Shorewall users - Apr 2007 - IPSec Passthrough fails when using Cisco VPN client

I have Shorewall running as an office gateway performing NAT for local clients
to access Internet.  There is a policy allowing full access from loc -> net.

Problem arrises when trying to connect a Cisco VPN client to a VPN server on the
Internet from a local workstation.

The cisco client log shows:

Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

If I bypass the Linux Shorewall gateway the connection works perfectly.  This is
the only type of connection to the Internet that seems to have any problems -
www, https, ftp, MSN etc all connect no problem.

I have tried to remove shorewall from the equation by doing the following with
no luck.
sudo shorewall clear
sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j MASQUERADE

I have searched high and low but have not been able to find anything that will
help with this problem.  Has anyone else had a similar experience?  Can anyone
point me in the right direction as this problem is completely beyond my
knowledge and experience.

Attached is the status.txt file as created by shorewall dump.  For this example
I attempted to connect between 192.168.118.118 and 203.110.142.69.  If I have
missed anything or you need further information please let me know.

Thankyou in advance,
Peter




-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Peter Wilson wrote:
> I have Shorewall running as an office gateway performing NAT for local
clients to access Internet.
> There is a policy allowing full access from loc -> net.
> 
> Problem arrises when trying to connect a Cisco VPN client to a VPN server
on the Internet from a
> local workstation.
> 
> The cisco client log shows:
> 
> Automatic NAT Detection Status:
>    Remote end is NOT behind a NAT device
>    This   end IS behind a NAT device
> 
> If I bypass the Linux Shorewall gateway the connection works perfectly.
> This is the only type of connection to the Internet that seems to have
> any problems - www, https, ftp, MSN etc all connect no problem.
> 
> I have tried to remove shorewall from the equation by doing the following
with no luck.
> sudo shorewall clear
> sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j
MASQUERADE
That eliminates Shorewall completely. And I don''t know of anything else
on the Linux gateway that could cause a problem.
> 
> I have searched high and low but have not been able to find anything that
> will help with this problem.  Has anyone else had a similar
> experience?
Afraid not -- my MS ipsec/l2tp client behind my firewall has always
worked flawlessly.
> Can anyone point me in the right direction as this problem is
> completely beyond my knowledge and experience.
> 
> Attached is the status.txt file as created by shorewall dump
> For this example I attempted to connect between 192.168.118.118
> and 203.110.142.69.  If I have missed anything or you need further
> information please let me know.
From the dump, you can see that the initial UDP 500 ISAKMP exchange
worked correctly.
> udp      17 171 src=192.168.118.118 dst=203.110.142.69 sport=500
> dport=500 packets=1 bytes=897 src=203.110.142.69 dst=203.110.148.145
> sport=500 dport=500 packets=5 bytes=1984 [ASSURED] mark=0 use=1
The local client correctly detects NAT and attempts to use NAT-T:
> udp      17 4 src=192.168.118.118 dst=203.110.142.69 sport=4500
> dport=4500 packets=5 bytes=582 [UNREPLIED] src=203.110.142.69
> dst=203.110.148.145 sport=4500 dport=4500 packets=0 bytes=0 mark=0 >
> use=1
But the server has not replied.

My instinct is that the problem lies with your VPN configuration
(probably on the server end -- is it configured for NAT-T? It must be).
But that is only my instinct since I have not used the Cisco VPN client
or server.

Sorry I can''t be of more help.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Thanks for the reply Tom.

Could it have anything to do with Shorewall 3.0 and Kernel 2.6 IPSEC as
discussed on http://shorewall.net/IPSEC-2.6.html

Shorewall is just a front end to netfilter isn''t it?  could it be that
my kernel (2.6.15-23-686) is source of the problem?

Server side isn''t a problem as we have connected the same clients from
a number of different NAT environments without a problem.  Unfortunately this is
the only gateway that has caused this behaviour.  I also have 2 similarly
configured linux gateways (with the same kernel version) that exhibit exactly
the same behaviour.  The idea is to eventually use these 2 boxes to create a HA
gateway using heartbeat.



-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net]On Behalf Of Tom Eastep
Sent: Tuesday, 17 April 2007 2:17 PM
To: Shorewall Users
Subject: Re: [Shorewall-users] IPSec Passthrough fails when using Cisco VPN
client

Peter Wilson wrote:
> I have Shorewall running as an office gateway performing NAT for local
clients to access Internet.
> There is a policy allowing full access from loc -> net.
>
> Problem arrises when trying to connect a Cisco VPN client to a VPN server
on the Internet from a
> local workstation.
>
> The cisco client log shows:
>
> Automatic NAT Detection Status:
>    Remote end is NOT behind a NAT device
>    This   end IS behind a NAT device
>
> If I bypass the Linux Shorewall gateway the connection works perfectly.
> This is the only type of connection to the Internet that seems to have
> any problems - www, https, ftp, MSN etc all connect no problem.
>
> I have tried to remove shorewall from the equation by doing the following
with no luck.
> sudo shorewall clear
> sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j
MASQUERADE
That eliminates Shorewall completely. And I don''t know of anything else
on the Linux gateway that could cause a problem.
>
> I have searched high and low but have not been able to find anything that
> will help with this problem.  Has anyone else had a similar
> experience?
Afraid not -- my MS ipsec/l2tp client behind my firewall has always
worked flawlessly.
> Can anyone point me in the right direction as this problem is
> completely beyond my knowledge and experience.
>
> Attached is the status.txt file as created by shorewall dump
> For this example I attempted to connect between 192.168.118.118
> and 203.110.142.69.  If I have missed anything or you need further
> information please let me know.
>From the dump, you can see that the initial UDP 500 ISAKMP exchange
worked correctly.
> udp      17 171 src=192.168.118.118 dst=203.110.142.69 sport=500
> dport=500 packets=1 bytes=897 src=203.110.142.69 dst=203.110.148.145
> sport=500 dport=500 packets=5 bytes=1984 [ASSURED] mark=0 use=1
The local client correctly detects NAT and attempts to use NAT-T:
> udp      17 4 src=192.168.118.118 dst=203.110.142.69 sport=4500
> dport=4500 packets=5 bytes=582 [UNREPLIED] src=203.110.142.69
> dst=203.110.148.145 sport=4500 dport=4500 packets=0 bytes=0 mark=0 >
> use=1
But the server has not replied.

My instinct is that the problem lies with your VPN configuration
(probably on the server end -- is it configured for NAT-T? It must be).
But that is only my instinct since I have not used the Cisco VPN client
or server.

Sorry I can''t be of more help.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Peter Wilson wrote:
> Thanks for the reply Tom.
> 
> Could it have anything to do with Shorewall 3.0 and Kernel
> 2.6 IPSEC as discussed on http://shorewall.net/IPSEC-2.6.html
Not unless you have configured IPSEC policies on the firewall system. All
the firewall system should see is UDP packets that are destined for another
system.
> 
> Shorewall is just a front end to netfilter isn''t it?
> could it be that my kernel (2.6.15-23-686) is source of the problem?
> 
That''s a possibility, I suppose. That is a fairly old kernel, as
kernels go
(so is your Shorewall -- it is about to go into the
''unsupported'' catagory).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/

Peter:

We had to deal with this some weeks ago.
I think the only part you have missed is the NAT.
Cisco VPN requires the desktop has a valid IP.
So just create a NAT, and you''ll be OK.


If you still has problems, don''t hesitate to contact me and we can do
some test together.

Cheers,

--
Vene.-


-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of
Peter Wilson
Sent: Monday, April 16, 2007 10:21 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] IPSec Passthrough fails when using Cisco
VPNclient

I have Shorewall running as an office gateway performing NAT for local
clients to access Internet.  There is a policy allowing full access from
loc -> net.

Problem arrises when trying to connect a Cisco VPN client to a VPN
server on the Internet from a local workstation.  

The cisco client log shows:

Automatic NAT Detection Status:
   Remote end is NOT behind a NAT device
   This   end IS behind a NAT device

If I bypass the Linux Shorewall gateway the connection works perfectly.
This is the only type of connection to the Internet that seems to have
any problems - www, https, ftp, MSN etc all connect no problem.

I have tried to remove shorewall from the equation by doing the
following with no luck.
sudo shorewall clear
sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j
MASQUERADE

I have searched high and low but have not been able to find anything
that will help with this problem.  Has anyone else had a similar
experience?  Can anyone point me in the right direction as this problem
is completely beyond my knowledge and experience.


Attached is the status.txt file as created by shorewall dump.  For this
example I attempted to connect between 192.168.118.118 and
203.110.142.69.  If I have missed anything or you need further
information please let me know.

Thankyou in advance,
Peter



________________________________________________________________________
This email has been scanned for all viruses by the MessageLabs Email
Security System. BlackList requests should be sent to
blacklist@securities.com, WhiteList requests should be sent to
whitelist@securities.com. Contact the Global Operations Team
(help@securities.com) if you need additional support.
________________________________________________________________________

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/