Dears,

I feel stupid as I could set up my gateway seamlessly years ago and now
I am spending hours trying to set up a more recent one....

I have Shorewall and PopTop server running on the same computer.

I can establish a VPN link, I can ping to and from my client and the file
server (WinNT) on the local subnet but cannot establish any link to shared
files or directories.

Using ethereal I got ICMP error messages back from the Shorewall computer to
the server saying that the host (VPN client) is unreachable; however I CAN
ping it.

My poptop interfaces are in a vpn zone:

    vpn     ppp+    detect

I defined in policy:

    vpn     loc     accept
    loc     vpn     accept
    vpn     $FW     accept
    $FW     vpn     accept

As I need to access the VPN through the Internet and DMZ I have in Tunnels:

    pptpserver      net
    pptpserver      dmz

PopTop is configured with proxyarp.

Feel stupid and getting crazy

------------------------------------------------------------------------------
Open Source Business Conference (OSBC), March 24-25, 2009, San Francisco, CA
-OSBC tackles the biggest issue in open source: Open Sourcing the Enterprise
-Strategies to boost innovation and cut costs with open source participation
-Receive a $600 discount off the registration fee with the source code: SFAD
http://p.sf.net/sfu/XcvMzF8H
Bogaerts@Studiotech.be wrote:
> Dears,
>
> I feel stupid as I could set up my gateway seamlessly years ago and now
> I am spending hours trying to set up a more recent one....
>
> I have Shorewall and PopTop server running on the same computer.
>
> I can establish a VPN link, I can ping to and from my client and the file
> server (WinNT) on the local subnet but cannot establish any link to shared
> files or directories.
>
> Using ethereal I got ICMP error messages back from the Shorewall computer to
> the server saying that the host (VPN client) is unreachable; however I CAN
> ping it.
>
> My poptop interfaces are in a vpn zone:
>
>     vpn     ppp+    detect
>
> I defined in policy:
>
>     vpn     loc     accept
>     loc     vpn     accept
>     vpn     $FW     accept
>     $FW     vpn     accept
>
> As I need to access the VPN through the Internet and DMZ I have in Tunnels:
>
>     pptpserver      net
>     pptpserver      dmz
>
> PopTop is configured with proxyarp.
>
> Feel stupid and getting crazy

I see that you are running SuSE and that there are no Shorewall messages in
/var/log/messages even though there are log messages being generated.
Please:

a) Set LOGFILE=/var/log/firewall in shorewall.conf so that if you send
   another dump, we can see the messages. Also, it will allow you to look
   at the log with the 'shorewall show log' and 'shorewall logwatch'
   commands.

b) Look at /var/log/firewall when your VPN connections are failing and see
   if there are any new messages appearing in that file. If there are,
   please forward a copy to the list.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep.  Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Bogaerts@Studiotech.be wrote:
> Dears,
>
> I feel stupid as I could set up my gateway seamlessly years ago and now
> I am spending hours trying to set up a more recent one....
>
> I have Shorewall and PopTop server running on the same computer.
>
> I can establish a VPN link, I can ping to and from my client and the file
> server (WinNT) on the local subnet but cannot establish any link to shared
> files or directories.
>
> Using ethereal I got ICMP error messages back from the Shorewall computer to
> the server saying that the host (VPN client) is unreachable; however I CAN
> ping it.
>
> My poptop interfaces are in a vpn zone:
>
>     vpn     ppp+    detect
>
> I defined in policy:
>
>     vpn     loc     accept
>     loc     vpn     accept
>     vpn     $FW     accept
>     $FW     vpn     accept
>
> As I need to access the VPN through the Internet and DMZ I have in Tunnels:
>
>     pptpserver      net
>     pptpserver      dmz
>
> PopTop is configured with proxyarp.
>
> Feel stupid and getting crazy

Are you trying to access the shares by name? If so, you need AD, WINS or
a PDC.

-Tom
Tom Eastep wrote:
> Bogaerts@Studiotech.be wrote:
>> Dears,
>>
>> I feel stupid as I could set up my gateway seamlessly years ago and now
>> I am spending hours trying to set up a more recent one....
>>
>> I have Shorewall and PopTop server running on the same computer.
>>
>> I can establish a VPN link, I can ping to and from my client and the file
>> server (WinNT) on the local subnet but cannot establish any link to shared
>> files or directories.
>>
>> Using ethereal I got ICMP error messages back from the Shorewall computer to
>> the server saying that the host (VPN client) is unreachable; however I CAN
>> ping it.
>>
>> My poptop interfaces are in a vpn zone:
>>
>>     vpn     ppp+    detect
>>
>> I defined in policy:
>>
>>     vpn     loc     accept
>>     loc     vpn     accept
>>     vpn     $FW     accept
>>     $FW     vpn     accept
>>
>> As I need to access the VPN through the Internet and DMZ I have in Tunnels:
>>
>>     pptpserver      net
>>     pptpserver      dmz
>>
>> PopTop is configured with proxyarp.
>>
>> Feel stupid and getting crazy
>
> Are you trying to access the shares by name? If so, you need AD, WINS or
> a PDC.

In looking at this again this morning, I think I understand what the
problem is. Your PREROUTING rules are ALWAYS setting a mark on traffic
from eth0. So all traffic coming in on that interface will use one of the
secondary routing tables. These tables do not contain entries for the PPTP
clients.

You need a routing rule at the 1000 priority that causes traffic to the
range of addresses assigned by poptop to use the main routing table.
Hopefully, you have assigned a subnet rather than a range with boundaries
divisible by 5 or 10 because route_rules don't accept IP ranges.

-Tom
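Tom's diagnosis above, as an added example that is not code from this thread, from Shorewall or from pptpd: a small Python model of the kernel's policy-routing lookup (rules walked in priority order, each pointing at a table) using constructed addresses (eth0 = loc 192.168.1.0/24, eth1 = net 203.0.113.0/24, one PPTP client at 10.0.5.2 reached through ppp0, mark value 1 on traffic from eth0; none of these values come from the thread). With only the provider's fwmark rule, the file server's reply is routed by the provider table, which knows nothing about ppp0; a rule at priority 1000 that sends the PPTP block to the main table, the route_rules entry Tom suggests (in the SOURCE/DEST/PROVIDER/PRIORITY columns of /etc/shorewall/route_rules that is `-  10.0.5.0/24  main  1000`, with the subnet a constructed value), restores the return path. The second half turns a pptpd remoteip range into CIDR blocks, which is why a range that is not a subnet costs several route_rules entries while the subnet enclosing it needs one.

```python
"""Policy-routing model for the PPTP return-path problem in this thread.

Added example (not code from the thread, Shorewall or pptpd). It simulates
`ip rule` / `ip route` lookup order with constructed addresses, then shows
how a pptpd remoteip range maps onto the CIDR entries route_rules needs.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass(frozen=True)
class Rule:
    """One `ip rule` entry: lower pref wins; a None selector matches everything."""
    pref: int
    table: str
    fwmark: Optional[int] = None        # match packets carrying this mark
    to: Optional[IPv4Network] = None    # match destinations inside this prefix


def lookup(table, dst):
    """Longest-prefix match in one routing table; returns the egress device or None."""
    best = None
    for net, dev in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules, tables, dst, fwmark=0):
    """Walk the rules in pref order; the first table that holds a route decides."""
    dst = ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.pref):
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        if rule.to is not None and dst not in rule.to:
            continue
        dev = lookup(tables[rule.table], dst)
        if dev is not None:
            return dev
    return "unreachable"


# Constructed topology (assumed, not from the thread): eth0 = loc, eth1 = net,
# ppp0 = one connected PPTP client. The provider table knows only its own link
# and a default route, which is the "secondary routing table" Tom describes.
VPN_SUBNET = IPv4Network("10.0.5.0/24")
TABLES = {
    "main": [
        (IPv4Network("192.168.1.0/24"), "eth0"),
        (IPv4Network("203.0.113.0/24"), "eth1"),
        (IPv4Network("10.0.5.2/32"), "ppp0"),     # host route pppd added for the client
        (IPv4Network("0.0.0.0/0"), "eth1"),
    ],
    "isp": [
        (IPv4Network("203.0.113.0/24"), "eth1"),
        (IPv4Network("0.0.0.0/0"), "eth1"),
    ],
}
MARK_FROM_ETH0 = 1   # the PREROUTING mark the tcrules put on everything from eth0

BROKEN_RULES = [
    Rule(pref=10000, table="isp", fwmark=MARK_FROM_ETH0),  # provider rule
    Rule(pref=32766, table="main"),                         # kernel's default main rule
]
# The fix from the thread: a priority-1000 rule sending the PPTP block to the
# main table before the fwmark rule is consulted.
FIXED_RULES = [Rule(pref=1000, table="main", to=VPN_SUBNET)] + BROKEN_RULES


def reply_device(rules, client_ip="10.0.5.2"):
    """Device the file server's reply (marked on entry via eth0) leaves on."""
    return route(rules, TABLES, client_ip, fwmark=MARK_FROM_ETH0)


def route_rules_entries(first, last):
    """CIDR blocks covering a remoteip range; each one needs its own route_rules line."""
    return [str(n) for n in ipaddress.summarize_address_range(
        IPv4Address(first), IPv4Address(last))]


def covering_prefix(first, last):
    """Smallest single prefix that contains the whole range."""
    a, b = IPv4Address(first), IPv4Address(last)
    net = IPv4Network(f"{a}/32")
    while b not in net:
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    print("reply, fwmark rule only  :", reply_device(BROKEN_RULES))  # eth1: toward the ISP
    print("reply, with pref-1000 rule:", reply_device(FIXED_RULES))  # ppp0
    print("remoteip 10.0.5.10-20 needs:", route_rules_entries("10.0.5.10", "10.0.5.20"))
    print("enclosing subnet           :", covering_prefix("10.0.5.10", "10.0.5.20"))
```

The model only reports the egress device; whether a real box forwards the reply toward the ISP or answers with the ICMP unreachable seen in the poster's capture depends on what else the provider table holds, which the thread does not show. Routing the enclosing subnet to the main table is only safe when no other host uses addresses in it.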
Dears,

After debugging for hours I have a more precise view of the problem.

As soon as TC is enabled I have the problem.
For testing I don't change shorewall.conf, just commenting entries in
"providers" (TC_ENABLED=internal).

Problem description:
All packets sent to a destination from ppp+ are well routed but no packets
come back to the initiator.
There are no errors in the logs (syslog - shorewall).
ICMP packets are well routed; I can ping the other party from either side.

Enabling debug for rules doesn't show anything; I can see traffic from ppp+
and nothing else.

I used ethereal on the target and have the following:

    ppp to target       microsoft-ds init (tcp 445)
    target to ppp       microsoft-ds reply (tcp 445)
    then from shorewall computer <<ICMP destination unreachable>>

Looking forward to hearing from you soon.

Jean-Francois Bogaerts

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday 3 March 2009 23:51
To: Shorewall Users
Subject: Re: [Shorewall-users] PopTop server issue
Bogaerts@Studiotech.be wrote:
> Dears,
>
> After debugging for hours I have a more precise view of the problem.
>
> As soon as TC is enabled I have the problem.
> For testing I don't change shorewall.conf, just commenting entries in
> "providers" (TC_ENABLED=internal).
>
> Problem description:
> All packets sent to a destination from ppp+ are well routed but no packets
> come back to the initiator.
> There are no errors in the logs (syslog - shorewall).
> ICMP packets are well routed; I can ping the other party from either side.
>
> Enabling debug for rules doesn't show anything; I can see traffic from ppp+
> and nothing else.
>
> I used ethereal on the target and have the following:
>
>     ppp to target       microsoft-ds init (tcp 445)
>     target to ppp       microsoft-ds reply (tcp 445)
>     then from shorewall computer <<ICMP destination unreachable>>

Please see my last post in this thread.

-Tom
Dear Tom,

Your message crossed mine where I gave the result of my debugging hours :-(

Indeed adding the route rule solved the problem.

You are a Master, having figured this out without extra input.

MANY THANKS

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday 4 March 2009 16:54
To: Shorewall Users
Subject: Re: [Shorewall-users] PopTop server issue