Nadeem Hasan
writes (back in December 2001): I am interested to know if anyone here has tried to build a VPN setup using SuSEFirewall2 and FreeS/WAN in tunnel mode (host to subnet). I have been looking to do this but have not been able to find any info about SuSEFirewall2 config changes for this.
I'm in the middle of this with SuSE 7.3 which we installed on two machines, both of which are to run the very latest SuSEfirewall2 from Marc Heuse's page at http://www.suse.de/~marc
I'm using SuSE's 2.4.10 kernel (stock, no changes, pentium optimized). I'm using freeswan from the same 7.3 install (which is an rsync Mirror of the 7.3 FTP directory at gatech).
Without the firewall enabled, it looks as if freeswan (ipsec) starts correctly. WITH the firewall enabled, here's what we get as an error message:
ipsec_setup: Starting FreeS/WAN IPsec 1.91...
WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
ipsec_setup:
This is, frankly, maddening. I need to get this VPN working between two office sites. The first is our office and I'm intending FreeS/WAN to run on the firewall in conjunction with SuSEfirewall2. This machine masquerades to our internal network of 192.168.1.0/24 on the internal leg on eth1. This works fine.
The other end is inside of a client's internal network. Through a CISCO PIX firewall, they've locked an external real-ip to the machine's internal IP of 10.100.0.26, and opened up port 22 TCP for me to ssh into the machine from the outside world. This works wonderfully. There is only one ethernet card in here.
The goal is to be able to use the machine at the client site to talk to a Microsoft sourcesafe server at an internal address of 10.100.0.17, such
Hi,
what about the kernel parameter rp_filter?! There is a dir for each network
device in /proc/sys/net/ipv4/conf/ !
And for IPSec it must be set to "0" (the default value, I think)!! The
/sbin/SuSEfirewall2 script looks at start time for ipsec devices (in v2.0 ->
less +522 /sbin/SuSEfirewall2), but if there is no IPSec device present the
rp_filter parameter is set to "1"!
Maybe you want to set them all to "0":
for i in /proc/sys/net/ipv4/conf/* ; do echo "0" > "$i/rp_filter" ; done
If that doesn't help you can switch off the kernel security at #17 in
/etc/rc.config.d/firewall2.rc.config.
A little bug in the /sbin/SuSEfirewall2 script is that the changes to the
kernel parameters are a one-way ticket! Once set, the script doesn't roll them
back to the original values if you stop/refresh/reload the firewall, so the
only way I see is to reboot the machine (or roll back the values by hand ;-)
btw, does IPSec work correctly if you don't start the firewall?!
so long.... Kai
PS remember: you CAN'T ping from one IPSec router to the other!!! You must
use other IPs than the router IPs as source / target IPs for ping tests:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#cantping
PSS Very important (the real trick):
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#masq.faq
Have a nice day....
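As an added example (not part of the thread, and not SuSEfirewall2's or FreeS/WAN's own code): a small POSIX sh helper that snapshots the per-interface rp_filter values before the firewall is started, reports any interface still left at "1", and restores the saved values afterwards, which is the by-hand rollback Kai mentions instead of a reboot. CONF_ROOT is an assumed override so the functions can be pointed at a copy of the /proc tree for testing.

```shell
#!/bin/sh
# Added example: snapshot / check / restore of rp_filter per interface.
# CONF_ROOT is an assumption (override for testing); the real tree is /proc/sys/net/ipv4/conf.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Record "iface value" lines for every interface into the snapshot file $1.
snapshot_rp_filter() {
    snap="$1"
    : > "$snap"
    for d in "$CONF_ROOT"/*; do
        [ -f "$d/rp_filter" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(cat "$d/rp_filter")" >> "$snap"
    done
}

# List interfaces whose rp_filter is not 0 (the value KLIPS needs).
# Returns 0 when all interfaces are at 0, 1 otherwise.
check_rp_filter() {
    bad=0
    for d in "$CONF_ROOT"/*; do
        [ -f "$d/rp_filter" ] || continue
        if [ "$(cat "$d/rp_filter")" != "0" ]; then
            echo "rp_filter=$(cat "$d/rp_filter") on $(basename "$d"): KLIPS may not work"
            bad=1
        fi
    done
    return $bad
}

# Write the values recorded by snapshot_rp_filter back, undoing the firewall's one-way change.
restore_rp_filter() {
    snap="$1"
    while read -r iface value; do
        [ -f "$CONF_ROOT/$iface/rp_filter" ] && echo "$value" > "$CONF_ROOT/$iface/rp_filter"
    done < "$snap"
}

# Usage (as root), matching the start/stop sequence described in the thread:
#   snapshot_rp_filter /var/tmp/rp_filter.before
#   /sbin/SuSEfirewall2 start      # sets rp_filter=1 when no ipsec device is up yet
#   check_rp_filter || restore_rp_filter /var/tmp/rp_filter.before
```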
----- Original Message -----
From: "Argentium G. Tiger"
all of us back at our office can directly hit the sourcesafe server at the client's site and develop from there.
If I had much hair left, I'd be pulling it out. :-(
Configs (with secret keys masked, obviously) are available upon request.
Has *ANYONE* gotten FreeS/WAN 1.91 to work with SuSE 7.3, Kernel 2.4.10.SuSE and SuSEFirewall2-2.1 ?