Shorewall users - Oct 2012 - IPSEC/L2TP Local and External Internet Access at same time through two interfaces?

Hey

First, apologies if this went out twice. I sent the original email from an odd
email configuration (essentially from an alias of what I signed up as). I
searched and noticed that my post did not appear and I did not get a bounce back
so I was confused. I waited a few days before resending. So apologies if this
goes out twice. I am not trying to spam.

I was hoping someone could help me with L2TP/IPSEC routing issues. I have a
fairly typical setup in which I have a server with eth0 (local traffic) and eth1
(external/internet traffic). I also have a VPN with OpenSwan/xl2tpd/ppp. I want
users that log into the system to be able to use both eth0 and eth1. E.g. local
internal sites are available, as is the internet. Thus far, my success has been
either granting access to the local intranet, or the external internet, but not
actually both at the same time. Could someone help give me some guidance. I have
read the docs and previous mailing lists that I could find on this first. Below
is my configuration, and I have attached the shorewall dump.

The below configuration allows users to access the local intranet. To enable
external internet access, I add a ''masq'' file as seen below
and two DNAT rules (also shown below commented out), unfortunately this kills my
local intranet access when connected so its disabled for now. Can anyone point
me in the right direction for having both internal intranet and external
internet working when connected via my L2TP VPN?

Thanks for any hints or pointers (the dump is also attached)

# masq 
#############################################################################################
#INTERFACE:DEST   SOURCE    ADDRESS   PROTO PORT(S) IPSEC MARK  USER/
#                     GROUP
#eth1              192.168.0.0/24 # uncomment for external network access (kills
internal local intranet access) - also uncomment rules for dnat


# HOSTS
###############################################################################
#ZONE HOST(S)         OPTIONS
vpn   eth1:0.0.0.0/0

# Interfaces
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
loc eth0    detect    tcpflags
net eth1    detect    norfc1918,logmartians,nosmurfs,tcpflags
l2tp  ppp+  detect    routeback

# Policy
###############################################################################
#SOURCE DEST  POLICY    LOG LIMIT:    CONNLIMIT:
#       LEVEL BURST   MASK
fw  all   ACCEPT
loc fw    ACCEPT
loc net   ACCEPT    # policy for inbound L2TP Zone

# policy for inbound L2TP Zone
loc   l2tp  ACCEPT  # allows local machines to connect (good for testing
purposes)
l2tp  loc   ACCEPT  # allows for going back to local (yay for internet when VPN
connected)
l2tp  net   ACCEPT  debug # allow connected people to get to internet
l2tp  fw    ACCEPT  debug

net all DROP      info
all all REJECT    info


# Rules
####################################################################################################################################################################
#ACTION   SOURCE    DEST    PROTO DEST  SOURCE    ORIGINAL  RATE    USER/ MARK 
CONNLIMIT TIME         HEADERS
#             PORT  PORT(S)   DEST    LIMIT   GROUP
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION NEW

ACCEPT    net   fw    tcp ssh,ftp,sftp,www,https
ACCEPT    loc   fw    tcp ssh,ftp,sftp,www,https
ACCEPT    loc   fw    tcp 3000
ACCEPT    loc   fw    udp 69
ACCEPT    loc   fw    udp 514

# Prevent IPSEC bypass by hosts behind NAT Gateway
# and block 1701 to prevent tunnel from being open to internet 
L2TP(REJECT)  net $FW
REJECT    $FW   net   udp -   1701
ACCEPT    vpn   fw    udp 1701
ACCEPT    l2tp  fw    tcp ssh,ftp,sftp,www,https

# uncomment below and masa file to enable external network access
#DNAT     net vpn:206.214.243.203       udp     4500
#DNAT      net vpn:206.214.243.203       udp      500

# Tunnels
###############################################################################
#TYPE     ZONE  GATEWAY   GATEWAY
#           ZONE
#ipsec      net   0.0.0.0/0   vpn
ipsecnat  net   0.0.0.0/0   vpn

# Zones
###############################################################################
#ZONE TYPE    OPTIONS   IN      OUT
#         OPTIONS     OPTIONS
fw  firewall
net ipv4
loc ipv4
l2tp ipv4
vpn ipsec


Here are some logs with the above configuration. Traffic appears to be going out
Oct 22 14:24:35 YYZUNIX kernel: [1832699.820268]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1218 DF PROTO=TCP
SPT=59275 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.820280]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=6067 DF PROTO=TCP
SPT=59277 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.820292]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=54514 DF PROTO=TCP
SPT=59276 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.920148]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.34.90 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=27607 DF PROTO=TCP
SPT=59282 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.920162]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.232.114 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37034 DF PROTO=TCP
SPT=59281 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832700.122307]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.34.34 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=55267 DF PROTO=TCP
SPT=59285 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832700.122321]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.232.188 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=28037 DF PROTO=TCP
SPT=59284 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX xl2




------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct

Hey

I think I managed to figure out my issue. I included the masa, removed the DNAT
entries from the rules list and then determined that internal + external worked
at the IP level. The remaining issue was DNS based so I pointed the dns servers
in the config files to point to the internal one first. That seems to have
solved my issue. I am not sure if its the most optimal solution or not, but I
got something working.

Sorry for the noise.

Brandon Slack

On 2012-10-24, at 11:17 AM, Brandon Slack <brandons@newyyz.com> wrote:
> Hey
> 
> First, apologies if this went out twice. I sent the original email from an
odd email configuration (essentially from an alias of what I signed up as). I
searched and noticed that my post did not appear and I did not get a bounce back
so I was confused. I waited a few days before resending. So apologies if this
goes out twice. I am not trying to spam.
> 
> I was hoping someone could help me with L2TP/IPSEC routing issues. I have a
fairly typical setup in which I have a server with eth0 (local traffic) and eth1
(external/internet traffic). I also have a VPN with OpenSwan/xl2tpd/ppp. I want
users that log into the system to be able to use both eth0 and eth1. E.g. local
internal sites are available, as is the internet. Thus far, my success has been
either granting access to the local intranet, or the external internet, but not
actually both at the same time. Could someone help give me some guidance. I have
read the docs and previous mailing lists that I could find on this first. Below
is my configuration, and I have attached the shorewall dump.
> 
> The below configuration allows users to access the local intranet. To
enable external internet access, I add a ''masq'' file as seen
below and two DNAT rules (also shown below commented out), unfortunately this
kills my local intranet access when connected so its disabled for now. Can
anyone point me in the right direction for having both internal intranet and
external internet working when connected via my L2TP VPN?
> 
> Thanks for any hints or pointers (the dump is also attached)
> 
> # masq 
>
#############################################################################################
> #INTERFACE:DEST   SOURCE    ADDRESS   PROTO PORT(S) IPSEC MARK  USER/
> #                     GROUP
> #eth1              192.168.0.0/24 # uncomment for external network access
(kills internal local intranet access) - also uncomment rules for dnat
> 
> 
> # HOSTS
>
###############################################################################
> #ZONE HOST(S)         OPTIONS
> vpn   eth1:0.0.0.0/0
> 
> # Interfaces
>
###############################################################################
> #ZONE INTERFACE BROADCAST OPTIONS
> loc eth0    detect    tcpflags
> net eth1    detect    norfc1918,logmartians,nosmurfs,tcpflags
> l2tp  ppp+  detect    routeback
> 
> # Policy
>
###############################################################################
> #SOURCE DEST  POLICY    LOG LIMIT:    CONNLIMIT:
> #       LEVEL BURST   MASK
> fw  all   ACCEPT
> loc fw    ACCEPT
> loc net   ACCEPT    # policy for inbound L2TP Zone
> 
> # policy for inbound L2TP Zone
> loc   l2tp  ACCEPT  # allows local machines to connect (good for testing
purposes)
> l2tp  loc   ACCEPT  # allows for going back to local (yay for internet when
VPN connected)
> l2tp  net   ACCEPT  debug # allow connected people to get to internet
> l2tp  fw    ACCEPT  debug
> 
> net all DROP      info
> all all REJECT    info
> 
> 
> # Rules
>
####################################################################################################################################################################
> #ACTION   SOURCE    DEST    PROTO DEST  SOURCE    ORIGINAL  RATE    USER/
MARK  CONNLIMIT TIME         HEADERS
> #             PORT  PORT(S)   DEST    LIMIT   GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> #SECTION NEW
> 
> ACCEPT    net   fw    tcp ssh,ftp,sftp,www,https
> ACCEPT    loc   fw    tcp ssh,ftp,sftp,www,https
> ACCEPT    loc   fw    tcp 3000
> ACCEPT    loc   fw    udp 69
> ACCEPT    loc   fw    udp 514
> 
> # Prevent IPSEC bypass by hosts behind NAT Gateway
> # and block 1701 to prevent tunnel from being open to internet 
> L2TP(REJECT)  net $FW
> REJECT    $FW   net   udp -   1701
> ACCEPT    vpn   fw    udp 1701
> ACCEPT    l2tp  fw    tcp ssh,ftp,sftp,www,https
> 
> # uncomment below and masa file to enable external network access
> #DNAT     net vpn:206.214.243.203       udp     4500
> #DNAT      net vpn:206.214.243.203       udp      500
> 
> # Tunnels
>
###############################################################################
> #TYPE     ZONE  GATEWAY   GATEWAY
> #           ZONE
> #ipsec      net   0.0.0.0/0   vpn
> ipsecnat  net   0.0.0.0/0   vpn
> 
> # Zones
>
###############################################################################
> #ZONE TYPE    OPTIONS   IN      OUT
> #         OPTIONS     OPTIONS
> fw  firewall
> net ipv4
> loc ipv4
> l2tp ipv4
> vpn ipsec
> 
> 
> Here are some logs with the above configuration. Traffic appears to be
going out
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.820268]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1218 DF PROTO=TCP
SPT=59275 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.820280]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=6067 DF PROTO=TCP
SPT=59277 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.820292]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=54514 DF PROTO=TCP
SPT=59276 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.920148]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.34.90 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=27607 DF PROTO=TCP
SPT=59282 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.920162]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.232.114 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37034 DF PROTO=TCP
SPT=59281 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832700.122307]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.34.34 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=55267 DF PROTO=TCP
SPT=59285 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832700.122321]
Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230
DST=17.172.232.188 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=28037 DF PROTO=TCP
SPT=59284 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX xl2
> 
> 
> <Dump.txt>

------------------------------------------------------------------------------
The Windows 8 Center 
In partnership with Sourceforge
Your idea - your app - 30 days. Get started!
http://windows8center.sourceforge.net/
what-html-developers-need-to-know-about-coding-windows-8-metro-style-apps/