Hi Stefan,
From: Stefan Nilsen [mailto:stefan.nilsen@millnet.se]
Sent: Wednesday, July 03, 2002 3:00 PM
My goals are the following:
#1. Allow the users on the subnets to reach each other
#2. The GW computers should be able to reach the opposite subnet
#3. The GW computers should be able to talk to each other. (Does not *have* to be IPsec, SSH is enough).
I have managed to fulfill #1 together with #3, but not without troubles. I had to make minor changes in /etc/init.d/SuSEfirewall2_setup, adding ipsec to the row containing Required-Start:
I have a similar setup, but I never had to tweak the starting script of SuSEfirewall. In my case, ipsec starts after phase 2 of SuSEfirewall. Btw: do you use FreeS/WAN in the version included with SuSE 8 (1.95) or did you compile it yourself?
Then I went into yast2, runlevel editor and made a reset of the runlevels. I am sure this could also be done from the cmdline...
Here again I didn't do any changes except enabling the needed services.
The reason I did this was because ipsec has to be loaded before the firewall, otherwise it would not load the rules correctly for the ipsec0 interface.
Do you talk about additional rules or just the built-in ones of SuSEfirewall2?
The following tunnel was set up in /etc/ipsec.conf on both GWs to get this tunnel to work:
----------------
conn xpfwlsn-xpfwnsn
    # Subnet to subnet
    # Left security gateway, subnet behind it, next hop
    left=193.193.193.200
    leftsubnet=192.168.1.0/24
    leftnexthop=193.193.193.193
    # Right security gateway, subnet behind it, next hop
    right=194.194.194.200
    rightsubnet=192.168.3.0/24
    rightnexthop=194.194.194.194
    # To authorize this connection, but not actually start it,
    # uncomment this.
    #auto=add
    auto=start
-----------------
Try the following: on leftgateway's ipsec.conf change the rightnexthop value to the internal IP of rightgateway and vice versa. It's now a few months since I tried it myself, but then I had to set it up that way. Don't know exactly why, but it's worth a try. With my setup, I can fulfill all your requirements. 'Internal' connections from gw to gw are of course not working by design.
To manage to fulfill #2 I also added the following tunnels in ipsec.conf:
-----------------
conn xpfwlsn-xpfwn
    # Subnet to gateway

conn xpfwl-xpfwnsn
    # Gateway to subnet
Is it really necessary to add these connections as well? I think FreeS/WAN will be confused because it doesn't know how to differentiate the incoming connection requests. Could you perhaps post the log entries when starting FreeS/WAN?
... but it does not work. I suspect SuSEfirewall2 to be the reason (or more correctly, my configuration of the firewall).
My /etc/sysconfig/SuSEfirewall2 config (only diffs from /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf):
-----------------
FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
Don't know if IP-Protocol 51 is needed as well?
FW_FORWARD="192.168.1.0/24,192.168.3.0/24 192.168.3.0/24,192.168.1.0/24"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
-----------------
If I ping a computer on subnet 192.168.1.0/24 from the opposite network GW I get this in /var/log/messages on the receiving GW:
Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00
Why does it arrive on ipsec0? It should be eth0. Taking the wrong tunnel?

Hope this helps a bit.
Andreas
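An added example, not from the thread: a small Python checker that takes the ipsec.conf conns and the FW_FORWARD setting quoted above, works out which tunnel's selectors cover the SRC/DST of the dropped packet, and whether FW_FORWARD permits that forward. The bodies of the two gateway conns are constructed here, since the post shows only their names.

```python
import ipaddress
import re
# Conn stanzas from the post; the two gateway conns' bodies are constructed here
# (the post shows only their names): a side with no *subnet= line is the gateway itself.
IPSEC_CONF = """
conn xpfwlsn-xpfwnsn
    left=193.193.193.200
    leftsubnet=192.168.1.0/24
    right=194.194.194.200
    rightsubnet=192.168.3.0/24
conn xpfwlsn-xpfwn
    left=193.193.193.200
    leftsubnet=192.168.1.0/24
    right=194.194.194.200
conn xpfwl-xpfwnsn
    left=193.193.193.200
    right=194.194.194.200
    rightsubnet=192.168.3.0/24
"""
FW_FORWARD = "192.168.1.0/24,192.168.3.0/24 192.168.3.0/24,192.168.1.0/24"
LOG_LINE = "Jul 3 14:31:42 xpfwl kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=194.194.194.200 DST=192.168.1.10 LEN=84 TOS=0x00"

def parse_conns(text):
    """Map each conn name to its (left, right) traffic selectors as ip_network objects."""
    raw, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("conn "):
            cur = line.split()[1]
        elif "=" in line and cur is not None:
            key, val = line.split("=", 1)
            raw.setdefault(cur, {})[key] = val
    return {n: (ipaddress.ip_network(kv.get("leftsubnet", kv["left"])),
                ipaddress.ip_network(kv.get("rightsubnet", kv["right"])))
            for n, kv in raw.items()}

def matching_conns(conns, src, dst):
    """Conns whose selectors cover src->dst in either direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [n for n, (l, r) in conns.items() if (s in l and d in r) or (s in r and d in l)]

def forward_allowed(fw_forward, src, dst):
    """True if some FW_FORWARD 'srcnet,dstnet' entry covers src->dst."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    pairs = [p.split(",")[:2] for p in fw_forward.split()]
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in pairs)

def explain_drop(log_line, conns, fw_forward):
    # Which tunnel's selectors carried the dropped packet, and does FW_FORWARD permit it?
    src, dst = re.search(r"SRC=(\S+) DST=(\S+)", log_line).groups()
    return matching_conns(conns, src, dst), forward_allowed(fw_forward, src, dst)
```

For the logged packet this reports the subnet-to-gateway conn and no matching FW_FORWARD pair, since the gateway's external address is in neither listed subnet.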