Götz Reinicke
2007-Jul-02 14:44 UTC
ipsec tunnel from behind NATing shorewall - sort off OT may be
Hi,

we have the task to set up a VPN tunnel between a remote network and a VPN gateway (Astaro firewall) which is located behind my Shorewall (like in this setup: http://jixen.tripod.com/ -> Subnet-to-Subnet configuration with a NATed gateway, but with other IPs ;-)).

I'd like to find out if the problem is the Shorewall or the Astaro firewall.

So far the gateways can communicate through our Shorewall (ping, traceroute, https access), but the VPN ID is wrong (that's the information I do get from the remote admin).

The remote connection is established to the public IP aaa.aaa.aaa.aaa, but the response is from the private IP bbb.bbb.bbb.bbb.

I've read about NAT Traversal (NAT-T) and read the Shorewall documentation (http://www.shorewall.net/VPNBasics.html and http://www.shorewall.net/manpages/shorewall-tunnels.html) but I'm not sure that I've understood everything right.

Maybe you could give me a hint on the following question:

- Do I have to set up a tunnel config on my Shorewall? (I thought it would be enough to set up nat-to-nat from the public IP to an internal IP and open the required ports from the remote gateway to the internal gateway.)

All I've read so far concerns traffic between the Shorewall and other hosts (like described here: http://www.shorewall.net/manpages/shorewall-tunnels.html) and not the traffic between two remote hosts.

Thanks for any hints pushing me in the right direction!

Best regards

Götz Reinicke

-- 
Götz Reinicke
IT Coordinator
Tel. +49 7141 969 420
Fax +49 7141 969 55 420
E-Mail goetz.reinicke@filmakademie.de

Filmakademie Baden-Württemberg GmbH
Mathildenstr. 20
71638 Ludwigsburg
www.filmakademie.de

Registered at Amtsgericht Stuttgart HRB 205016
Chairman of the Supervisory Board: Dr. Christoph Palmer, MdL, Minister (ret.)
Managing Director: Prof. Thomas Schadt

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Tom Eastep
2007-Jul-02 19:27 UTC
Re: ipsec tunnel from behind NATing shorewall - sort off OT may be
Götz Reinicke wrote:
> Hi,
>
> we have the task to set up a VPN tunnel between a remote network and a
> VPN gateway (Astaro firewall) which is located behind my Shorewall (like
> in this setup: http://jixen.tripod.com/ -> Subnet-to-Subnet
> configuration with a NATed gateway, but with other IPs ;-))
>
> I'd like to find out if the problem is the Shorewall or the Astaro
> firewall.
>
> So far the gateways can communicate through our Shorewall (ping,
> traceroute, https access), but the VPN ID is wrong (that's the information
> I do get from the remote admin).
>
> The remote connection is established to the public IP aaa.aaa.aaa.aaa,
> but the response is from the private IP bbb.bbb.bbb.bbb.
>
> I've read about NAT Traversal (NAT-T) and read the Shorewall
> documentation (http://www.shorewall.net/VPNBasics.html and
> http://www.shorewall.net/manpages/shorewall-tunnels.html) but I'm not
> sure that I've understood everything right.
>
> Maybe you could give me a hint on the following question:
>
> - Do I have to set up a tunnel config on my Shorewall? (I thought it
> would be enough to set up nat-to-nat from the public IP to an internal
> IP and open the required ports from the remote gateway to the internal
> gateway.)

You need no tunnel configuration. You must use NAT traversal on the VPN link if you want it to work reliably. In that case, you simply need to accept UDP 500 and UDP 4500 in both directions.

> All I've read so far concerns traffic between the Shorewall and other
> hosts (like described here:
> http://www.shorewall.net/manpages/shorewall-tunnels.html) and not the
> traffic between two remote hosts.
>
> Thanks for any hints pushing me in the right direction!

As always, we need the information requested at http://www.shorewall.net/support.htm#Guidelines in order to be very helpful.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Bob Proulx
2007-Jul-03 01:35 UTC
Re: ipsec tunnel from behind NATing shorewall - sort off OT may be
Götz Reinicke wrote:
> So far the gateways can communicate through our Shorewall (ping,
> traceroute, https access), but the VPN ID is wrong (that's the information
> I do get from the remote admin).

You are getting information second-hand. We are now getting this information third-hand. Each layer makes it more difficult.

> The remote connection is established to the public IP aaa.aaa.aaa.aaa,
> but the response is from the private IP bbb.bbb.bbb.bbb.

This sounds very similar to a problem I experienced. For reference, here is the previous discussion.

http://thread.gmane.org/gmane.comp.security.shorewall/15050/focus=15061

In my case the packets' destination addresses were getting translated but the source addresses were not. I needed both. In that previous discussion I asked:

> > > Shouldn't the source address have been translated to be from 10.1.0.1?

Tom answered:

> > No.
> >
> > ...later in another message...
> >
> > The rewriting of the source address in a packet (SNAT) is *always* a
> > work-around for some sort of inadequate routing and Shorewall doesn't
> > assume that the whole world has broken routing.

(I still disagree that this is a workaround for a routing problem but that is another discussion. However, understanding how this control is split into two pieces allowed me to do what I wanted regardless and all is happy now.)

With this knowledge everything fell into place for me. I needed both a DNAT- entry in the rules file and an entry in the masq file so that translation would occur for both the source and the destination of the packets. Tom suggested:

> > So you could rewrite your nat entry as:
> >
> > /etc/shorewall/masq:
> >
> > eth0 10.1.0.2 15.6.88.149
> >
> > /etc/shorewall/rules:
> >
> > DNAT- net loc:10.1.0.2 - - - 15.6.88.149

Your situation sounds similar when you say that the response is coming from the private IP address and is not getting translated. Therefore perhaps you have fallen into the same situation? There was not enough information to really know what was going on with your case but I will offer this as one possibility because to me it "smelled" the same.

Bob
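As an added example that is not part of the thread, here is how the two answers above combine for the original poster's setup: Tom's point that only UDP 500 (IKE) and UDP 4500 (NAT-T) need to be accepted in both directions, and Bob's pairing of a rules-file DNAT entry with a masq entry so that both destination and source addresses are rewritten. It assumes the column layout shown in Bob's quoted entries, eth0 as the Internet-facing interface, zones named net and loc, aaa.aaa.aaa.aaa as the Shorewall's public IP and bbb.bbb.bbb.bbb as the Astaro gateway's private IP, as in the original post.

```text
# /etc/shorewall/rules
#ACTION  SOURCE               DEST                 PROTO  DEST PORT(S)  SOURCE PORT(S)  ORIGINAL DEST
# Inbound: IKE and NAT-T arriving on the public address are forwarded to
# the Astaro gateway. DNAT (without the trailing "-") also generates the
# ACCEPT for the forwarded traffic, so no separate ACCEPT rule is needed.
DNAT     net                  loc:bbb.bbb.bbb.bbb  udp    500,4500      -               aaa.aaa.aaa.aaa
# Outbound: let the Astaro gateway initiate and answer IKE/NAT-T itself.
ACCEPT   loc:bbb.bbb.bbb.bbb  net                  udp    500,4500

# /etc/shorewall/masq
#INTERFACE  SOURCE            ADDRESS
# Source-translate the gateway's outbound packets to the public IP, so the
# remote peer sees aaa.aaa.aaa.aaa and not the private bbb.bbb.bbb.bbb.
eth0        bbb.bbb.bbb.bbb   aaa.aaa.aaa.aaa
```

With NAT-T the ESP payload travels inside UDP 4500, which is why no ESP (IP protocol 50) rule appears here. The IKE identity ("VPN ID") that the Astaro presents is configured on the Astaro itself and is not rewritten by this NAT, so if the remote admin still reports a wrong ID after these entries are in place, the gateway's own identity setting is the next thing to check.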
Tom Eastep
2007-Jul-03 17:11 UTC
Re: ipsec tunnel from behind NATing shorewall - sort off OT may be
Bob Proulx wrote:
> Your situation sounds similar when you say that the response is coming
> from the private IP address and is not getting translated. Therefore
> perhaps you have fallen into the same situation? There was not enough
> information to really know what was going on with your case but I will
> offer this as one possibility because to me it "smelled" the same.
>

If I recall correctly, the key element in Bob's setup was that the local simple device didn't support setting a default route. So SNAT had to be used on incoming traffic so that the device was able to reply.

-Tom

-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Bob Proulx
2007-Jul-06 01:26 UTC
Re: ipsec tunnel from behind NATing shorewall - sort off OT may be
Tom Eastep wrote:
> If I recall correctly, the key element in Bob's setup was that the local
> simple device didn't support setting a default route. So SNAT had to be used
> on incoming traffic so that the device was able to reply.

Yes and no. That was certainly one way that it manifested as a problem. I was getting test devices with the OS in ROM that I could not change, and they did not expect to see addresses from off of their local subnet. But also I *wanted* both source and destination addresses to be translated. Since it was not doing what I wanted it to do I kept working at it until it did. :-)

I was quite happy with the result that I needed to specify separately that both translations needed to occur. I just needed to get to that point in my understanding. After I understood it then I was good to go.

Also let me say that I am very happy with Shorewall. It has been a superior solution for me for quite a few years now. Thanks Tom!

Bob