I have been struggling with a problem with an ipsec/l2tp vpn server on my firewall for a long time. The user will tell Windows to connect, and they connect to the ipsec just fine, connect to l2tpd just fine, get an ip from pppd just fine. However once the ppp interface comes up on the server, ipsec starts to spit this message out:

Mar 3 21:59:26 firewall pluto[5135]: ERROR: asynchronous network error report on br0 (sport=4500) for message to 155.97.239.238 port 4500, complainant ***.***.103.174: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]

I see that twice and the tunnel comes down. Another thing I have noticed is that I can ping 155.97.239.238 before the connection attempt and after the tunnel is torn down. However when the connection has been established, I can't ping that IP; I see the same message the ipsec server spits out, "No route to host". So I did the logical thing and checked the routing table before, during and after a connection and this is what I saw.

before and after:

    default          ***-***-103-161.  255.255.255.240  UG  0 0 0 br0
    localnet         *                 255.255.255.240  U   0 0 0 br0
    192.168.2.0      *                 255.255.255.0    U   0 0 0 bond0.101
    192.168.1.0      *                 255.255.255.0    U   0 0 0 bond0.103
    192.168.0.0      *                 255.255.255.0    U   0 0 0 bond0.100
    default          ***-***-103-161.  0.0.0.0          UG  0 0 0 br0

during:

    re-east-2-238.   *                 255.255.255.255  UH  0 0 0 br0
    192.168.0.248    *                 255.255.255.255  UH  0 0 0 ppp0
    default          ***-***-103-161.  255.255.255.240  UG  0 0 0 br0
    localnet         *                 255.255.255.240  U   0 0 0 br0
    192.168.2.0      *                 255.255.255.0    U   0 0 0 bond0.101
    192.168.1.0      *                 255.255.255.0    U   0 0 0 bond0.103
    192.168.0.0      *                 255.255.255.0    U   0 0 0 bond0.100
    default          ***-***-103-161.  0.0.0.0          UG  0 0 0 br0

re-east-2-238 is the rdns for the client. So the only thing that I can come up with is that the first route that gets added (by ppp or by the firewall?) is breaking everything. But I have no idea where it's coming from. Can anyone help? Here are my configs for the firewall for vpn.
hosts:

    vpn    br0:0.0.0.0/0

interfaces:

    loc    ppp+    detect    <-- is this right?

tunnels:

    ipsec       net    0.0.0.0/0    vpn
    ipsecnat    net    0.0.0.0/0    vpn

zones:

    vpn    ipsec
    loc    ipv4

rules:

    ACCEPT    $FW    vpn    udp    1701
    ACCEPT    vpn    $FW    udp    1701
    ACCEPT    net    $FW    udp    4500

Oh, and one more odd thing about this vpn: when I'm on the ***-***-103-161. 255.255.255.240 subnet (so outside the firewall but still on our own public ip space), the vpn works like a charm, no problems at all (which is also why this problem is so confusing).

Thanks for your time
Andrew T.

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Andrew Tolboe wrote:
> Thanks for your time

Please start by reading http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP. Your configuration looks nothing like what is recommended there.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
On Fri, Mar 07, 2008 at 06:36:15PM -0700, Andrew Tolboe wrote:
> I have been struggling with a problem with a ipsec/l2tp vpn server on my
> firewall for a long time. The user will tell windows to connect, and
> they connect to the ipsec just fine, connect to l2tpd just fine, get a
> ip from pppd just fine. However once the ppp interface comes up on the
> server ipsec starts to spit this message out
>
> Mar 3 21:59:26 firewall pluto[5135]: ERROR: asynchronous network error
> report on br0 (sport=4500) for message to 155.97.239.238 port 4500,
> complainant ***.***.103.174: No route to host [errno 113, origin ICMP
> type 3 code 1 (not authenticated)]

As Tom pointed out, please read the documentation on this: http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP

If you still have trouble let us know.

> Oh, and one more odd thing about this vpn, when i'm on the
> ***-***-103-161. 255.255.255.240 subnet (so outside the firewall but
> still on our own public ip space). The vpn works like a charm, no
> problems at all (which is also why this problem is so confusing).

Do you have NAT-Traversal enabled on your VPN?

Also, please run the 'route' command with the -n option so that we only get addresses and not host names.

Also, please quit mangling the IP addresses in the way that you are doing, as it just makes the output more difficult and annoying to read. You do not gain anything in the way of security. Besides, 166.70.103.174 is much easier to read than is ***.***.103.174.

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tom Eastep wrote:
> Andrew Tolboe wrote:
>> Thanks for your time
>
> Please start by reading http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP.
> Your configuration looks nothing like what is recommended there.
>
> -Tom

Sorry I didn't catch that on the website, I had been looking around the website a month or two ago trying to initially set this up and don't remember seeing that in the VPN section. Anyway, I applied everything on the l2tp section there and I have exactly the same results.

Thanks
-Andrew
On Fri, Mar 07, 2008 at 10:12:47PM -0700, Andrew Tolboe wrote:
> Sorry I didn't catch that on the website, I had been looking around the
> website a month or two ago trying to initially set this up and don't
> remember seeing that in the VPN section. Anyway, I applied everything
> on the l2tp section there and I have exactly the same results.

OK. If you implemented the configuration as documented and you have NAT-T enabled, then I am not really sure. Can you start by sending (off-list if you prefer) your configurations for ipsec, l2tp and shorewall?

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Andrew Tolboe wrote:
> Sorry I didn't catch that on the website, I had been looking around the
> website a month or two ago trying to initially set this up and don't
> remember seeing that in the VPN section. Anyway, I applied everything
> on the l2tp section there and I have exactly the same results.

Then you need to read the website more: http://www.shorewall.net/support.htm for example.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Andrew Tolboe wrote:
>> Sorry I didn't catch that on the website, I had been looking around the
>> website a month or two ago trying to initially set this up and don't
>> remember seeing that in the VPN section. Anyway, I applied everything
>> on the l2tp section there and I have exactly the same results.
>
> Then you need to read the website more: http://www.shorewall.net/support.htm
> for example.
>
> -Tom

Tom,

I did read that page, and I read most everything in the 3.x documentation (definitively everything to do with vpn) and support. Perhaps on your website you should note that there is 3.x documentation in the 4.x documentation. I have only been polite and I really don't need help from someone who is going to be rude.

Later
Andrew
On Sat, Mar 08, 2008 at 01:26:42AM -0700, Andrew Tolboe wrote:
> I did read that page, and I read most everything in the 3.x
> documentation (definitively everything to do with vpn) and support.
> Perhaps on your website you should note that there is 3.x documentation
> in the 4.x documentation. I have only been polite and I really don't
> need help from someone who is going to be rude.

I am doubtful that you read that page. If so, you would have forwarded the shorewall dump output as requested in the support guidelines.

Regards,
-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Andrew Tolboe wrote:
> I did read that page, and I read most everything in the 3.x
> documentation (definitively everything to do with vpn) and support.
> Perhaps on your website you should note that there is 3.x documentation
> in the 4.x documentation. I have only been polite and I really don't
> need help from someone who is going to be rude.

It was not my intention to be rude. But "I followed the instructions and it didn't work" gives us nothing to help us solve your problem. The "shorewall dump" facility has evolved over the years to the point that we can solve almost any Shorewall problem (and many network configuration problems) by looking at the output. As mentioned on the support page, if you are squeamish about posting your detailed firewall information on the mailing list, you can forward the dump to support@shorewall.net. But please keep the conversation here on the list so others may benefit from your experience.

As to the organization of the web site, if you go to www.shorewall.net and click on the 'Documentation' link in the left-hand frame, it will be abundantly clear that there is separate 3.x and 4.x documentation. If you use a search engine to go directly to an article, the organization may not be clear. C'est la vie.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key