David López Zajara (Er_Maqui)
2010-Sep-14 15:05 UTC
[HELP REQUEST]: Connecting multiple VPN interfaces
Hi,

It's my first time writing on the list, for one question:

If this isn't the correct place, please tell me and ignore the message.

I have multiple Shorewall installations configured across my networks, but I have one problem with one of them. First, a schema:

  ------------      ------------
  |          |      |          |
  |   VPN1   |      |   VPN2   |
  |          |      |          |
  ------------      ------------
        |                |
  ------------      ------------
  |          |      |          |
  |    FW    |------|   eth0   |
  |          |      |          |
  ------------      ------------
        |                |
  ------------      ------------
  |          |      |          |
  |   VPN3   |      |   VPN4   |
  |          |      |          |
  ------------      ------------

The concept is simple. I have 4 VPN connections, and one LAN on eth0.

All VPNs can connect to the LAN, and the LAN can connect to the VPNs.

My problem is when I try to send a packet from one VPN to another. The machines have the routes configured correctly, but the FW rejects these packets.

My configuration is:

zones:
    PPTP ipv4
interfaces:
    PPTP ppp+
policy:
    PPTP all ACCEPT

But when I try to send a ping from VPN1 to VPN2, I receive this log on the FW:

Sep 14 16:57:35 fw kernel: [12250627.652278] Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp2 SRC=192.168.101.202 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2538 SEQ=1

I don't know what the problem is, but I need to allow forwarded traffic between the ppp interfaces. I've tried to declare each interface with this config:

/etc/shorewall/zones:

#ZONE   TYPE
vpn1    ipv4
vpn2    ipv4
vpn3    ipv4

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
-       ppp+

/etc/shorewall/hosts:

#ZONE   HOST(S)                 OPTIONS
vpn1    ppp+:192.168.1.0/24
vpn2    ppp+:192.168.2.0/24
vpn3    ppp+:192.168.3.0/24

(Obviously changing the IP configuration)

And adding:

policy:
    VPN1 all ACCEPT
    VPN2 all ACCEPT
    VPN3 all ACCEPT

But in this case, I can connect FW->VPN, but the reverse case doesn't work (VPN->FW). Obviously, the communication between VPNs doesn't work either.

Thanks,

http://maqui.darkbolt.net/
Linux registered user ~#363219
PGP keys available at KeyServ. ID: 0x4233E9F2
We men are slaves of history

------------------------------------------------------------------------------
Start uncovering the many advantages of virtual appliances
and start using them to simplify application deployment and
accelerate your shift to cloud computing.
http://p.sf.net/sfu/novell-sfdev2dev
On 9/14/10 8:05 AM, David López Zajara (Er_Maqui) wrote:
> Hi,
>
> It's my first time writing on the list, for one question:
>
> If this isn't the correct place, please tell me and ignore the message.
>
> I have multiple Shorewall installations configured across my networks, but I have one
> problem with one of them:
> First, a schema:
>
>   ------------      ------------
>   |          |      |          |
>   |   VPN1   |      |   VPN2   |
>   |          |      |          |
>   ------------      ------------
>         |                |
>   ------------      ------------
>   |          |      |          |
>   |    FW    |------|   eth0   |
>   |          |      |          |
>   ------------      ------------
>         |                |
>   ------------      ------------
>   |          |      |          |
>   |   VPN3   |      |   VPN4   |
>   |          |      |          |
>   ------------      ------------
>
> The concept is simple. I have 4 VPN connections, and one LAN on eth0.
>
> All VPNs can connect to the LAN, and the LAN can connect to the VPNs.
>
> My problem is when I try to send a packet from one VPN to another. The
> machines have the routes configured correctly, but the FW rejects these
> packets.
>
> My configuration is:
>
> zones:
>     PPTP ipv4
> interfaces:
>     PPTP ppp+
> policy:
>     PPTP all ACCEPT
>
> But when I try to send a ping from VPN1 to VPN2, I receive this log on the
> FW:
> Sep 14 16:57:35 fw kernel: [12250627.652278]
> Shorewall:FORWARD:REJECT:IN=ppp0 OUT=ppp2 SRC=192.168.101.202
> DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8
> CODE=0 ID=2538 SEQ=1
> I don't know what the problem is, but I need to allow forwarded traffic between
> the ppp interfaces. I've tried to declare each interface with this config:

192.168.101.202 is not in any of your defined zones.

> /etc/shorewall/zones:
>
> #ZONE   TYPE
> vpn1    ipv4
> vpn2    ipv4
> vpn3    ipv4
>
> /etc/shorewall/interfaces:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> -       ppp+
>
> /etc/shorewall/hosts:
>
> #ZONE   HOST(S)                 OPTIONS
> vpn1    ppp+:192.168.1.0/24
> vpn2    ppp+:192.168.2.0/24
> vpn3    ppp+:192.168.3.0/24
>
> (Obviously changing the IP configuration)

WHY? IP addresses are not secrets!

Hiding your real addresses just slows down the solution to your problem.
As I mentioned above, 192.168.101.202 isn't in any of your zones. That
would cause the message that you are seeing, but I suspect you just
messed up changing the addresses.

> And adding:
>
> policy:
>     VPN1 all ACCEPT
>     VPN2 all ACCEPT
>     VPN3 all ACCEPT
>
> But in this case, I can connect FW->VPN, but the reverse case doesn't work
> (VPN->FW). Obviously, the communication between VPNs doesn't work either.

You can try adding the 'routeback' option to each of your entries in
/etc/shorewall/hosts. But with the information you have given us, it's
hard to know exactly what the problem is.

If that doesn't correct the problem, please follow the instructions at
http://www.shorewall.net/support.htm#Guidelines when posting a follow-up
report.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
David López Zajara (Er_Maqui)
2010-Sep-14 16:31 UTC
Re: [HELP REQUEST]: Connecting multiple VPN interfaces
Well,

My actual running configuration is this:

zones:
    PPTP ipv4
interfaces:
    PPTP ppp+
policy:
    PPTP all ACCEPT

The hosts file is empty. I didn't change the IP addresses because these lines are from the Shorewall manual; I've tried with them. But at the moment of writing the mail, this config is disabled.

I'm attaching the dump.

Regards,

http://maqui.darkbolt.net/
Linux registered user ~#363219
PGP keys available at KeyServ. ID: 0x4233E9F2
We men are slaves of history

On Tue, Sep 14, 2010 at 17:28, Tom Eastep <teastep@shorewall.net> wrote:
> On 9/14/10 8:05 AM, David López Zajara (Er_Maqui) wrote:
> > I don't know what the problem is, but I need to allow forwarded traffic between
> > the ppp interfaces. I've tried to declare each interface with this config:
>
> 192.168.101.202 is not in any of your defined zones.
>
> > (Obviously changing the IP configuration)
>
> WHY? IP addresses are not secrets!
>
> Hiding your real addresses just slows down the solution to your problem.
> As I mentioned above, 192.168.101.202 isn't in any of your zones. That
> would cause the message that you are seeing, but I suspect you just
> messed up changing the addresses.
>
> > But in this case, I can connect FW->VPN, but the reverse case doesn't work
> > (VPN->FW). Obviously, the communication between VPNs doesn't work either.
>
> You can try adding the 'routeback' option to each of your entries in
> /etc/shorewall/hosts. But with the information you have given us, it's
> hard to know exactly what the problem is.
>
> If that doesn't correct the problem, please follow the instructions at
> http://www.shorewall.net/support.htm#Guidelines when posting a follow-up
> report.
>
> Thanks,
> -Tom
David López Zajara (Er_Maqui)
2010-Sep-14 16:47 UTC
Re: [HELP REQUEST]: Connecting multiple VPN interfaces
Ok, setting the routeback parameter on interfaces is working fine. My running (and OK) configuration now is:

interfaces:
    PPTP ppp+ - routeback

Thanks for all.

http://maqui.darkbolt.net/
Linux registered user ~#363219
PGP keys available at KeyServ. ID: 0x4233E9F2
We men are slaves of history
On 09/14/2010 09:31 AM, David López Zajara (Er_Maqui) wrote:
> Well,
>
> My actual running configuration is this:
> zones:
>     PPTP ipv4
> interfaces:
>     PPTP ppp+

You need to add the 'routeback' option on this entry. That will eliminate this problem:

Sep 14 18:28:07 FORWARD:REJECT:IN=ppp0 OUT=ppp2 SRC=192.168.101.202 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2628 SEQ=2

> policy:
>     PPTP all ACCEPT
>
> The hosts file is empty. I didn't change the IP addresses because these
> lines are from the Shorewall manual; I've tried with them. But at the moment of
> writing the mail, this config is disabled.
>
> I'm attaching the dump.

That leaves these:

Sep 14 18:26:02 FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.100.11 DST=192.168.101.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=13082 DF PROTO=TCP SPT=3781 DPT=3817 WINDOW=65535 RES=0x00 SYN URGP=0

192.168.101.5 is routed out of eth2 yet this packet arrived on eth2. So 172.16.100.11 seems to think that the Shorewall box has a route to 192.168.101.5. It does but it is back out of eth2.

Your routing table:

192.168.101.204 dev ppp2 proto kernel scope link src 192.168.101.201
192.168.101.202 dev ppp0 proto kernel scope link src 192.168.101.201
80.16.220.192/28 dev eth0 proto kernel scope link src 80.16.220.200
192.168.100.0/24 dev ppp2 scope link
192.168.101.0/24 dev eth2 proto kernel scope link src 192.168.101.200   <=
192.168.102.0/24 dev eth3 proto kernel scope link src 192.168.102.200
192.168.0.0/24 dev ppp0 scope link
172.16.100.0/22 dev eth2 proto kernel scope link src 172.16.100.200
default via 80.16.220.198 dev eth0

So if you really want that to work, you need 'routeback' on eth2 as well.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
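The two diagnoses Tom makes in this thread (a source address that falls in no defined zone, and a packet that leaves through the same interfaces entry, or the very same interface, it arrived on, which Shorewall only forwards when that entry carries 'routeback') can be checked mechanically against the REJECT lines and the routing table. The Python script below is an added example, not code from the thread or from the Shorewall project. It embeds the two REJECT lines and the `ip route` output Tom quoted as constructed sample input, recomputes the egress interface by longest-prefix match, resolves the zone of SRC and DST against interfaces/hosts definitions in the shape of the poster's files, and names the entry that needs 'routeback'. Placing eth2 in a zone called "loc" is an assumption (the thread never names eth2's zone); for zones defined in /etc/shorewall/hosts the option belongs on the hosts entries, as Tom advised, and the script reports the interface pattern those entries share.

```python
import ipaddress
import re

# Constructed sample input: the two REJECT lines and the routing table quoted in the thread.
LOG_TEXT = """\
Sep 14 18:28:07 FORWARD:REJECT:IN=ppp0 OUT=ppp2 SRC=192.168.101.202 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2628 SEQ=2
Sep 14 18:26:02 FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=172.16.100.11 DST=192.168.101.5 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=13082 DF PROTO=TCP SPT=3781 DPT=3817 WINDOW=65535 RES=0x00 SYN URGP=0
"""
ROUTE_TEXT = """\
192.168.101.204 dev ppp2 proto kernel scope link src 192.168.101.201
192.168.101.202 dev ppp0 proto kernel scope link src 192.168.101.201
80.16.220.192/28 dev eth0 proto kernel scope link src 80.16.220.200
192.168.100.0/24 dev ppp2 scope link
192.168.101.0/24 dev eth2 proto kernel scope link src 192.168.101.200
192.168.102.0/24 dev eth3 proto kernel scope link src 192.168.102.200
192.168.0.0/24 dev ppp0 scope link
172.16.100.0/22 dev eth2 proto kernel scope link src 172.16.100.200
default via 80.16.220.198 dev eth0
"""

# /etc/shorewall/interfaces as (zone, interface). The PPTP entry is the poster's running
# config; assigning eth2 to a zone named "loc" is an assumption made for this example.
INTERFACES = [("PPTP", "ppp+"), ("loc", "eth2")]
HOSTS = []  # the poster's hosts file is empty

# The poster's abandoned second attempt: no zone on ppp+, zones defined per network in hosts.
INTERFACES_HOSTS_VARIANT = [("-", "ppp+"), ("loc", "eth2")]
HOSTS_VARIANT = [
    ("vpn1", "ppp+:192.168.1.0/24"),
    ("vpn2", "ppp+:192.168.2.0/24"),
    ("vpn3", "ppp+:192.168.3.0/24"),
]


def parse_routes(text):
    """(network, dev) pairs from `ip route` output; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match, as the kernel's main-table lookup does (no policy routing)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def parse_log(line):
    """KEY=VALUE fields of a netfilter log line (a repeated key such as ID keeps its last value)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def iface_matches(pattern, iface):
    """Shorewall interface wildcard: a trailing '+' matches any suffix (ppp+ covers ppp0, ppp2)."""
    return iface.startswith(pattern[:-1]) if pattern.endswith("+") else pattern == iface


def interface_entry(interfaces, iface):
    """The interfaces entry (zone, pattern) that covers a device, or None."""
    for zone, pattern in interfaces:
        if iface_matches(pattern, iface):
            return (zone, pattern)
    return None


def zone_of(interfaces, hosts, iface, addr):
    """Zone membership: hosts entries first, then a zone-bearing interfaces entry."""
    ip = ipaddress.ip_address(addr)
    for zone, spec in hosts:
        pattern, _, net = spec.partition(":")
        if iface_matches(pattern, iface) and ip in ipaddress.ip_network(net, strict=False):
            return zone
    entry = interface_entry(interfaces, iface)
    return entry[0] if entry and entry[0] != "-" else None


def diagnose(log_text, route_text, interfaces, hosts):
    """One finding per FORWARD:REJECT line, explaining why Shorewall refused to forward it."""
    routes = parse_routes(route_text)
    findings = []
    for line in log_text.splitlines():
        if "FORWARD:REJECT" not in line:
            continue
        f = parse_log(line)
        in_entry = interface_entry(interfaces, f["IN"])
        out_entry = interface_entry(interfaces, f["OUT"])
        findings.append({
            "src": f["SRC"], "dst": f["DST"], "in": f["IN"], "out": f["OUT"],
            "routed_out": egress_interface(routes, f["DST"]),  # does the FIB agree with OUT=?
            "hairpin": f["IN"] == f["OUT"],                      # Tom's eth2 -> eth2 case
            "src_zone": zone_of(interfaces, hosts, f["IN"], f["SRC"]),
            "dst_zone": zone_of(interfaces, hosts, f["OUT"], f["DST"]),
            # Both sides covered by the same interfaces entry means forwarding back through
            # that entry, which Shorewall only allows when the entry has 'routeback'.
            "routeback_needed_on": in_entry[1] if in_entry and in_entry == out_entry else None,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(LOG_TEXT, ROUTE_TEXT, INTERFACES, HOSTS):
        print(finding)
```

Run with the poster's running config, the first line reports 'routeback' needed on ppp+ (ppp0 and ppp2 are both covered by that entry) and the second reports a hairpin on eth2 that the routing table confirms, which is exactly the pair of fixes Tom gave. Run with the hosts-based variant, the source 192.168.101.202 resolves to no zone, reproducing Tom's first remark.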