From: SourceForge.net <no...@so...> - 2003-02-01 16:39:37
Support Requests item #677584, was opened at 2003-01-30 09:19
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=213751&aid=677584&group_id=13751

Category: packages
Group: None
>Status: Closed
Priority: 5
Submitted By: Bob Dushok (bdushok)
Assigned to: Mike Noyes (mhnoyes)
Summary: Problems communicating via VPN

Initial Comment:
I'm attempting to configure a subnet-to-subnet VPN between two Bering uclibc v1.02 firewalls and am having difficulty. The VPN appears to be coming up, but no traffic seems to pass through it. My systems are set up as follows:

    workstation1 - ip 10.12.0.2
      |
    bering gw - internal 10.12.0.1 - external 66.202.70.89
      |
    (internet)
      |
    bering gw - internal 10.1.2.200 - external 199.224.108.200
      |
    workstation 2 - ip 10.1.1.1

The external IPs are statically assigned, I'm not using DHCP.

When entering ipsec auto --up vpn I receive the following:

    104 "vpn" #8: STATE_MAIN_I1: initiate
    106 "vpn" #8: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "vpn" #8: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "vpn" #8: STATE_MAIN_I4: ISAKMP SA established
    112 "vpn" #9: STATE_QUICK_I1: initiate
    004 "vpn" #9: STATE_QUICK_I2: sent QI2, IPsec SA established

The output of ipsec look is:

    000 interface ipsec0/eth0 199.224.108.200
    000
    000 "vpn": 10.1.0.0/16===199.224.108.200---199.224.108.34...66.202.70.88---66.202.70.89===10.12.0.0/16
    000 "vpn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 "vpn": policy: RSASIG+ENCRYPT+TUNNEL+PFS; interface: eth0; erouted
    000 "vpn": newest ISAKMP SA: #3; newest IPsec SA: #2; eroute owner: #2
    000
    000 #3: "vpn" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 998s; newest ISAKMP
    000 #2: "vpn" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 23043s; newest IPSEC; eroute owner
    000 #2: "vpn" esp.ed0b3c74@66.202.70.89 esp.7639cf48@199.224.108.200 tun.1002@66.202.70.89 tun.1001@199.224.108.200

It appears the VPN is up, but 10.12.0.2 can't ping 10.1.1.1 and vice versa.

My conf looks as follows:

    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=all
        plutoload=%search
        plutostart=%search

    conn %default
        type=tunnel
        keyexchange=ike
        keylife=8h
        keyingtries=0
        authby=rsasig
        disablearrivalcheck=no
        pfs=yes

    conn vpn
        left=199.224.108.200
        leftsubnet=10.1.0.0/16
        leftnexthop=199.224.108.34
        leftfirewall=yes
        right=66.202.70.89
        rightsubnet=10.12.0.0/16
        rightnexthop=66.202.70.88
        rightfirewall=yes
        auto=add
        leftrsasigkey=(omitted)
        rightrsasigkey=(omitted)

I've added a zone for the VPN and have a rule similar to the following added to the Shorewall rules:

    vpnnet localnet ACCEPT
    localnet vpnnet ACCEPT

(sorry I don't have the exact text of these rules)

hosts.allow does include an ALL: entry denoting the private network on the other end of the VPN.

Do I need to perform any masquerading on the IPSEC0 interface for the nets to communicate properly? As I was searching the mailing list, I noticed conversations which mentioned an ipsec masquerade kernel driver. I can't seem to locate any info on this for Bering/uclibc. Am I missing something important? The only modules I'm loading for masquerading came with the Bering release (ip_conntrack_ftp, ip_conntrack_irc, ip_nat_ftp, and ip_nat_irc).

When shorewall starts it prints a warning indicating the zone I've created for my VPN is empty. I've defined the zone by including the following in the zones file:

    vpnzone ipsec0

Does this warning indicate a problem?

Any suggestions would be appreciated.

TIA
Bob

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-31 18:23

Message:
Logged In: YES
user_id=694924

Based on the most recent comment on this support request, it is our understanding that this matter has been addressed. Should you require further assistance from LEAF project members, please submit a new support request.

Thank you,
leaf-project.org support

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-31 18:23

Message:
Logged In: YES
user_id=694924

Tom,

Thank you! The missing ipsec interface (zones file) was the problem. I've added it and the VPN is now running.

Bob

----------------------------------------------------------------------

Comment By: Tom Eastep (teastep)
Date: 2003-01-30 10:56

Message:
Logged In: YES
user_id=6546

The first time through, I missed that you have

    vpnzone (sic) ipsec0

in the ZONES file. The only column in that file that Shorewall pays any attention to is the first one. You need to add this to the interfaces file:

    extnet ipsec0

-Tom

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-30 10:30

Message:
Logged In: YES
user_id=694924

Kp,

Thanks, I'll try removing left/rightfirewall=yes and will add a rule to allow connections on ports 50 and 51.

My policy and rules are as follows:

policy:

    #SOURCE   DEST     POLICY   LOG LEVEL   LIMIT:BURST
    admin     net      ACCEPT
    fw        extnet   ACCEPT
    admin     extnet   ACCEPT
    extnet    admin    ACCEPT
    fw        net      ACCEPT
    net       all      DROP     info
    all       all      REJECT   info

Rules:

    ACCEPT   fw      net   tcp   53
    ACCEPT   fw      net   udp   53
    ACCEPT   admin   fw    udp   53
    ACCEPT   fw      net   tcp   37
    ACCEPT   fw      net   tcp   25
    ACCEPT   net     fw    udp   500

Thanks,
Bob

----------------------------------------------------------------------

Comment By: Bob Dushok (bdushok)
Date: 2003-01-30 10:24

Message:
Logged In: YES
user_id=694924

Tom,

Thanks for the reply. I'm sorry if my message implied I don't value the support you're providing. I completely forgot about the zones, interfaces, hosts, and tunnels files but have attached them below.

Bob

hosts: (nothing, only comments that were present in file included with distribution)

interfaces:

    net     eth0   detect   norfc1918
    admin   eth1   detect   routestopped

tunnels:

    ipsec   net   66.202.70.89/24   extnet

zones:

    extnet   ipsec0
    net      Internet
    admin    Admin

----------------------------------------------------------------------

Comment By: KP Kirchdörfer (kapeka)
Date: 2003-01-30 10:14

Message:
Logged In: YES
user_id=204664

Lynn Avants' advice in his ipsec doc for LEAF is to omit the left- and rightfirewall.

I cannot see a real error in your ipsec settings, but I'm no expert. I guess you should provide your shorewall settings, esp.:

    zones
    interfaces
    policy
    rules
    tunnels

I have an ipsec tunnel up and running, without touching masq. I'm not sure if that's all correct and safe, but it's working.

kp

----------------------------------------------------------------------

Comment By: Tom Eastep (teastep)
Date: 2003-01-30 09:41

Message:
Logged In: YES
user_id=6546

Bob,

You are asking busy people for free technical assistance yet you can't be bothered to collect the relevant information? (ref: "sorry I don't have the exact text of these rules")

The fact that Shorewall is reporting an empty zone is probably a key symptom but without the contents of the 'zones', 'interfaces', 'hosts' and 'tunnels' files from your /etc/shorewall directory it would be a wild guess to try to tell you what might be wrong.

-Tom

----------------------------------------------------------------------
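The root cause in this thread is the difference between declaring a zone (first column of the zones file) and binding an interface to it (first column of the interfaces or hosts file); Bob's "extnet ipsec0" line in the zones file only declared the zone, so Shorewall reported it empty and the tunnel's traffic had no zone to match the policy on. The script below is an added example written for this page, not code from the tracker item, from LEAF/Bering or from the Shorewall project. It reproduces that first-column check offline over constructed copies of the zones, interfaces and hosts files from the thread, first as Bob posted them and then with the line Tom Eastep supplied; the function names and the sample file contents are mine.

```shell
#!/bin/sh
# Added example (not from the thread, LEAF/Bering or Shorewall): reproduce
# the check behind Shorewall's "zone is empty" warning. A zone named in the
# first column of the zones file counts as empty when no non-comment line
# of the interfaces file or the hosts file names that zone in its own first
# column. Column layouts follow the Shorewall 1.x order shown in the thread.

# Print, one per line, every zone in $1 (zones file) to which no line in
# $2 (interfaces file) or $3 (hosts file) binds an interface or host group.
shorewall_empty_zones() {
    zones_file=$1
    interfaces_file=$2
    hosts_file=$3
    # First column of every non-blank, non-comment line of the zones file.
    awk '!/^[ \t]*#/ && NF { print $1 }' "$zones_file" |
    while read -r zone; do
        # awk exits 0 when some line's first column equals the zone name.
        if ! awk -v z="$zone" \
                '!/^[ \t]*#/ && NF && $1 == z { found = 1 }
                 END { exit !found }' \
                "$interfaces_file" "$hosts_file"; then
            echo "$zone"
        fi
    done
}

# Constructed sample files reproducing Bob's posted configuration (his hosts
# file contained nothing but the distribution's comments).
write_sample_config() {
    dir=$1
    cat > "$dir/zones" <<'EOF'
#ZONE    DISPLAY    COMMENTS
extnet   ipsec0
net      Internet
admin    Admin
EOF
    cat > "$dir/interfaces" <<'EOF'
#ZONE    INTERFACE   BROADCAST   OPTIONS
net      eth0        detect      norfc1918
admin    eth1        detect      routestopped
EOF
    cat > "$dir/hosts" <<'EOF'
#ZONE    HOST(S)     OPTIONS
EOF
}

# Before the fix: "extnet ipsec0" in the zones file is a zone name plus a
# display name, so ipsec0 is bound to nothing and extnet is reported empty.
empty_zones_before() {
    dir=$(mktemp -d)
    write_sample_config "$dir"
    shorewall_empty_zones "$dir/zones" "$dir/interfaces" "$dir/hosts"
    rm -rf "$dir"
}

# After the fix Tom gave: bind ipsec0 to extnet in the interfaces file.
empty_zones_after() {
    dir=$(mktemp -d)
    write_sample_config "$dir"
    echo "extnet   ipsec0" >> "$dir/interfaces"
    shorewall_empty_zones "$dir/zones" "$dir/interfaces" "$dir/hosts"
    rm -rf "$dir"
}

echo "empty zones before the fix: $(empty_zones_before)"
echo "empty zones after the fix:  $(empty_zones_after)"
```

Run against a live /etc/shorewall by calling shorewall_empty_zones with the real zones, interfaces and hosts paths; any zone it prints is one whose policy and rules lines can never match traffic, which is exactly the state Bob's VPN zone was in. The script models only the first-column rule described in the thread (the firewall zone itself is defined elsewhere in Shorewall and is not covered).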