I see support in shorewall for the KAME-tools, how about strongswan?
I have set up shorewall 3.4.4 and strongswan 4.1.3, making this my
vpn-gateway for the subnet behind it.

# Shorewall version 3.4 - Zones File
#ZONE   TYPE       OPTIONS                 IN          OUT
#                                          OPTIONS     OPTIONS
fw      firewall
fil     ipsec      mode=tunnel mss=1400
net     ipv4
loc     ipv4
vpn1    ipv4
vpn2    ipv4

# Shorewall version 3.4 - Tunnels File
#TYPE                 ZONE    GATEWAY            GATEWAY
#                                                ZONE
openvpnserver:7777    net     0.0.0.0/0
openvpnserver:7778    net     0.0.0.0/0
ipsec                 net     212.168.178.226

# Shorewall version 3.4 - Hosts file
#ZONE   HOST(S)                    OPTIONS
fil     eth1:192.168.246.0/24      ipsec

# Shorewall version 3.4 - Interfaces File
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      norfc1918,nosmurfs
loc     eth0        detect
vpn1    tun0        (these are openvpn tunnels)
vpn2    tun1        ...

policy (for testing only)
# IPSec - VPN
fil     fw      ACCEPT
fw      fil     ACCEPT
fil     loc     ACCEPT
loc     fil     ACCEPT

My problem is to reach the remote sites; from a remote station to hosts on
the LAN behind the shorewall there is no problem at all.
But how does shorewall "help" routing to recognize that those private IPs
are to be reached through the ipsec tunnel? There is no transfer net like
with OpenVPN where I could easily add routes by hand.

What am I doing wrong here?

Thanks in advance for any hint.
Best regards from Germany,
--
With kind regards,
Philipp Rusch

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Philipp Rusch wrote:
> I see support in shorewall for the KAME-tools, how about strongswan?

Shorewall does not have support for the KAME-tools. The Shorewall
IPSEC-2.6 documentation happens to use the KAME-tools to configure IPSEC
but there is nothing in Shorewall that is KAME-specific.

> I have set up shorewall 3.4.4 and strongswan 4.1.3, making this my
> vpn-gateway for the subnet behind it.
>
> # Shorewall version 3.4 - Zones File
> #ZONE   TYPE       OPTIONS                 IN          OUT
> #                                          OPTIONS     OPTIONS
> fw      firewall
> fil     ipsec      mode=tunnel mss=1400
> net     ipv4
> loc     ipv4
> vpn1    ipv4
> vpn2    ipv4
>
> # Shorewall version 3.4 - Tunnels File
> #TYPE                 ZONE    GATEWAY            GATEWAY
> #                                                ZONE
> openvpnserver:7777    net     0.0.0.0/0
> openvpnserver:7778    net     0.0.0.0/0
> ipsec                 net     212.168.178.226
>
> # Shorewall version 3.4 - Hosts file
> #ZONE   HOST(S)                    OPTIONS
> fil     eth1:192.168.246.0/24      ipsec
>
> # Shorewall version 3.4 - Interfaces File
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth1        detect      norfc1918,nosmurfs
> loc     eth0        detect
> vpn1    tun0        (these are openvpn tunnels)
> vpn2    tun1        ...
>
> policy (for testing only)
> # IPSec - VPN
> fil     fw      ACCEPT
> fw      fil     ACCEPT
> fil     loc     ACCEPT
> loc     fil     ACCEPT
>
> My problem is to reach the remote sites; from a remote station to hosts on
> the LAN behind the shorewall there is no problem at all.

So remote sites can reach local ones but local ones can't reach remote ones?

> But how does shorewall "help" routing to recognize that those private IPs
> are to be reached through the ipsec tunnel?

a) Shorewall doesn't 'help' anything. If this IPSEC setup doesn't work
without Shorewall, then it won't work with Shorewall.

b) Under kernel 2.6, IPSEC policies are totally separate from routing.

> There is no transfer net like with OpenVPN where I could easily add
> routes by hand.
>
> What am I doing wrong here?

a) Does everything work if you "shorewall clear" then run this command?

iptables -A FORWARD -j TCPMSS --set-mss 1400

If it doesn't, then the problem has nothing to do with Shorewall.

b) If everything works without Shorewall, then what are you seeing in
your Shorewall log?

c) If you can't solve the problem by looking at your log then please
follow the instructions at http://www.shorewall.net/support.htm#Guidelines.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
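Tom's point b) is the one that decides this kind of case: with the native IPsec stack of a 2.6 kernel there is no tunnel interface, the Security Policy Database selects packets for ESP encapsulation after the routing decision, and `ip route get` will happily show the remote subnet going out via the default gateway even when the tunnel works. What answers the question is `ip xfrm policy` (is there a `dir out` policy whose selector covers this source and destination?) and `ip xfrm state` (do SAs exist for that policy's template in both directions?), and neither depends on what Shorewall has loaded. The script below is an added example, not code from this thread, from Shorewall or from strongSwan: it parses the two command outputs and reports for a given flow whether it will be tunnelled and, if not, which piece is missing. The command output embedded in it is constructed; 192.168.246.0/24 and 212.168.178.226 are taken from the hosts and tunnels files above and treated as the remote LAN and remote gateway, while the local LAN 10.1.1.0/24 and the local gateway address 203.0.113.5 are assumptions.

```python
# Added example (not Shorewall or strongSwan code): decide from `ip xfrm policy`
# and `ip xfrm state` output whether a flow will be ESP-encapsulated. On a 2.6
# kernel that decision is made by the policy database after routing, so
# `ip route get` is the wrong tool. Both command-output samples are constructed.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `ip xfrm policy` output. 192.168.246.0/24 and 212.168.178.226 are the
# remote LAN and remote gateway from the thread's hosts/tunnels files; the local LAN
# 10.1.1.0/24 and the local gateway 203.0.113.5 are assumptions for this example.
XFRM_POLICY_SAMPLE = """\
src 10.1.1.0/24 dst 192.168.246.0/24
    dir out priority 2344 ptype main
    tmpl src 203.0.113.5 dst 212.168.178.226
        proto esp reqid 1 mode tunnel
src 192.168.246.0/24 dst 10.1.1.0/24
    dir in priority 2344 ptype main
    tmpl src 212.168.178.226 dst 203.0.113.5
        proto esp reqid 1 mode tunnel
"""

# Constructed `ip xfrm state` output, one SA per direction (algorithm lines elided).
XFRM_STATE_SAMPLE = """\
src 203.0.113.5 dst 212.168.178.226
    proto esp spi 0xc1a2b3c4 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
src 212.168.178.226 dst 203.0.113.5
    proto esp spi 0xd4e5f6a7 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
"""

@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str
    priority: int
    tmpl_src: str
    tmpl_dst: str
    reqid: int

@dataclass
class State:
    src: str
    dst: str
    spi: int
    reqid: int

@dataclass
class Verdict:
    tunnelled: bool
    reason: str
    policy: Optional[Policy] = None

def _entries(text: str) -> List[str]:
    """Fold each top-level 'src ... dst ...' entry and its indented lines into one string."""
    entries: List[str] = []
    for line in text.splitlines():
        if line.startswith("src "):
            entries.append(line.strip())
        elif line.strip() and entries:
            entries[-1] += " " + line.strip()
    return entries

def parse_policies(text: str) -> List[Policy]:
    pat = re.compile(r"src (\S+) dst (\S+) dir (\w+) priority (\d+).*?"
                     r"tmpl src (\S+) dst (\S+) proto \w+ reqid (\d+)")
    found = [pat.match(e) for e in _entries(text)]  # entries without a template are skipped
    return [Policy(ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2]), m[3],
                   int(m[4]), m[5], m[6], int(m[7])) for m in found if m]

def parse_states(text: str) -> List[State]:
    pat = re.compile(r"src (\S+) dst (\S+) proto \w+ spi (0x[0-9a-fA-F]+) reqid (\d+)")
    found = [pat.match(e) for e in _entries(text)]
    return [State(m[1], m[2], int(m[3], 16), int(m[4])) for m in found if m]

def check_flow(src_ip: str, dst_ip: str, policy_text: str = XFRM_POLICY_SAMPLE,
               state_text: str = XFRM_STATE_SAMPLE) -> Verdict:
    """Mimic the kernel's outbound decision: policy lookup first, then SA lookup."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    matches = [p for p in parse_policies(policy_text)
               if p.direction == "out" and src in p.src and dst in p.dst]
    if not matches:
        return Verdict(False, f"no 'dir out' policy covers {src} -> {dst}; the packet leaves "
                              "in clear via the routing table (check the subnet selectors "
                              "and the packet's source address)")
    pol = min(matches, key=lambda p: p.priority)  # lower priority value wins in xfrm
    states = parse_states(state_text)
    key = (pol.tmpl_src, pol.tmpl_dst, pol.reqid)
    out_sa = [s for s in states if (s.src, s.dst, s.reqid) == key]
    in_sa = [s for s in states if (s.dst, s.src, s.reqid) == key]  # reverse direction
    if not out_sa:
        return Verdict(False, f"policy reqid {pol.reqid} matches but no outbound SA "
                              f"{pol.tmpl_src} -> {pol.tmpl_dst} exists; IKE has not set it "
                              "up, so the IKE daemon's log is the place to look", pol)
    if not in_sa:
        return Verdict(False, f"outbound SA present but no inbound SA for reqid "
                              f"{pol.reqid}; replies cannot be decrypted", pol)
    return Verdict(True, f"ESP tunnel {pol.tmpl_src} -> {pol.tmpl_dst}, reqid {pol.reqid}, "
                         f"SPI {out_sa[0].spi:#x}", pol)

if __name__ == "__main__":
    # A LAN host reaching the remote LAN, then the gateway itself pinging with its
    # public address as source, which no policy selector covers.
    for flow in (("10.1.1.20", "192.168.246.10"), ("203.0.113.5", "192.168.246.10")):
        v = check_flow(*flow)
        print(f"{flow[0]} -> {flow[1]}: {'tunnelled' if v.tunnelled else 'NOT tunnelled'}; {v.reason}")
```

To use it on the real box, feed it the live output (`ip xfrm policy` and `ip xfrm state`) instead of the samples; the result does not change between `shorewall clear` and `shorewall start`, which is exactly why the firewall is the wrong place to look first. The second flow in the main block is the usual trap when testing from the gateway itself: a ping sent from the firewall leaves with the eth1 address as source, no subnet selector covers it, and it goes out in clear over the default route whatever the routing table says; test from a host behind eth0, or with `ping -I <lan-address>`.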
Tom Eastep wrote:
> Philipp Rusch wrote:
>
>> I see support in shorewall for the KAME-tools, how about strongswan?
>>
>
> Shorewall does not have support for the KAME-tools. The Shorewall
> IPSEC-2.6 documentation happens to use the KAME-tools to configure IPSEC
> but there is nothing in Shorewall that is KAME-specific.
>
>
>> I have set up shorewall 3.4.4 and strongswan 4.1.3, making this my
>> vpn-gateway for the subnet behind it.
>>
>> # Shorewall version 3.4 - Zones File
>> #ZONE   TYPE       OPTIONS                 IN          OUT
>> #                                          OPTIONS     OPTIONS
>> fw      firewall
>> fil     ipsec      mode=tunnel mss=1400
>> net     ipv4
>> loc     ipv4
>> vpn1    ipv4
>> vpn2    ipv4
>>
>> # Shorewall version 3.4 - Tunnels File
>> #TYPE                 ZONE    GATEWAY            GATEWAY
>> #                                                ZONE
>> openvpnserver:7777    net     0.0.0.0/0
>> openvpnserver:7778    net     0.0.0.0/0
>> ipsec                 net     212.168.178.226
>>
>> # Shorewall version 3.4 - Hosts file
>> #ZONE   HOST(S)                    OPTIONS
>> fil     eth1:192.168.246.0/24      ipsec
>>
>> # Shorewall version 3.4 - Interfaces File
>> #ZONE   INTERFACE   BROADCAST   OPTIONS
>> net     eth1        detect      norfc1918,nosmurfs
>> loc     eth0        detect
>> vpn1    tun0        (these are openvpn tunnels)
>> vpn2    tun1        ...
>>
>> policy (for testing only)
>> # IPSec - VPN
>> fil     fw      ACCEPT
>> fw      fil     ACCEPT
>> fil     loc     ACCEPT
>> loc     fil     ACCEPT
>>
>>
>> My problem is to reach the remote sites; from a remote station to hosts on
>> the LAN behind the shorewall there is no problem at all.
>>
>
> So remote sites can reach local ones but local ones can't reach remote ones?
>

YES, exactly - and in addition, I have major problems connecting to the fw
itself (e.g. with PuTTY) from remote and then starting mc or YaST from the
TTY screen, which produces some traffic; then this session hangs.

>> But how does shorewall "help" routing to recognize that those private IPs
>> are to be reached through the ipsec tunnel?
>>
>
> a) Shorewall doesn't 'help' anything. If this IPSEC setup doesn't work
> without Shorewall, then it won't work with Shorewall.
>
> b) Under kernel 2.6, IPSEC policies are totally separate from routing.
>
>> There is no transfer net like with OpenVPN where I could easily add
>> routes by hand.
>>
>> What am I doing wrong here?
>>
>
> a) Does everything work if you "shorewall clear" then run this command?
>
> iptables -A FORWARD -j TCPMSS --set-mss 1400
>
> If it doesn't, then the problem has nothing to do with Shorewall.
>

I will try this tomorrow, it's late at night here.

> b) If everything works without Shorewall, then what are you seeing in
> your Shorewall log?
>

If I ping or traceroute to a remote private IP address it goes to the
all2all queue, which means to me that shorewall is not set up correctly
for those tunnels.

> c) If you can't solve the problem by looking at your log then please
> follow the instructions at http://www.shorewall.net/support.htm#Guidelines.
>

OK - I will do this tomorrow. Thanks for your time, Tom!

> -Tom
>

Regards,
Philipp
Hello Tom,

I did what you suggested:

>> a) Does everything work if you "shorewall clear" then run this command?
>>
>> iptables -A FORWARD -j TCPMSS --set-mss 1400
>>
>> If it doesn't, then the problem has nothing to do with Shorewall
>>

I get an error: "iptables: Unknown error 18446744073709551615"

What does that mean? Is my kernel broken?
OK - googled for that error and found some discussion in
lists.netfilter.org ...
but, to be honest, I don't understand/know what to do now.
This seems to be related to the very new kernel I am using here.
The system has been set up with SuSE 10.1 "remastered version" and
afterwards updated to the latest "YOU" patches and all the stuff that
comes automatically from SuSE as fixes and patches.
How do I go on now?

Regards,
--
With kind regards,
Philipp Rusch
Addition: This is kernel-smp-2.6.16.27-0.9 of SuSE 10.1 x86_64 on a Xeon 3.2GHz EM64T

Philipp Rusch wrote:
> Hello Tom,
>
> I did what you suggested:
>>> a) Does everything work if you "shorewall clear" then run this command?
>>>
>>> iptables -A FORWARD -j TCPMSS --set-mss 1400
>>>
>>> If it doesn't, then the problem has nothing to do with Shorewall
>>>
> I get an error: "iptables: Unknown error 18446744073709551615"
>
> What does that mean? Is my kernel broken?
> OK - googled for that error and found some discussion in
> lists.netfilter.org ...
> but, to be honest, I don't understand/know what to do now.
> This seems to be related to the very new kernel I am using here.
> The system has been set up with SuSE 10.1 "remastered version" and
> afterwards updated to the latest "YOU" patches and all the stuff that
> comes automatically from SuSE as fixes and patches.
> How do I go on now?
>
> Regards,
> --
> With kind regards,
> Philipp Rusch
Philipp Rusch wrote:
> Hello Tom,
>
> I did what you suggested:
>>> a) Does everything work if you "shorewall clear" then run this command?
>>>
>>> iptables -A FORWARD -j TCPMSS --set-mss 1400
>>>
>>> If it doesn't, then the problem has nothing to do with Shorewall
>>>
> I get an error: "iptables: Unknown error 18446744073709551615"
>
> What does that mean? Is my kernel broken?
> OK - googled for that error and found some discussion in
> lists.netfilter.org ...
> but, to be honest, I don't understand/know what to do now.
>

It's an old bug that has been fixed for months that the "Enterprise"
distributions are just now encountering.

At any rate, the command I gave you was incomplete. It should have been:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400

Sorry for the confusion,

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Philipp Rusch wrote:
>
>> Hello Tom,
>>
>> I did what you suggested:
>>
>>>> a) Does everything work if you "shorewall clear" then run this command?
>>>>
>>>> iptables -A FORWARD -j TCPMSS --set-mss 1400
>>>>
>>>> If it doesn't, then the problem has nothing to do with Shorewall
>>>>
>>>>
>> I get an error: "iptables: Unknown error 18446744073709551615"
>>
>> What does that mean? Is my kernel broken?
>> OK - googled for that error and found some discussion in
>> lists.netfilter.org ...
>> but, to be honest, I don't understand/know what to do now.
>>
>>
>
> It's an old bug that has been fixed for months that the "Enterprise"
> distributions are just now encountering.
>
> At any rate, the command I gave you was incomplete. It should have been:
>
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
>
> Sorry for the confusion,
>
> -Tom
>

Tom,

I did shorewall clear and then the command above.
The ipsec tunnel was running all the time; I did ping from "inside" to
"remote" - no replies.
But the packets don't go to the ipsec zone "fil", they are handled in the
all2all chain.
What can I do to further investigate that setup?

BTW - this morning I had to do a complete restart of the firewall system,
a thing I never had to do with shorewall so far. Did not have any error in
var/logs/firewall nor in /var/logs/messages; the system just did not
accept any DNS request, which are just to be NATted and routed to the ISP
over there. - Strange -
Could this hiccup be the result of my faulty ipsec setup?

--
With kind regards,
Philipp Rusch
Philipp Rusch wrote:
> Tom Eastep wrote:
>> Philipp Rusch wrote:
>>
>>> Hello Tom,
>>>
>>> I did what you suggested:
>>>
>>>>> a) Does everything work if you "shorewall clear" then run this command?
>>>>>
>>>>> iptables -A FORWARD -j TCPMSS --set-mss 1400
>>>>>
>>>>> If it doesn't, then the problem has nothing to do with Shorewall
>>>>>
>>>>>
>>> I get an error: "iptables: Unknown error 18446744073709551615"
>>>
>>> What does that mean? Is my kernel broken?
>>> OK - googled for that error and found some discussion in
>>> lists.netfilter.org ...
>>> but, to be honest, I don't understand/know what to do now.
>>>
>>>
>>
>> It's an old bug that has been fixed for months that the "Enterprise"
>> distributions are just now encountering.
>>
>> At any rate, the command I gave you was incomplete. It should have been:
>>
>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
>>
>> Sorry for the confusion,
>>
>> -Tom
>>
> Tom,
>
> I did shorewall clear and then the command above.
> The ipsec tunnel was running all the time; I did ping from "inside" to
> "remote" - no replies.

So FIX THAT FIRST! I'll tell you once more; if it doesn't work without
Shorewall then it isn't going to work with Shorewall. Once you make it work
without Shorewall, THEN if it won't work with Shorewall then we can help
you. Not before.

> But the packets don't go to the ipsec zone "fil", they are handled in the
> all2all chain.
> What can I do to further investigate that setup?

Philipp -- I've told you what to do. My post had 3 steps, the third of which was

c) If you can't solve the problem by looking at your log then please
follow the instructions at http://www.shorewall.net/support.htm#Guidelines

> BTW - this morning I had to do a complete restart of the firewall system,
> a thing I never had to do with shorewall so far. Did not have any error in
> var/logs/firewall nor in /var/logs/messages; the system just did not
> accept any DNS request, which are just to be NATted and routed to the ISP
> over there. - Strange -
> Could this hiccup be the result of my faulty ipsec setup?

How could we possibly know? All we have seen are snippets of your Shorewall
configuration.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Philipp Rusch wrote:
>
>> Tom Eastep wrote:
>>
>>> Philipp Rusch wrote:
>>>
>>>
>>>> Hello Tom,
>>>>
>>>> I did what you suggested:
>>>>
>>>>
>>>>>> a) Does everything work if you "shorewall clear" then run this command?
>>>>>>
>>>>>> iptables -A FORWARD -j TCPMSS --set-mss 1400
>>>>>>
>>>>>> If it doesn't, then the problem has nothing to do with Shorewall
>>>>>>
>>>>>>
>>>>>>
>>>> I get an error: "iptables: Unknown error 18446744073709551615"
>>>>
>>>> What does that mean? Is my kernel broken?
>>>> OK - googled for that error and found some discussion in
>>>> lists.netfilter.org ...
>>>> but, to be honest, I don't understand/know what to do now.
>>>>
>>>>
>>>>
>>> It's an old bug that has been fixed for months that the "Enterprise"
>>> distributions are just now encountering.
>>>
>>> At any rate, the command I gave you was incomplete. It should have been:
>>>
>>> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1400
>>>
>>> Sorry for the confusion,
>>>
>>> -Tom
>>>
>>>
>> Tom,
>>
>> I did shorewall clear and then the command above.
>> The ipsec tunnel was running all the time; I did ping from "inside" to
>> "remote" - no replies.
>>
>
> So FIX THAT FIRST! I'll tell you once more; if it doesn't work without
> Shorewall then it isn't going to work with Shorewall. Once you make it work
> without Shorewall, THEN if it won't work with Shorewall then we can help
> you. Not before.
>
>
>> But the packets don't go to the ipsec zone "fil", they are handled in the
>> all2all chain.
>> What can I do to further investigate that setup?
>>
>
> Philipp -- I've told you what to do. My post had 3 steps, the third of which was
>
> c) If you can't solve the problem by looking at your log then please
> follow the instructions at http://www.shorewall.net/support.htm#Guidelines
>
>
>> BTW - this morning I had to do a complete restart of the firewall system,
>> a thing I never had to do with shorewall so far. Did not have any error in
>> var/logs/firewall nor in /var/logs/messages; the system just did not
>> accept any DNS request, which are just to be NATted and routed to the ISP
>> over there. - Strange -
>> Could this hiccup be the result of my faulty ipsec setup?
>>
>
> How could we possibly know? All we have seen are snippets of your Shorewall
> configuration.
>
> -Tom
>

Tom, I didn't get this mail until now... strange

Regards from Germany,
--
With kind regards,
Philipp Rusch