had to make minor changes in /etc/init.d/SuSEfirewall2_setup, adding ipsec to the row containing Required-Start:
I have a similar setup, but I never had to tweak the starting script of SuSEfirewall. In my case, ipsec starts after phase 2 of SuSEfirewall.
When I had it like that, the VPN did not always start/work. The only 100% reliable way I could make it work was to force freeswan to start before the firewall.
Btw: do you use FreeS/WAN in the version included with SuSE 8 (1.95) or did you compile it yourself?
I only use SuSE supplied components. It's hard enough without compiling the stuff manually :-)
Then I went into yast2, runlevel editor and made a reset of the runlevels. I am sure this could also be done from the cmdline...
Here again I didn't do any changes except enabling the needed services.
This was only to apply the above change to the script start order, else I would have needed to rename the /etc/init.d/rcX.d/ scripts manually.
The reason I did this was because ipsec has to be loaded before the firewall, otherwise it would not load the rules correctly for the ipsec0 interface.
Do you talk about additional rules or just the built-in ones of SuSEfirewall2?
I have not made any manual rules. I use only the SuSEfirewall2 to make rules.
The following tunnel was set up in /etc/ipsec.conf on both GW's to get this tunnel to work:
    conn xpfwlsn-xpfwnsn
        # Subnet to subnet
        # Left security gateway, subnet behind it, next hop
        left=193.193.193.200
        leftsubnet=192.168.1.0/24
        leftnexthop=193.193.193.193
        # Right security gateway, subnet behind it, next hop
        right=194.194.194.200
        rightsubnet=192.168.3.0/24
        rightnexthop=194.194.194.194
        # To authorize this connection, but not actually
        # uncomment this.
        #auto=add
        auto=start
Try the following:
On the left gateway's ipsec.conf change the rightnexthop value to the internal IP of the right gateway and vice versa.
It's now a few months since I tried it myself, but then I had to set it up that way. Don't know exactly why, but it's worth a try.
I'm not sure I understood you correctly, but I made the following changes on left and right gw in /etc/ipsec.conf:
-----------
    conn xpfwlsn-xpfwnsn
        # Subnet to subnet
        # Left security gateway, subnet behind it, next hop
        left=193.193.193.200
        leftsubnet=192.168.1.0/24
        leftnexthop=192.168.1.200      <------ (also tried 193.193.193.200)
        # Right security gateway, subnet behind it, next hop
        right=194.194.194.200
        rightsubnet=192.168.3.0/24
        rightnexthop=192.168.3.200     <------ (also tried 194.194.194.200)
        # To authorize this connection, but not actually
        # uncomment this.
        #auto=add
        auto=start
-------------
Neither of them worked. No machines were able to reach each other after the changes.
With my setup, I can fulfill all your requirements. 'internal' connections from gw to gw are of course not working by design.
Maybe you could post your ipsec.conf and settings in SuSEfirewall2? Please...
To manage to fulfill #2 I also added the following tunnels in ipsec.conf:
conn xpfwlsn-xpfwn # Subnet to gateway
conn xpfwl-xpfwnsn # Gateway to subnet
Is it really necessary to add these connections as well? I think FreeS/WAN will be confused because it doesn't know how to differentiate the incoming connection requests.
I followed the following instructions when configuring my tunnels. http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/adv_config.html#mul...
Could you perhaps post the log-entries when starting FreeS/WAN?
Jul 3 18:57:25 xpfwl ipsec_setup: Starting FreeS/WAN IPsec 1.95...
Jul 3 18:57:27 xpfwl kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.95
Jul 3 18:57:28 xpfwl ipsec_setup: KLIPS debug `none'
Jul 3 18:57:28 xpfwl ipsec_setup: KLIPS ipsec0 on eth0 193.193.193.200/255.255.255.0 broadcast 193.193.193.255 mtu 1200
Jul 3 18:57:28 xpfwl ipsec__plutorun: Starting Pluto subsystem...
Jul 3 18:57:28 xpfwl Pluto[2310]: Starting Pluto (FreeS/WAN Version 1.95)
Jul 3 18:57:28 xpfwl Pluto[2310]: including X.509 patch (Version 0.9.8)
Jul 3 18:57:28 xpfwl Pluto[2310]: Changing to directory '/etc/ipsec.d/cacerts'
Jul 3 18:57:28 xpfwl Pluto[2310]: Warning: empty directory
Jul 3 18:57:28 xpfwl Pluto[2310]: Changing to directory '/etc/ipsec.d/crls'
Jul 3 18:57:28 xpfwl Pluto[2310]: Warning: empty directory
Jul 3 18:57:28 xpfwl Pluto[2310]: could not open my X.509 cert file '/etc/x509cert.der'
Jul 3 18:57:28 xpfwl Pluto[2310]: OpenPGP certificate file '/etc/pgpcert.pgp' not found
Jul 3 18:57:28 xpfwl ipsec_setup: ...FreeS/WAN IPsec started
Jul 3 18:57:28 xpfwl ipsec_setup: ^M^[[100C^[[10D^[[1;32mdone^[[m^O
Jul 3 18:57:29 xpfwl Pluto[2310]: added connection description "xpfwlsn-xpfwnsn"
Jul 3 18:57:29 xpfwl Pluto[2310]: added connection description "xpfwl-xpfwnsn"
Jul 3 18:57:29 xpfwl Pluto[2310]: added connection description "xpfwlsn-xpfwn"
Jul 3 18:57:29 xpfwl Pluto[2310]: listening for IKE messages
Jul 3 18:57:29 xpfwl Pluto[2310]: adding interface ipsec0/eth0 193.193.193.200
Jul 3 18:57:29 xpfwl Pluto[2310]: loading secrets from "/etc/ipsec.secrets"
Jul 3 18:57:29 xpfwl Pluto[2310]: "xpfwlsn-xpfwnsn" #1: initiating Main Mode
Jul 3 18:57:29 xpfwl Pluto[2310]: "xpfwlsn-xpfwnsn" #1: Peer ID is ID_IPV4_ADDR: '194.194.194.200'
Jul 3 18:57:29 xpfwl Pluto[2310]: "xpfwlsn-xpfwnsn" #1: ISAKMP SA established
Jul 3 18:57:29 xpfwl Pluto[2310]: "xpfwlsn-xpfwnsn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwlsn-xpfwnsn" #2: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl ipsec__plutorun: 104 "xpfwlsn-xpfwnsn" #1: STATE_MAIN_I1: initiate
Jul 3 18:57:30 xpfwl ipsec__plutorun: 106 "xpfwlsn-xpfwnsn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jul 3 18:57:30 xpfwl ipsec__plutorun: 108 "xpfwlsn-xpfwnsn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 3 18:57:30 xpfwl ipsec__plutorun: 004 "xpfwlsn-xpfwnsn" #1: STATE_MAIN_I4: ISAKMP SA established
Jul 3 18:57:30 xpfwl ipsec__plutorun: 112 "xpfwlsn-xpfwnsn" #2: STATE_QUICK_I1: initiate
Jul 3 18:57:30 xpfwl ipsec__plutorun: 004 "xpfwlsn-xpfwnsn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwl-xpfwnsn" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwl-xpfwnsn" #3: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl ipsec__plutorun: 112 "xpfwl-xpfwnsn" #3: STATE_QUICK_I1: initiate
Jul 3 18:57:30 xpfwl ipsec__plutorun: 004 "xpfwl-xpfwnsn" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwlsn-xpfwn" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS
Jul 3 18:57:30 xpfwl Pluto[2310]: "xpfwlsn-xpfwn" #4: sent QI2, IPsec SA established
Jul 3 18:57:30 xpfwl ipsec__plutorun: 112 "xpfwlsn-xpfwn" #4: STATE_QUICK_I1: initiate
Jul 3 18:57:30 xpfwl ipsec__plutorun: 004 "xpfwlsn-xpfwn" #4: STATE_QUICK_I2: sent QI2, IPsec SA established
My /etc/sysconfig/SuSEfirewall2 config (only diffs from /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf):
    FW_DEV_EXT="eth0 ipsec0"
    FW_DEV_INT="eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="eth0"
    FW_MASQ_NETS="0/0"
    FW_PROTECT_FROM_INTERNAL="no"
    FW_AUTOPROTECT_SERVICES="no"
    FW_SERVICES_EXT_TCP="ssh"
    FW_SERVICES_EXT_UDP="500"
    FW_SERVICES_EXT_IP="50"
Don't know if IP-Protocol 51 is needed as well?
Here it says that 51 is only needed if I use packet level authentication. Typical case is to use 50. I added it anyway, but it did not make any difference. http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/firewall.html#filte...
    FW_FORWARD="192.168.1.0/24,192.168.3.0/24 192.168.3.0/24,192.168.1.0/24"
    FW_KERNEL_SECURITY="no"
    FW_STOP_KEEP_ROUTING_STATE="yes"
If I ping a computer on subnet 192.168.1.0/24 from the opposite network GW I get this in /var/log/messages on the receiving GW:
Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00
Why does it arrive on ipsec0? It should be eth0. Taking the wrong tunnel?
I think it is correct for it to arrive on ipsec0 (in the tunnel), and later be delivered to the machine on the subnet using eth1. But for some reason SuSEfirewall2 does not want to deliver. Maybe there is a simple addition I can make to enable the route after the SuSEfirewall2 is loaded?
Hope this helps a bit.
All help is happily accepted.
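An added check, not from either poster, that reads the SuSE-FW-DROP-DEFAULT line from this thread and tests its SRC/DST against the FW_FORWARD pairs from the posted config. It shows that the pinged packet comes from the remote gateway's external address 194.194.194.200, which lies in neither of the two subnet pairs, so the default FORWARD policy drops it; the ",protocol,port" suffixes FW_FORWARD entries may carry are ignored here.

```python
import ipaddress
import re

# Both values are taken from the thread above.
FW_FORWARD = "192.168.1.0/24,192.168.3.0/24 192.168.3.0/24,192.168.1.0/24"
DROP_LINE = ("Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 "
             "SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00")


def parse_fw_forward(value):
    """Turn the FW_FORWARD string into a list of (src_net, dst_net) pairs."""
    pairs = []
    for item in value.split():
        src, dst = item.split(",")[:2]  # optional proto/port suffixes are dropped
        pairs.append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return pairs


def parse_drop_line(line):
    """Extract the key=value fields of a SuSE-FW-DROP-* kernel log entry."""
    m = re.search(r"SuSE-FW-(\S+)\s+(.*)$", line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    fields["RULE"] = m.group(1)
    return fields


def forward_allowed(fields, pairs):
    """True if SRC->DST falls inside one of the FW_FORWARD net pairs."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    return any(src in s and dst in d for s, d in pairs)


def explain(line, fw_forward=FW_FORWARD):
    """One-line verdict for a dropped packet against the FW_FORWARD setting."""
    fields = parse_drop_line(line)
    if fields is None:
        return "not a SuSEfirewall2 drop line"
    if forward_allowed(fields, parse_fw_forward(fw_forward)):
        return "covered by FW_FORWARD; dropped for another reason"
    return (f"{fields['SRC']} -> {fields['DST']} ({fields['IN']} -> {fields['OUT']}) "
            f"matches no FW_FORWARD pair")


if __name__ == "__main__":
    print(explain(DROP_LINE))
```

The same check run on a packet sourced from 192.168.3.x instead of the gateway address reports it as covered, which is the case the two subnet pairs were written for.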