RE: [suse-security] IPsec (FreeS/WAN) and SuSEfirewall2
-----Original Message----- From: Robert Klein [mailto:RoKlein@roklein.de] Sent: Wednesday, July 03, 2002 9:56 PM
On leftgateway's ipsec.conf change the rightnexthopvalue to the internal IP of rightgateway and vice versa.
I don't think that's the way it's supposed to be...
But I solved my problems exactly that way. If anybody has a better solution, please tell me.
To manage to fulfill #2 I also added the following tunnels in ipsec.conf:
-----------------
conn xpfwlsn-xpfwn # Subnet to gateway
conn xpfwl-xpfwnsn # Gateway to subnet
Is it really necessary to add these connections as well? I think FreeS/WAN will be confused because it doesn't know how to differentiate the incoming connection requests. Could you perhaps post the log entries when starting FreeS/WAN?
Yes, it is necessary, for the gateways to reach the opposite subnet.
But the gw (with only one tunnel between the subnets) has its routing table that tells it how to route eg packets to the remote subnet (via ipsec-interface). The packet will arrive there and be passed over to ipsec that decrypts the packet and again passes it over to the internal interface. Isn't it correct that way? Of course gw to gw doesn't work via ipsec that way.
Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00
Why does it arrive on ipsec0, should be eth0. Taking the wrong tunnel?
No. All traffic between the two networks should go through ipsec0. (Or else it wouldn't use frees/wan...)
but not traffic from an IP not belonging to the specified subnets, eg official IPs in that case. IRC only IPs of the two subnets should arrive on ipsecX. Prost, Andreas
On Wednesday, 3 July 2002 22:12, Andreas Marbet wrote:
-----Original Message----- From: Robert Klein [mailto:RoKlein@roklein.de]
On leftgateway's ipsec.conf change the rightnexthopvalue to the internal IP of rightgateway and vice versa.
I don't think that's the way it's supposed to be...
But I solved my problems exactly that way. If anybody has a better solution, please tell me.
From the ipsec.conf(5) manual page:
leftnexthop
    next-hop gateway IP address for the left participant's connection to the public network; defaults to right. If the value is to be overridden by the left=%defaultroute method (see above), an explicit value must not be given. If that method is not being used, but leftnexthop is %defaultroute, and interfaces=%defaultroute is used in the config setup section, the next-hop gateway address of the default-route interface will be used. The magic value %direct signifies a value to be filled in (by automatic keying) with the peer's address.

In other words, freeswan doesn't know _where_ to send the data to. It is determined by either your defaultroute (the destination: 0.0.0.0 entry in the output of "route -n") or by [left|right]nexthop. This parameter is used to set the route entry when a tunnel is set up. (See the output of "route -n" after your tunnels are up.) I don't know what your setup is doing now, but perhaps you should look at the output of "tcpdump -i ipsec?" while doing some stuff via your vpn.
But the gw (with only one tunnel between the subnets) has its routing table that tells it how to route eg packets to the remote subnet (via ipsec-interface). The packet will arrive there and be passed over to ipsec that decrypts the packet and again passes it over to the internal interface. Isn't it correct that way? Of course gw to gw doesn't work via ipsec that way.
Of course the gw has the route, but only _after_ freeswan set it up! This isn't illustrated very well in the freeswan docs, I think (meaning: I probably don't understand it..) but for reaching an opposite gw _and_ its subnet you need two tunnels, one to the _outside_ address of the gw (this is the connection to the gw) and another to the subnet. You can't use the internal address of the gw, to reach it.. (well, there is the exception of your gw accepting traffic for one address on an interface that has another address...)
Why does it arrive on ipsec0, should be eth0. Taking the wrong tunnel?
No. All traffic between the two networks should go through ipsec0. (Or else it wouldn't use frees/wan...)
but not traffic from an IP not belonging to the specified subnets, eg official IPs in that case. IRC only IPs of the two subnets should arrive on ipsecX.
No. He is pinging the subnet from the gw. A tunnel between those two is defined. Thus the traffic ought to go through ipsec0. Robert
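A small checker for the kind of log line quoted in this thread, added here as an illustration and not part of either poster's message: it parses a SuSEfirewall2 DROP line and asks whether the SRC/DST pair that arrived on an ipsecN interface is selected by one of the configured tunnels, which is exactly the point Andreas and Robert disagree on. The conn table is constructed from the conn names in the thread; 192.168.2.0/24 and 193.193.193.100 are made-up addresses.

```python
import ipaddress
import re

# Constructed tunnel definitions modelled on the conn names in the thread.
# Each selector is a CIDR: a leftsubnet/rightsubnet, or a gateway's outside
# address written as /32. 192.168.2.0/24 and 193.193.193.100 are made up.
CONNS = {
    "xpfwlsn-xpfwnsn": ("192.168.1.0/24", "192.168.2.0/24"),      # subnet <-> subnet
    "xpfwlsn-xpfwn":   ("192.168.1.0/24", "194.194.194.200/32"),  # subnet <-> remote gw
    "xpfwl-xpfwnsn":   ("193.193.193.100/32", "192.168.2.0/24"),  # local gw <-> subnet
}

_KV = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_fw_log(line):
    """Return the KEY=value fields of a SuSEfirewall2 kernel log line as a dict."""
    return dict(_KV.findall(line))


def matching_conn(src, dst):
    """Name the conn whose left/right selectors cover src->dst in either
    direction, or None if no configured tunnel explains the pair."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, (left, right) in CONNS.items():
        l, r = ipaddress.ip_network(left), ipaddress.ip_network(right)
        if (s in l and d in r) or (s in r and d in l):
            return name
    return None


def classify(line):
    """Classify one DROP line: 'expected:<conn>' when a tunnel selects the
    pair (so only the firewall rule for ipsecN is missing), 'unexpected' when
    nothing selects it, and 'cleartext' when it did not arrive via IPsec."""
    f = parse_fw_log(line)
    if not f.get("IN", "").startswith("ipsec"):
        return "cleartext"
    conn = matching_conn(f["SRC"], f["DST"])
    return f"expected:{conn}" if conn else "unexpected"
```

The line from the thread classifies as expected under the gateway-to-subnet conn, which is Robert's reading; drop lines on ipsec0 whose source is in no selector are the ones worth investigating.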