Brandon Slack
2012-Oct-24 15:17 UTC
IPSEC/L2TP Local and External Internet Access at same time through two interfaces?
Hey

First, apologies if this went out twice. I sent the original email from an odd email configuration (essentially from an alias of what I signed up as). I searched and noticed that my post did not appear and I did not get a bounce back, so I was confused. I waited a few days before resending. So apologies if this goes out twice. I am not trying to spam.

I was hoping someone could help me with L2TP/IPSEC routing issues. I have a fairly typical setup in which I have a server with eth0 (local traffic) and eth1 (external/internet traffic). I also have a VPN with OpenSwan/xl2tpd/ppp. I want users that log into the system to be able to use both eth0 and eth1. E.g. local internal sites are available, as is the internet. Thus far, my success has been either granting access to the local intranet, or the external internet, but not actually both at the same time. Could someone help give me some guidance? I have read the docs and previous mailing lists that I could find on this first. Below is my configuration, and I have attached the shorewall dump.

The below configuration allows users to access the local intranet. To enable external internet access, I add a 'masq' file as seen below and two DNAT rules (also shown below commented out); unfortunately this kills my local intranet access when connected, so it's disabled for now.

Can anyone point me in the right direction for having both internal intranet and external internet working when connected via my L2TP VPN?
Thanks for any hints or pointers (the dump is also attached).

# masq
###############################################################################
#INTERFACE:DEST   SOURCE           ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/GROUP
#eth1             192.168.0.0/24   # uncomment for external network access (kills internal local intranet access) - also uncomment rules for dnat

# HOSTS
###############################################################################
#ZONE   HOST(S)          OPTIONS
vpn     eth1:0.0.0.0/0

# Interfaces
###############################################################################
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect      tcpflags
net     eth1        detect      norfc1918,logmartians,nosmurfs,tcpflags
l2tp    ppp+        detect      routeback

# Policy
###############################################################################
#SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST   CONNLIMIT:MASK
fw        all    ACCEPT
loc       fw     ACCEPT
loc       net    ACCEPT

# policy for inbound L2TP Zone
loc       l2tp   ACCEPT               # allows local machines to connect (good for testing purposes)
l2tp      loc    ACCEPT               # allows for going back to local (yay for internet when VPN connected)
l2tp      net    ACCEPT   debug       # allow connected people to get to internet
l2tp      fw     ACCEPT   debug

net       all    DROP     info
all       all    REJECT   info

# Rules
###############################################################################
#ACTION   SOURCE   DEST   PROTO   DEST PORT   SOURCE PORT(S)   ORIGINAL DEST   RATE LIMIT   USER/GROUP   MARK   CONNLIMIT   TIME   HEADERS
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW

ACCEPT   net   fw   tcp   ssh,ftp,sftp,www,https
ACCEPT   loc   fw   tcp   ssh,ftp,sftp,www,https
ACCEPT   loc   fw   tcp   3000
ACCEPT   loc   fw   udp   69
ACCEPT   loc   fw   udp   514

# Prevent IPSEC bypass by hosts behind NAT Gateway
# and block 1701 to prevent tunnel from being open to internet
L2TP(REJECT)   net    $FW
REJECT         $FW    net   udp   -   1701
ACCEPT         vpn    fw    udp   1701
ACCEPT         l2tp   fw    tcp   ssh,ftp,sftp,www,https

# uncomment below and masq file to enable external network access
#DNAT   net   vpn:206.214.243.203   udp   4500
#DNAT   net   vpn:206.214.243.203   udp   500

# Tunnels
###############################################################################
#TYPE      ZONE   GATEWAY     GATEWAY ZONE
#ipsec     net    0.0.0.0/0   vpn
ipsecnat   net    0.0.0.0/0   vpn

# Zones
###############################################################################
#ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
fw      firewall
net     ipv4
loc     ipv4
l2tp    ipv4
vpn     ipsec

Here are some logs with the above configuration. Traffic appears to be going out.

Oct 22 14:24:35 YYZUNIX kernel: [1832699.820268] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1218 DF PROTO=TCP SPT=59275 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.820280] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=6067 DF PROTO=TCP SPT=59277 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.820292] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=54514 DF PROTO=TCP SPT=59276 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.920148] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.34.90 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=27607 DF PROTO=TCP SPT=59282 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.920162] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.232.114 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37034 DF PROTO=TCP SPT=59281 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832700.122307] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.34.34 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=55267 DF PROTO=TCP SPT=59285 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832700.122321] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.232.188 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=28037 DF PROTO=TCP SPT=59284 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX xl2

<Dump.txt>
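The log excerpt above is what the poster used to decide whether the firewall was forwarding the VPN client's packets. The following helper is an added example, not code from the thread or from Shorewall: it parses the "Shorewall:<chain>:<disposition>:" kernel-log format shown above, counts flows per chain and interface pair, and lists any VPN-sourced (ppp+) packets that were dropped or rejected. The sample lines are constructed (the first copies the thread's own entry; the others use RFC 5737 test addresses), and bear in mind that accepted traffic only appears in the log where the policy carries a log level, as the thread's l2tp-to-net policy does with debug.

```python
import re
from collections import Counter

# Constructed sample in the Shorewall kernel-log format from the thread. Line 1
# copies the thread's own l2tp2net entry; the other three are constructed
# (RFC 5737 test addresses) to exercise a DROP and a loc-bound packet.
SAMPLE_LOG = """\
Oct 22 14:24:35 YYZUNIX kernel: [1832699.820268] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1218 DF PROTO=TCP SPT=59275 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.920162] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.232.114 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37034 DF PROTO=TCP SPT=59281 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:36 YYZUNIX kernel: [1832700.500000] Shorewall:net2all:DROP:IN=eth1 OUT= MAC= SRC=203.0.113.9 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=4444 DPT=1701 LEN=20
Oct 22 14:24:36 YYZUNIX kernel: [1832700.600000] Shorewall:l2tp2loc:ACCEPT:IN=ppp0 OUT=eth0 MAC= SRC=192.168.0.230 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=100 DF PROTO=UDP SPT=51000 DPT=53 LEN=40
"""

# Shorewall prefixes netfilter log lines with "Shorewall:<chain>:<disposition>:"
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict of chain, disp and the KEY=value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disp": m.group("disp")}
    for tok in m.group("rest").split():
        if "=" in tok:                  # bare flags such as DF or SYN carry no '='
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)    # first LEN= is the IP length; keep it
    return rec


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def flow_summary(records):
    """Packet counts per (chain, disposition, IN, OUT)."""
    return Counter((r["chain"], r["disp"], r.get("IN", ""), r.get("OUT", "")) for r in records)


def vpn_egress(records, vpn_prefix="ppp"):
    """For packets that entered on a ppp+ (VPN) interface: egress interface -> dispositions seen."""
    seen = {}
    for r in records:
        if r.get("IN", "").startswith(vpn_prefix):
            seen.setdefault(r.get("OUT", ""), set()).add(r["disp"])
    return seen


def blocked_vpn_packets(records, vpn_prefix="ppp"):
    """VPN-sourced packets Shorewall dropped or rejected. An empty list means the
    filter rules are not what breaks the client's access; the thread's remaining
    problem turned out to be DNS, not a rule."""
    return [r for r in records
            if r.get("IN", "").startswith(vpn_prefix) and r["disp"] in ("DROP", "REJECT")]
```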
Brandon Slack
2012-Oct-26 18:39 UTC
Re: IPSEC/L2TP Local and External Internet Access at same time through two interfaces?
Hey

I think I managed to figure out my issue. I included the masq, removed the DNAT entries from the rules list and then determined that internal + external worked at the IP level. The remaining issue was DNS based, so I pointed the DNS servers in the config files to the internal one first. That seems to have solved my issue. I am not sure if it's the most optimal solution or not, but I got something working. Sorry for the noise.

Brandon Slack

On 2012-10-24, at 11:17 AM, Brandon Slack <brandons@newyyz.com> wrote: