Hi,

I am trying to get L2TP roadwarrior VPN working from http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP but I am making a mistake somewhere; I'd appreciate a fresh set of eyes to help.

I have the following interfaces:

    ppp0 - internet
    eth0 - local network
    rem  - client openvpn
    l2tp - ppp for l2tp clients

I am getting the following error logged when trying to connect into the server with L2TP from a remote machine (203.111.228.2).

    Jan 19 16:20:21 router kernel: [114176.615448] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=203.111.228.2 DST=2.49.2.193 LEN=412 TOS=0x00 PREC=0x00 TTL=107 ID=15353 PROTO=UDP SPT=500 DPT=500 LEN=392 MARK=0x100

I have attached a dump file. Greatly appreciate the help.

Thanks,
Chris

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
On 01/19/2012 08:17 AM, Chris Morley wrote:
> Hi, I am trying to get L2TP roadwarrior VPN working from
> http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP but i am making a
> mistake somewhere, appreciate a fresh set of eyes to help.
>
> I have the following interfaces:
>
> ppp0 - internet
> eth0 - local network
> rem - client openvpn
> l2tp - ppp for lt2p clients
>
> I am getting the following error logged when trying to connect into the
> server with L2TP from a remote machine (203.111.228.2).
>
> Jan 19 16:20:21 router kernel: [114176.615448]
> Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=203.111.228.2 DST=2.49.2.193
> LEN=412 TOS=0x00 PREC=0x00 TTL=107 ID=15353 PROTO=UDP SPT=500 DPT=500
> LEN=392 MARK=0x100
>
> I have attached a dump file. Greatly appreciate the help.

Chris,

It looks like you overlooked the fact that the L2TP section is a continuation of the previous section. So you must first configure Shorewall as described in that earlier section before adding the L2TP settings.

From the messages you are seeing, it looks like you don't have ipsec* entries in /etc/shorewall/tunnels.

Hope this helps.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
> From the messages you are seeing, it looks like you don't have ipsec*
> entries in /etc/shorewall/tunnels.

Hi Tom,

Thanks for the reply. I have added the tunnels to now show:

    #TYPE   ZONE    GATEWAY         GATEWAY ZONE
    ipsec   net     0.0.0.0/0       vpn

Also by changing the zones file from:

    fw      firewall
    vpn     ipsec
    l2tp    ipv4
    ukvpn   ipv4
    net     ipv4
    loc     ipv4

To the following:

    vpn     ipsec
    l2tp    ipv4
    ukvpn   ipv4
    fw      firewall
    net     ipv4
    loc     ipv4

An internal machine can now connect OK and get assigned an IP address via L2TP; this order does seem to affect things. So I know the VPN is working even with the firewall rules enabled for internal clients, just not for external clients.

For external clients, I am still seeing similar bounce messages:

    Jan 19 22:04:03 router kernel: [134798.340603] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=93.97.190.5 DST=2.49.2.193 LEN=412 TOS=0x00 PREC=0x00 TTL=120 ID=11474 PROTO=UDP SPT=500 DPT=500 LEN=392 MARK=0x100

As a hack, I then tried adding a policy:

    l2tp    fw      ACCEPT

Although the REJECT messages were no longer shown in the log, the VPN still timed out for the external users. So I then removed this line again. Now my policy just shows:

    fw      all     ACCEPT
    loc     fw      ACCEPT
    loc     net     ACCEPT
    # policy for inbound L2TP zone
    loc     l2tp    ACCEPT
    l2tp    loc     ACCEPT
    l2tp    net     ACCEPT
    loc     vpn     ACCEPT
    vpn     loc     ACCEPT
    vpn     fw      ACCEPT
    net     all     DROP    info
    # THE FOLLOWING POLICY MUST BE LAST
    all     all     REJECT  info

Since I have made some changes I have re-dumped the status for this config.

I appreciate everyone is busy, so no mad rush on a reply. Gave it another 2 hours tonight, no dice; I must be doing something silly, just can't see it. Hopefully a fresh mind tomorrow will help!

Regards,
Chris
Hi, just to say I think I may have spotted the issue; will advise tomorrow. Please disregard previous post for now.

Thanks,
Chris

Sent from Samsung Galaxy Note

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Thanks for the reply Tom.

Although I can connect internally to the L2TP server running on the firewall, all external attempts do not work. I have checked and double checked the procedure as below:

1) vpn added to zones:

    #ZONE   TYPE
    vpn     ipsec
    l2tp    ipv4
    net     ipv4
    loc     ipv4
    fw      firewall

2) interfaces specified:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     ppp0        -           dhcp,tcpflags,nosmurfs,logmartians
    loc     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
    l2tp    ppp+        -

3) ipsec specified in tunnels:

    #TYPE   ZONE    GATEWAY     GATEWAY ZONE
    ipsec   net     0.0.0.0/0   vpn

4) vpn zone defined in hosts:

    #ZONE   HOSTS           OPTIONS
    vpn     eth0:0.0.0.0/0

5) Policy set:

    #SOURCE DEST    POLICY  LOG LEVEL   LIMIT:BURST
    $FW     all     ACCEPT
    loc     $FW     ACCEPT
    loc     net     ACCEPT
    # policy for inbound L2TP zone
    loc     l2tp    ACCEPT
    l2tp    loc     ACCEPT
    l2tp    net     ACCEPT
    loc     vpn     ACCEPT
    vpn     loc     ACCEPT
    vpn     $FW     ACCEPT
    # THE FOLLOWING POLICY MUST BE LAST
    all     all     REJECT  info
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

6) rules set:

    #ACTION         SOURCE  DEST    PROTO
    DNS(ACCEPT)     $FW     net
    SSH(ACCEPT)     loc     $FW
    Ping(ACCEPT)    loc     $FW
    L2TP(REJECT)    net     $FW
    REJECT          $FW     net     udp     -       1701
    ACCEPT          vpn     $FW     udp     1701
    # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
    Ping(DROP)      net     $FW
    ACCEPT          $FW     loc     icmp
    ACCEPT          $FW     net     icmp
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I must have messed up somewhere, as now I see lots of log messages:

    1.6.160 LEN=134 TOS=0x02 PREC=0x00 TTL=109 ID=16558 PROTO=UDP SPT=1116 DPT=6881 LEN=114 MARK=0x100
    Jan 20 20:36:49 router kernel: [39805.141804] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=121.54.58.135 DST=2.51.6.160 LEN=58 TOS=0x00 PREC=0x00 TTL=103 ID=64768 PROTO=UDP SPT=27560 DPT=6881 LEN=38 MARK=0x100

This l2tp2fw chain is blocking peer-to-peer traffic and I don't understand why (I would have thought it should fall through to the default deny policy). If anyone would be kind enough to advise what I can try next or what I have done wrong above, it would be much appreciated.

Shorewall dump attached for reference.

Thanks for the help,
Chris
On 01/20/2012 12:35 PM, Chris Morley wrote:
> Thanks for the reply Tom.
>
> Although i can connect internally to the L2TP server running on the
> firewall, all external attempts do not work. I have checked and double
> checked the procedure as below:
>
> 1) vpn added to zones:
> #ZONE TYPE
> vpn ipsec
> l2tp ipv4
> net ipv4
> loc ipv4
> fw firewall
>
> 2) interfaces specified:
> #ZONE INTERFACE BROADCAST OPTIONS
> net ppp0 - dhcp,tcpflags,nosmurfs,logmartians
> loc eth0 detect
> dhcp,tcpflags,nosmurfs,routefilter,logmartians
> l2tp ppp+ -
>

With those definitions, the 'net' zone is a sub-zone of the 'l2tp' zone; but 'l2tp' is listed first, which means that l2tp's rules get applied to traffic entering ppp0 rather than net's. Reverse the order of the zones declarations and see if things don't improve.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
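Tom's point about declaration order can be checked mechanically before reloading the firewall. The following is an added example, not Shorewall code and not from anyone in this thread: a small Python model of first-match zone classification over the zones and interface patterns quoted above, which flags a zone whose literal interface (net's ppp0) is already captured by an earlier zone's wildcard (l2tp's ppp+), and predicts which Shorewall chain a logged packet should hit. The first-match semantics and the treatment of the trailing '+' as a shell glob are simplifying assumptions; the configuration values are constructed from the thread.

```python
import fnmatch
import re

# Constructed from the thread: /etc/shorewall/zones order and the
# /etc/shorewall/interfaces patterns (vpn is an ipsec zone with no interface).
ZONES_AS_POSTED = ["vpn", "l2tp", "net", "loc"]   # l2tp declared before net
ZONES_REORDERED = ["vpn", "net", "l2tp", "loc"]   # Tom's suggested order
INTERFACES = {"net": ["ppp0"], "loc": ["eth0"], "l2tp": ["ppp+"]}

def to_glob(pattern):
    # Assumption: Shorewall's trailing '+' wildcard behaves like a shell '*'.
    return pattern[:-1] + "*" if pattern.endswith("+") else pattern

def classify(zones, interfaces, ifname):
    """Zone whose rules apply to traffic entering ifname: the first declared
    zone with a matching interface pattern (simplified first-match model)."""
    for zone in zones:
        if any(fnmatch.fnmatchcase(ifname, to_glob(p)) for p in interfaces.get(zone, [])):
            return zone
    return None

def shadowed_zones(zones, interfaces):
    """Return (zone, interface, shadowing_zone) for every literal interface
    that an earlier-declared zone's pattern already captures."""
    problems = []
    for i, zone in enumerate(zones):
        for iface in interfaces.get(zone, []):
            if iface.endswith("+"):
                continue  # only literal interfaces can be fully shadowed
            earlier = classify(zones[:i], interfaces, iface)
            if earlier is not None:
                problems.append((zone, iface, earlier))
    return problems

LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):IN=(?P<iface>\S+)")

def expected_chain(log_line, zones, interfaces):
    """(chain the kernel logged, chain the packet should hit under this
    zone order), e.g. ('l2tp2fw', 'net2fw') once the order is fixed."""
    m = LOG_RE.search(log_line)
    zone = classify(zones, interfaces, m.group("iface"))
    return m.group("chain"), f"{zone}2fw"

# Constructed sample: the l2tp2fw REJECT line Chris posted, abbreviated.
SAMPLE_LOG = ("Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=93.97.190.5 "
              "DST=2.49.2.193 LEN=412 PROTO=UDP SPT=500 DPT=500")

if __name__ == "__main__":
    print(shadowed_zones(ZONES_AS_POSTED, INTERFACES))   # net shadowed by l2tp
    print(expected_chain(SAMPLE_LOG, ZONES_AS_POSTED, INTERFACES))
    print(expected_chain(SAMPLE_LOG, ZONES_REORDERED, INTERFACES))
```

With the posted order the IKE packet (UDP 500) from the Internet is classified as l2tp and hits l2tp2fw, which is exactly the chain in Chris's log; with net declared first it is classified as net and the ipsec tunnel entries for the net zone get a chance to apply.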