Hi,

I'm currently adding an ISP to an existing shorewall IPSec box.

With 1 ISP, everything is fine.

I ended with a config with which the VPN stops working (not even trying to establish a cnx).

Do you have any clue about it?

Commenting the 2nd ISP in /etc/shorewall/providers restores normal operation.

------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2d-c2
On Wed, 2011-06-29 at 15:35 +0200, Laurent CARON wrote:
> Hi,
>
> I'm currently adding an ISP to an existing shorewall IPSec box.
>
> With 1 ISP, everything is fine.
>
> I ended with a config with which the VPN stops working (not even trying
> to establish a cnx).
>
> Do you have any clue about it?

Have you ensured that the VPN continues to use the original interface? It must because the tunnel end-point IP addresses are referenced in the SPDs on both systems.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
On 29/06/2011 16:05, Tom Eastep wrote:
> Have you ensured that the VPN continues to use the original interface?
> It must because the tunnel end-point IP addresses are referenced in the
> SPDs on both systems.

Whenever I restart shorewall (while VPN is running) to add second ISP, I continue to receive ESP from the remote side, but local openswan stops sending to the remote peer.
On Wed, 2011-06-29 at 16:38 +0200, Laurent CARON wrote:
> On 29/06/2011 16:05, Tom Eastep wrote:
> > Have you ensured that the VPN continues to use the original interface?
> > It must because the tunnel end-point IP addresses are referenced in the
> > SPDs on both systems.
>
> Whenever I restart shorewall (while VPN is running) to add second ISP, I
> continue to receive ESP from the remote side, but local openswan stops
> sending to the remote peer.

The two dumps have totally different IPSEC configurations. In the 1-ISP dump, IPSEC is configured to tunnel 192.168.17.0/24 <=> 192.168.0.0/24 using a tunnel between 213.215.28.11 and 213.215.22.162. In the 2-ISP dump, IPSEC is configured to use *transport mode* and in one direction only - from 192.168.17.0/24 => 192.168.0.0/24.

-Tom
Tom Eastep <teastep@shorewall.net> wrote:
> On Wed, 2011-06-29 at 16:38 +0200, Laurent CARON wrote:
> > On 29/06/2011 16:05, Tom Eastep wrote:
> > > Have you ensured that the VPN continues to use the original interface?
> > > It must because the tunnel end-point IP addresses are referenced in the
> > > SPDs on both systems.
> >
> > Whenever I restart shorewall (while VPN is running) to add second ISP, I
> > continue to receive ESP from the remote side, but local openswan stops
> > sending to the remote peer.
>
> The two dumps have totally different IPSEC configurations. In the 1-ISP dump, IPSEC is configured to tunnel 192.168.17.0/24 <=> 192.168.0.0/24 using a tunnel between 213.215.28.11 and 213.215.22.162. In the 2-ISP dump, IPSEC is configured to use *transport mode* and in one direction only - from 192.168.17.0/24 => 192.168.0.0/24.
>
> -Tom

The config is exactly the same however.
Just with 2 isps it stays stuck.

--
Sent from my phone. Excuse the brevity.
On Wed, 2011-06-29 at 20:39 +0200, Laurent Caron (Phone) wrote:
>
> The config is exactly the same however.
> Just with 2 isps it stays stuck.

Shorewall does not change the ipset configuration. It simply reports it via 'setkey -D' and 'setkey -DP'. The output from 'setkey -DP' (which dumps the IPSEC policy database) is completely different in the two dumps. So something else is changing that has nothing to do with Shorewall.

-Tom
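Since the Shorewall dump only reports the SPD via 'setkey -DP', the two dumps can be compared mechanically rather than by eye. As an added example that is not part of this thread or of Shorewall, the Python below parses two constructed 'setkey -DP' dumps (addresses taken from the thread, layout modelled on ipsec-tools output, timestamp and id lines abbreviated) and checks that a site-to-site SPD still carries tunnel-mode policies in both directions naming the expected endpoints:

```python
import re
from dataclasses import dataclass
# SPD entry: selector "<src>[<port>] <dst>[<port>] <upper-proto>", a direction line such as
# "out prio def ipsec", then "<proto>/<mode>/<local>-<remote>/<level>" (endpoints empty in transport mode).
SELECTOR_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)$")
RULE_RE = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/([^/]*)/(\w+)$")
# Constructed dumps modelled on the thread: bidirectional tunnel-mode SPD (1 ISP) vs one-way transport mode (2 ISPs).
ONE_ISP_DUMP = """\
192.168.17.0/24[any] 192.168.0.0/24[any] any
    out prio def ipsec
    esp/tunnel/213.215.28.11-213.215.22.162/require
    created: Jun 29 15:35:00 2011  lastused:
192.168.0.0/24[any] 192.168.17.0/24[any] any
    in prio def ipsec
    esp/tunnel/213.215.22.162-213.215.28.11/require
"""
TWO_ISP_DUMP = """\
192.168.17.0/24[any] 192.168.0.0/24[any] any
    out prio def ipsec
    esp/transport//require
"""
@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    direction: str = ""   # in / out / fwd
    action: str = ""      # ipsec / none / discard
    mode: str = ""        # tunnel / transport
    endpoints: str = ""   # "local-remote" in tunnel mode, "" in transport mode

def parse_spd(dump: str) -> list[Policy]:
    """Turn the text of 'setkey -DP' into one Policy per SPD entry; timestamp/id lines are skipped."""
    policies, cur = [], {}
    for raw in dump.splitlines():
        line, tok = raw.strip(), raw.split()
        if tok and not raw[0].isspace() and SELECTOR_RE.match(line):  # unindented: new entry
            policies += [Policy(**cur)] if cur else []
            cur = {"src": tok[0].split("[")[0], "dst": tok[1].split("[")[0]}
        elif tok and tok[0] in ("in", "out", "fwd"):  # "out prio def ipsec" or, on older tools, "out ipsec"
            cur["direction"], cur["action"] = tok[0], tok[-1]
        elif rule := RULE_RE.match(line):
            cur["mode"], cur["endpoints"] = rule.group(2), rule.group(3)
    return policies + ([Policy(**cur)] if cur else [])

def check_site_to_site(policies: list[Policy], local: str, remote: str) -> list[str]:
    """List what is wrong with a tunnel-mode site-to-site SPD between local and remote."""
    ipsec = [p for p in policies if p.action == "ipsec"]
    problems = [f"no '{d}' ipsec policy" for d in ("in", "out") if d not in {p.direction for p in ipsec}]
    for p in ipsec:  # outbound policies name local-remote, inbound/forward name remote-local
        want = f"{local}-{remote}" if p.direction == "out" else f"{remote}-{local}"
        if p.mode != "tunnel":
            problems.append(f"{p.direction} {p.src}->{p.dst}: {p.mode} mode, not tunnel")
        elif p.endpoints != want:
            problems.append(f"{p.direction} {p.src}->{p.dst}: endpoints {p.endpoints}, expected {want}")
    return problems
```

Run against the 2-ISP sample it reports the missing inbound policy and the transport-mode outbound one, which is exactly the difference described above; on a real box feed it the 'setkey -DP' section of each Shorewall dump.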
Tom Eastep <teastep@shorewall.net> wrote:
> On Wed, 2011-06-29 at 20:39 +0200, Laurent Caron (Phone) wrote:
> >
> > The config is exactly the same however.
> > Just with 2 isps it stays stuck.
>
> Shorewall does not change the ipset configuration. It simply reports it via 'setkey -D' and 'setkey -DP'. The output from 'setkey -DP' (which dumps the IPSEC policy database) is completely different in the two dumps. So something else is changing that has nothing to do with Shorewall.
>
> -Tom

So it might be an openswan bug when dealing with multiple default routes?

--
Sent from my phone. Excuse the brevity.
On Wed, 2011-06-29 at 21:19 +0200, Laurent Caron (Phone) wrote:
>
> So it might be an openswan bug when dealing with multiple default
> routes?

It very much looks like you are using different OpenSwan configurations as well as different Shorewall configurations. Are you restarting OpenSWan as well as Shorewall?

A couple of things that I notice:

a) You are running kernel 2.6.39 which is very bleeding edge.
b) The output of 'ip route ls' looks like none I've ever seen before; it is unsorted. In my experience, it has always been sorted from most specific to most general which puts default routes at the end of the listing.

I know of at least one Shorewall user who uses OpenSwan extensively with multiple default routes; he has reported no issues such as yours.

-Tom
On Wed, Jun 29, 2011 at 12:34:02PM -0700, Tom Eastep wrote:
> It very much looks like you are using different OpenSwan configurations
> as well as different Shorewall configurations. Are you restarting
> OpenSWan as well as Shorewall?

Yep,

> A couple of things that I notice:
>
> a) You are running kernel 2.6.39 which is very bleeding edge.
> b) The output of 'ip route ls' looks like none I've ever seen before;
>    it is unsorted. In my experience, it has always been sorted from
>    most specific to most general which puts default routes at the end of
>    the listing.

I'm using:
iproute 20100519-3
shorewall 4.4.11.6-3
openswan 1:2.6.28+dfsg-5

> I know of at least one Shorewall user who uses OpenSwan extensively with
> multiple default routes; he has reported no issues such as yours.

Tom, I'm sorry to insist but I did the following which leads to make me think shorewall is doing something (most probably because of my config?).

Having a single default route:
Shorewall stopped or started openswan works fine

Having a multiple default route (set up by shorewall)
Shorewall stopped, the tunnel connection is fine
Shorewall started, I can't reach the remote end
On Wed, 2011-06-29 at 21:55 +0200, Laurent CARON wrote:
> On Wed, Jun 29, 2011 at 12:34:02PM -0700, Tom Eastep wrote:
> > It very much looks like you are using different OpenSwan configurations
> > as well as different Shorewall configurations. Are you restarting
> > OpenSWan as well as Shorewall?
>
> Yep,
>
> > I know of at least one Shorewall user who uses OpenSwan extensively with
> > multiple default routes; he has reported no issues such as yours.
>
> Tom, I'm sorry to insist but I did the following which leads to make me
> think shorewall is doing something (most probably because of my
> config?).
>
> Having a single default route:
> Shorewall stopped or started openswan works fine
>
> Having a multiple default route (set up by shorewall)
> Shorewall stopped, the tunnel connection is fine
> Shorewall started, I can't reach the remote end

Well, Shorewall, by itself, is not causing the IPSEC configuration to change totally. Please try switching Shorewall configurations *without* restarting OpenSwan.

-Tom
Michael Weickel - iQom Business Services GmbH
2011-Jun-29 20:07 UTC
Re: IPsec + Multi ISP not working
> Having a multiple default route (set up by shorewall)
> Shorewall stopped, the tunnel connection is fine
> Shorewall started, I can't reach the remote end

Unfortunately I read only the last few e-mails and somehow missed the way how your route is shown in table which points to the remote site. Can you show it to me please?

I don't think it's shorewall as well. I have approx 10 shorewall gates with versions from 3.xx to 4.xx and on each I have approx 30 up to 200 default routes with vlan and alternative table support. I use openswan as well on each machine and the gameplay between those two applications is just perfect! The only difference in our setup is, that routing is setup by customized scripts instead of shorewall.

So show me your route maybe I can find something.

-----Original Message-----
From: Laurent CARON [mailto:lcaron@unix-scripts.info]
Sent: Wednesday, 29 June 2011 21:56
To: Shorewall Users
Subject: Re: [Shorewall-users] IPsec + Multi ISP not working

On Wed, Jun 29, 2011 at 12:34:02PM -0700, Tom Eastep wrote:
> It very much looks like you are using different OpenSwan configurations
> as well as different Shorewall configurations. Are you restarting
> OpenSWan as well as Shorewall?

Yep,

> A couple of things that I notice:
>
> a) You are running kernel 2.6.39 which is very bleeding edge.
> b) The output of 'ip route ls' looks like none I've ever seen before;
>    it is unsorted. In my experience, it has always been sorted from
>    most specific to most general which puts default routes at the end of
>    the listing.

I'm using:
iproute 20100519-3
shorewall 4.4.11.6-3
openswan 1:2.6.28+dfsg-5

> I know of at least one Shorewall user who uses OpenSwan extensively with
> multiple default routes; he has reported no issues such as yours.

Tom, I'm sorry to insist but I did the following which leads to make me think shorewall is doing something (most probably because of my config?).

Having a single default route:
Shorewall stopped or started openswan works fine

Having a multiple default route (set up by shorewall)
Shorewall stopped, the tunnel connection is fine
Shorewall started, I can't reach the remote end
On Wed, Jun 29, 2011 at 01:06:25PM -0700, Tom Eastep wrote:
> Well, Shorewall, by itself, is not causing the IPSEC configuration to
> change totally. Please try switching Shorewall configurations *without*
> restarting OpenSwan.

I have openswan started and working (shorewall stopped).
I start shorewall with only 1 isp in config => openswan ok
I stop shorewall => openswan still ok
I start shorewall with 2 isp in config => openswan not ok
On Wed, 2011-06-29 at 22:09 +0200, Laurent CARON wrote:
> On Wed, Jun 29, 2011 at 01:06:25PM -0700, Tom Eastep wrote:
> > Well, Shorewall, by itself, is not causing the IPSEC configuration to
> > change totally. Please try switching Shorewall configurations *without*
> > restarting OpenSwan.
>
> I have openswan started and working (shorewall stopped).
> I start shorewall with only 1 isp in config => openswan ok
> I stop shorewall => openswan still ok
> I start shorewall with 2 isp in config => openswan not ok

Then I need another pair of dumps. Because the IPSEC configuration is definitely different in the two you sent me and I know of no way that 'shorewall restart' can cause that.

-Tom