
Tom Eastep wrote:
> Ruben Moretti wrote:
>> Uuuppss sorry.
>> Alcohol lacking at work is not good :-)
>> Thanks
>> Bye
>
> Which version of Shorewall are you running? If you are willing to try some
> pre-release code, I can point you to the SVN version of Shorewall 3.2.6 where
> I've added some additional support for l2tp.

Please disregard this offer -- the code I added was brain-dead.

-Tom
Ruben Moretti wrote:
> Uuuppss sorry.
> Alcohol lacking at work is not good :-)
> Thanks

It is my understanding that the way that Microsoft's IPSEC/L2TP works is as
follows:

a) First an IPSEC SA is negotiated between the endpoints.
b) The client then initiates an L2TP (UDP 1701) session through the tunnel and
   will tunnel all of the VPN traffic through L2TP. So the only traffic to/from
   your remote ipsec zone will be L2TP.
c) The L2TP client or server that you run on the Shorewall box will create a
   ppp interface. It is through that interface that the real VPN traffic flows.

What does this mean with Shorewall?

1) It means that you need an ipsec zone; call it 'l2tp'. The only traffic
   to/from 'l2tp' will be UDP 1701 traffic to/from the firewall itself.
   Suppose that your 'net' interface is eth0. Then:

   /etc/shorewall/zones:
     ...
     l2tp    ipsec

   /etc/shorewall/interfaces:
     net     eth0    detect
     ...

   /etc/shorewall/hosts:
     l2tp    eth0:0.0.0.0/0

   /etc/shorewall/rules:
     ACCEPT  l2tp    $FW     udp     1701
     ACCEPT  $FW     l2tp    udp     1701

2) You must define the ppp interface to Shorewall. Your 'vpn' zone is assigned
   to that interface through an entry in /etc/shorewall/interfaces.

   /etc/shorewall/zones
     vpn     ipv4

   /etc/shorewall/interfaces
     vpn     ppp+    -
     ...

Please understand that the above is based on my understanding of how this
works. I have not installed or tested any L2TP configuration and I have no
plans to do so.

HTH,
-Tom
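The two diagnoses in this thread (Tom's "89.12.162.174 is not in 172.30.99.0/24" and his proposed l2tp zone covering 0.0.0.0/0 on the net interface) both come down to the same check: which zone does the rejected packet's source fall into, and does any rule then accept it to $FW? The script below is an added example and not Shorewall's own code or anything posted in the thread. It parses a Shorewall kernel log line of the form shown above, resolves the source zone from hosts entries (in file order, then the interface's own zone), and looks for the first matching rule to the firewall. It deliberately simplifies Shorewall's real zone matching: an ipsec zone additionally requires the kernel's IPsec policy match (the packet must have arrived decrypted), which a log line cannot show, so that condition is ignored here. The two configurations are transcribed from Ruben's second mail and from Tom's proposal; the eth0 variant of the log line is constructed to fit Tom's "net is eth0" assumption.

```python
import ipaddress
import re

# Constructed sample input: the rejected packet Ruben posted, verbatim from the thread.
LOG_LINE = (
    "Nov 13 17:54:49 linda kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= "
    "MAC=00:04:23:a6:55:dd:00:20:6f:11:8e:3d:08:00 SRC=89.12.162.174 "
    "DST=217.110.17.180 LEN=131 TOS=0x00 PREC=0x00 TTL=120 ID=31324 PROTO=UDP "
    "SPT=1701 DPT=1701 LEN=111"
)

# Ruben's second configuration, transcribed from his mail (hosts entries in file order).
RUBEN_INTERFACES = [("local", "eth0"), ("-", "eth1")]
RUBEN_HOSTS = [("ipsec", "eth1", "172.30.99.0/24"), ("net", "eth1", "0.0.0.0/0")]
RUBEN_RULES = [("ACCEPT", "net", "ipsec", "udp", 1701),
               ("ACCEPT", "ipsec", "$FW", "udp", 1701)]

# Tom's proposed configuration, with eth0 as the net interface as in his mail.
TOM_INTERFACES = [("net", "eth0")]
TOM_HOSTS = [("l2tp", "eth0", "0.0.0.0/0")]
TOM_RULES = [("ACCEPT", "l2tp", "$FW", "udp", 1701),
             ("ACCEPT", "$FW", "l2tp", "udp", 1701)]

_HEADER = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$")


def parse_shorewall_log(line):
    """Split a Shorewall kernel log line into chain, disposition and packet fields."""
    m = _HEADER.search(line)
    if m is None:
        raise ValueError("not a Shorewall log line")
    kv = {}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            kv[key] = value  # "OUT=" yields an empty string, as in the sample line
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
        "in": kv.get("IN", ""),
        "src": kv["SRC"],
        "dst": kv["DST"],
        "proto": kv.get("PROTO", "").lower(),
        "spt": int(kv["SPT"]) if "SPT" in kv else None,
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def source_zone(pkt, hosts, interfaces):
    """Simplified zone lookup (assumption): hosts entries for the ingress interface
    in file order, then the interface's own zone; '-' means no interface zone.
    The IPsec policy-match requirement of ipsec zones is not modelled."""
    src = ipaddress.ip_address(pkt["src"])
    for zone, iface, network in hosts:
        if iface == pkt["in"] and src in ipaddress.ip_network(network, strict=False):
            return zone
    for zone, iface in interfaces:
        if iface == pkt["in"] and zone != "-":
            return zone
    return None


def first_matching_rule(pkt, src_zone, rules, dst_zone="$FW"):
    """Return the action of the first rule matching (src zone, dst zone, proto, dport)."""
    for action, sz, dz, proto, dport in rules:
        if (sz, dz) == (src_zone, dst_zone) and proto == pkt["proto"] and dport == pkt["dpt"]:
            return action
    return None  # no rule: the packet falls through to the zone pair's policy


def diagnose(line, hosts, interfaces, rules):
    """(source zone, matching rule action) for a log line under a given configuration."""
    pkt = parse_shorewall_log(line)
    # A hit in the INPUT chain means the destination zone is the firewall itself ($FW).
    dst_zone = "$FW" if pkt["chain"] == "INPUT" else None
    zone = source_zone(pkt, hosts, interfaces)
    action = first_matching_rule(pkt, zone, rules, dst_zone) if dst_zone else None
    return zone, action


if __name__ == "__main__":
    # Ruben's config: the source lands in 'net', and no rule accepts net -> $FW udp 1701.
    print(diagnose(LOG_LINE, RUBEN_HOSTS, RUBEN_INTERFACES, RUBEN_RULES))
    # Tom's config (constructed eth0 variant of the same packet): zone 'l2tp', ACCEPT.
    print(diagnose(LOG_LINE.replace("IN=eth1", "IN=eth0"), TOM_HOSTS, TOM_INTERFACES, TOM_RULES))
```

Run against Ruben's own log line and configuration, the script reports zone "net" and no matching rule, which is exactly why the packet ends up in the REJECT policy; under Tom's proposal the same packet resolves to "l2tp" and hits the ACCEPT rule. Keep in mind the caveat in the lead-in: on a real box the ipsec zone match also depends on the packet having come through the IPsec SA, so a 0.0.0.0/0 hosts entry for an ipsec zone does not expose UDP 1701 to unencrypted traffic from the Internet.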
On Mon, Nov 13, 2006 at 01:08:52PM -0800, Tom Eastep wrote:
> Ruben Moretti wrote:
> > Uuuppss sorry.
> > Alcohol lacking at work is not good :-)
> > Thanks
>
> It is my understanding that the way that Microsoft's IPSEC/L2TP works is as
> follows:
>
> a) First an IPSEC SA is negotiated between the endpoints.
> b) The client then initiates an L2TP (UDP 1701) session through the tunnel and
>    will tunnel all of the VPN traffic through L2TP. So the only traffic to/from
>    your remote ipsec zone will be L2TP.
> c) The L2TP client or server that you run on the Shorewall box will create a
>    ppp interface. It is through that interface that the real VPN traffic flows.

That's right - I used to have one of these set up. It is ugly and a real pain
to get working. Trying to configure ipsec correctly on Windows is particularly
agonising.

Unless you're trying to get domain logons to work over the vpn tunnel (and
frankly, this is not a good idea - Windows does not handle it very well), do
yourself a favour and use openvpn instead. The firewall configuration is
simpler and the client side is much less insane.

As far as I can tell, it doesn't work any better if you use a Windows box as
the gateway, either. I suspect that their VPN support is only present because
they wanted to say that they had it.