[leaf-user] [ leaf-Support Requests-677584 ] Problems communicating via VPN

[SourceForge.net <no...@so...>]

Support Requests item #677584, was opened at 2003-01-30 09:19
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=213751&aid=677584&group_id=13751

Category: packages
Group: None
>Status: Closed
Priority: 5
Submitted By: Bob Dushok (bdushok)
Assigned to: Mike Noyes (mhnoyes)
Summary: Problems communicating via VPN

Initial Comment:
I'm attempting to configure a subnet to subnet VPN
between two Bering uclibc v1.02 firewalls and am having
difficulty.  The VPN appears to be coming up, but no
traffic seems to pass through it.  My systems are setup
as follows:

workstation1 - ip 10.12.0.2
   |
bering gw - internal 10.12.0.1 - external 66.202.70.89
   |
(internet)
   |
bering gw - internal 10.1.2.200 - external 199.224.108.200
   |
workstation 2 - ip 10.1.1.1

The external IPs are statically assigned, I'm not using
DHCP.

When entering ipsec auto --up vpn I receive the following:

104 "vpn" #8: STATE_MAIN_I1: initiate
106 "vpn" #8: STATE_MAIN_I2: sent MI2, expecting MR2
108 "vpn" #8: STATE_MAIN_I3: sent MI3, expecting MR3
004 "vpn" #8: STATE_MAIN_I4: ISAKMP SA established
112 "vpn" #9: STATE_QUICK_I1: initiate
004 "vpn" #9: STATE_QUICK_I2: sent QI2, IPsec SA
established

The output of ipsec look is:
000 interface ipsec0/eth0 199.224.108.200
000  
000 "vpn":
10.1.0.0/16===199.224.108.200---199.224.108.34...66.202.70.88---66.202.70.89===10.12.0.0/16
000 "vpn":   ike_life: 3600s; ipsec_life: 28800s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "vpn":   policy: RSASIG+ENCRYPT+TUNNEL+PFS;
interface: eth0; erouted
000 "vpn":   newest ISAKMP SA: #3; newest IPsec SA: #2;
eroute owner: #2
000  
000 #3: "vpn" STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 998s; newest ISAKMP
000 #2: "vpn" STATE_QUICK_I2 (sent QI2, IPsec SA
established); EVENT_SA_REPLACE in 23043s; newest IPSEC;
eroute owner
000 #2: "vpn" esp.ed0b3c74@66.202.70.89
esp.7639cf48@199.224.108.200 tun.1002@66.202.70.89
tun.1001@199.224.108.200

It appears the VPN is up, but 10.12.0.2 can't ping
10.1.1.1 and vice versa.  My conf looks as follows:
config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=all
	plutoload=%search
	plutostart=%search
	
conn %default
	type=tunnel
	keyexchange=ike
	keylife=8h
	keyingtries=0
	authby=rsasig
	disablearrivalcheck=no	
	pfs=yes

conn vpn
	left=199.224.108.200
	leftsubnet=10.1.0.0/16
	leftnexthop=199.224.108.34
	leftfirewall=yes
	right=66.202.70.89
	rightsubnet=10.12.0.0/16
	rightnexthop=66.202.70.88
	rightfirewall=yes
	auto=add
	leftrsasigkey=(omitted)
	rightrsasigkey=(ommitted)

I've added a zone for the VPN and have a rule similar
to the following added to the Shorewall rules:

vpnnet   localnet    ACCEPT
localnet   vpnnet   ACCEPT

(sorry I don't have the exact text of these rules)

hosts.allow does include an ALL: entry denoting the
private network on the other end of the VPN.

Do I need to perform any masquerading on the IPSEC0
interface for the nets to communicate properly?

As I was searching the mailing list, I noticed
conversations which mentioned an ipsec masquerade
kernel driver.  I can't seem to locate any info on this
for Bering/uclibc.  Am I missing something important? 
The only modules I'm loading for masquerading came with
the Bering release (ip_conntrack_ftp, ip_conntrack_irc,
ip_nat_ftp, and ip_nat_irc).

When shorewall starts it prints a warning indicating
the zone I've created for my VPN is empty.  I've
defined the zone by including the following in the
zones file:

vpnzone  ipsec0

Does this warning indicate a problem?

Any suggestions would be appreciated.
TIA
Bob



----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-31 18:23

Message:
Logged In: YES 
user_id=694924

Based on the most recent comment on this support request, it is our
understanding that this matter has been addressed. Should you
require further assistance from LEAF project members, please submit
a new support request.
Thank you,
leaf-project.org support

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-31 18:23

Message:
Logged In: YES 
user_id=694924

Tom,
   Thank you!  The missing ipsec interface (zones file) was 
the problem.  I've added it and the VPN is now running.
   Bob

----------------------------------------------------------------------

Comment By: Tom Eastep (teastep)
Date: 2003-01-30 10:56

Message:
Logged In: YES 
user_id=6546

The first time through, I missed that you have

vpnzone (sic)   ipsec0 

in the ZONES file. The only column in that file that
Shorewall pays any attention to is the first one. You need
to add this to the interfaces file:

extnet	ipsec0

-Tom

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-30 10:30

Message:
Logged In: YES 
user_id=694924

Kp, 
   Thanks, I'll try removing left/rightfirewall=yes and will add a 
rule to allow connections on ports 50 and 51.
   My policy and rules are as follows:

policy:
#SOURCE		DEST		POLICY	
	LOG LEVEL	LIMIT:BURST
admin		net		ACCEPT
fw		extnet		ACCEPT
admin		extnet		ACCEPT
extnet	admin		ACCEPT
fw		net		ACCEPT
net		all		DROP	
	info
all		all		REJECT	
	info

Rules:
ACCEPT		fw	  net		tcp
	53
ACCEPT		fw	  net		udp
	53
ACCEPT          admin     fw            udp     53
ACCEPT		fw	  net		tcp
	37
ACCEPT		fw	  net 		tcp
	25
ACCEPT		net	  fw		udp
	500

Thanks,
Bob

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-30 10:24

Message:
Logged In: YES 
user_id=694924

Tom,
Thanks for the reply.  I'm sorry if my message implied I don't 
value the support you're providing.  I completely forgot about 
the zones, interfaces, hosts, and tunnels files but have 
attached them below.
Bob

hosts:
(nothing, only comments that were present in file included 
with distribution)

interfaces:
net	eth0		detect	
	norfc1918
admin	eth1		detect	
	routestopped

tunnels:
ipsec		net	66.202.70.89/24	
	extnet

zones:
extnet	ipsec0
net	Internet	
admin	Admin		


----------------------------------------------------------------------

Comment By: KP Kirchdörfer (kapeka)
Date: 2003-01-30 10:14

Message:
Logged In: YES 
user_id=204664

Lynn Avants advice in his ipsec doc for LEAF is to omitt the left-  
and rightfirewall. 
 
I cannot see  a real  error in your ipsec settings, but I'm no expert. 
 
I guess you should provide your shorewall settings, esp: 
 
zones 
interfaces 
policy 
rules 
tunnels 
 
I have an ipsec tunnel up and running, without touching masq. 
I'm not shure, if that's all correct and safe, but it's working. 
kp    

----------------------------------------------------------------------

Comment By: Tom Eastep (teastep)
Date: 2003-01-30 09:41

Message:
Logged In: YES 
user_id=6546

Bob,

You are asking busy people for free technical assistance yet
you can't be bothered to collect the relevant  information?
(ref: "sorry I don't have the exact text of these rules")

The fact that Shorewall is reporting an empty zone is
probably a key symptom but without the contents of the
'zones', 'interfaces', 'hosts' and 'tunnels' files from your
/etc/shorewall directory it would be a wild guess to try to
tell you what might be wrong.

-Tom

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=213751&aid=677584&group_id=13751