Hi everyone,

SuSE Linux Enterprise Server SP3, completely patched, with kernel 2.6.16.60. OpenSwan 2.4.4 is on the firewall machine and terminating 12 IPSEC VPN tunnels, so the IPSEC gateway is on the firewall system. Shorewall is version 4.4.2.2. On the other side is various equipment (Cisco, Lucent, Fortinet and Zyxel firewalls); with all of them I have IPSEC LAN-to-LAN routed (no NAT) tunnels (PSK).

From 1 Cisco and 2 Fortinet firewalls I noticed in the logs that Shorewall is blocking UDP packets, port 500, from the WAN IPs of those routers to my firewall's WAN port, also UDP port 500. The log looks like this (actual IPs changed):

  -(lan)-Shorewall-(INT zone, eth1)- 1.1.1.1 ..... 2.2.2.2 -(wan)-Fortigate-(lan)-

  May 21 15:21:23 FW kernel: Shorewall:INT2fw:DROP:IN=eth1 OUT= MAC=XXX SRC=2.2.2.2 DST=1.1.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=54 ID=22964 PROTO=UDP SPT=500 DPT=500 LEN=76

Why is Shorewall blocking those packets? IPSEC VPN is configured 100% according to the documentation at http://www.shorewall.net/IPSEC-2.6.html. Tunnels are configured as I described; shouldn't those ports always be open for my and the other routers' WAN IPs for UDP on port 500?

I can provide config (tunnels, zones, hosts) files for shorewall and openswan (ipsec.conf/ipsec.secrets) if needed.

Thanks, regards

--
Ivica Glavočić
Laser Line d.o.o.
Tribje 17, 52470 Umag
tel.: +385 52 725 600
fax: +385 52 725 610
OIB: 26680017138
mail: ivica.glavocic@laserline.hr
mail: sys@laserline.hr
web: http://www.laserline.hr
On 5/21/10 8:00 AM, Ivica Glavocic wrote:
> I can provide config (tunnels, zones, hosts) files for shorewall and
> openswan (ipsec.conf/ipsec.secrets) if needed.

Instead, how about supplying what we ask for at
http://www.shorewall.net/support.htm#Guidelines (output of 'shorewall dump'
taken after the connection fails).

-Tom
--
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
Thank you for the reply. I know about the Problem Reporting Guidelines, but since this is a border firewall in a production environment, I would avoid using real IP addresses and rules if possible; that's why shorewall dump is risky for me in terms of security and the reason why I changed those values in the initial mail.

Is there any other method to send you the information you need but with fake IPs, just to demonstrate what the problem is?

Thanks, regards

Ivica Glavocic

On 21.5.2010 19:53, Tom Eastep wrote:
> On 5/21/10 8:00 AM, Ivica Glavocic wrote:
>> I can provide config (tunnels, zones, hosts) files for shorewall and
>> openswan (ipsec.conf/ipsec.secrets) if needed.
>
> Instead, how about supplying what we ask for at
> http://www.shorewall.net/support.htm#Guidelines (output of 'shorewall
> dump' taken after the connection fails).
>
> -Tom
Ivica Glavocic wrote:
> Thank you for the reply. I know about the Problem Reporting Guidelines, but
> since this is a border firewall in a production environment, I would avoid
> using real IP addresses and rules if possible; that's why shorewall dump is
> risky for me in terms of security and the reason why I changed those values
> in the initial mail.
>
> Is there any other method to send you the information you need but with fake
> IPs, just to demonstrate what the problem is?

No. But it sounds like you have a missing or incorrect entry in /etc/shorewall/tunnels.

-Tom
I double checked it, should be OK. Nevertheless, here are all relevant Shorewall config files with changed IPs:

My system: WAN interface eth1, zone INT, IP 1.1.1.1, tunnel in its own zone VPNit
Remote system: Fortigate WAN IP 2.2.2.2, LAN 10.0.0.0/16

/etc/shorewall/zones
INT     ipv4
VPNit   ipv4

/etc/shorewall/interfaces
INT     eth1

/etc/shorewall/policy
LAN     VPNit   ACCEPT  info

/etc/shorewall/tunnels
ipsec   INT     1.1.1.1

/etc/shorewall/hosts
VPNit   eth1:10.0.0.0/16,2.2.2.2   ipsec

The tunnel is up and running and all looks OK until packets arrive on the firewall with source 2.2.2.2:500, destination 1.1.1.1:500; they are dropped (that is the question: why?) and after some time (2-3 hours) the remote router detects a dead tunnel and communication through it stops. On my side the tunnel looks perfectly OK. ipsec.conf and ipsec.secrets are OK from the start; the tunnel is up and running until the firewall starts blocking it.

Thanks, regards

Ivica Glavocic

On 24.5.2010 15:26, Tom Eastep wrote:
> Ivica Glavocic wrote:
>> Thank you for the reply. I know about the Problem Reporting Guidelines, but
>> since this is a border firewall in a production environment, I would avoid
>> using real IP addresses and rules if possible; that's why shorewall dump is
>> risky for me in terms of security and the reason why I changed those values
>> in the initial mail.
>>
>> Is there any other method to send you the information you need but with fake
>> IPs, just to demonstrate what the problem is?
>
> No. But it sounds like you have a missing or incorrect entry in
> /etc/shorewall/tunnels.
>
> -Tom
On 5/24/10 7:13 AM, Ivica Glavocic wrote:
> I double checked it, should be OK. Nevertheless, here are all relevant
> Shorewall config files with changed IPs:
>
> My system: WAN interface eth1, zone INT, IP 1.1.1.1, tunnel in its own
> zone VPNit
> Remote system: Fortigate WAN IP 2.2.2.2, LAN 10.0.0.0/16
>
> /etc/shorewall/zones
> INT     ipv4
> VPNit   ipv4
>
> /etc/shorewall/interfaces
> INT     eth1
>
> /etc/shorewall/policy
> LAN     VPNit   ACCEPT  info
>
> /etc/shorewall/tunnels
> ipsec   INT     1.1.1.1
                  -------
Should be 2.2.2.2

-Tom
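As an added illustration (not from the thread and not a Shorewall tool), here is a small POSIX shell check that reads a Shorewall tunnels file and flags ipsec entries whose GATEWAY column is one of the firewall's own addresses, which is exactly the mistake above (local 1.1.1.1 where the remote 2.2.2.2 belongs). The function name, the constructed sample file and the hard-coded list of local addresses are assumptions; nothing here touches the live configuration.

```shell
#!/bin/sh
# Constructed example, not a Shorewall tool: scan a Shorewall tunnels file
# (columns: TYPE ZONE GATEWAY [GATEWAY_ZONES]) for ipsec-type entries whose
# GATEWAY is one of this host's own addresses. GATEWAY must name the remote
# IPsec endpoint; with a local address there the tunnel rules match the wrong
# peer and the real peer's UDP 500 packets fall through to the zone policy,
# which is what the INT2fw DROP in the thread shows.
#
# check_tunnels FILE "IP1 IP2 ..."  -> prints each bad entry, returns 1 if any.
# The address list is an assumption; on a real box it would come from
#   ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
check_tunnels() {
    file=$1
    local_ips=$2
    bad=0
    while read -r type zone gateway rest; do
        case "$type" in
            ''|\#*) continue ;;      # blank line or comment
            ipsec*) ;;               # ipsec, ipsecnat and their :noah/:ah forms
            *) continue ;;           # other tunnel types are not checked here
        esac
        for ip in $local_ips; do
            if [ "$gateway" = "$ip" ]; then
                echo "tunnels: '$type $zone $gateway' uses local address $ip as GATEWAY;" \
                     "expected the remote IPsec endpoint"
                bad=1
            fi
        done
    done < "$file"
    return "$bad"
}

# Constructed demo using the thread's (already changed) addresses.
demo=$(mktemp)
printf '#TYPE\tZONE\tGATEWAY\nipsec\tINT\t1.1.1.1\n' > "$demo"
if check_tunnels "$demo" "1.1.1.1 10.1.1.1"; then
    echo "tunnels file looks consistent"
else
    echo "fix: replace the local address with the remote gateway, e.g. 'ipsec INT 2.2.2.2'"
fi
rm -f "$demo"
```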
On 24.5.2010 16:18, Tom Eastep wrote:
> On 5/24/10 7:13 AM, Ivica Glavocic wrote:
>> I double checked it, should be OK. Nevertheless, here are all relevant
>> Shorewall config files with changed IPs:
>>
>> /etc/shorewall/tunnels
>> ipsec   INT     1.1.1.1
>                   -------
> Should be 2.2.2.2

I missed it, you are right, it really should be the IP of the remote endpoint. I changed it for all tunnels; everything seems to be working fine now, no more logged drops.

Thank you very much for assistance.

Regards
Ivica Glavocic