Mailinglist Archive: opensuse-security (108 mails)
| < Previous | Next > |
SuSEfirewall2 and VPN
- From: "Christian Wittmer" <chris@xxxxxxxxxxxxxxxx>
- Date: Mon, 4 Sep 2006 21:52:02 -0000 (UTC)
- Message-id: <59270.213.146.121.138.1157406722.squirrel@xxxxxxxxxxxxxxxxxxxx>
Hi list-users,
trying to setup SuSEfirewall2 (SuSE 9.3) to work with IPSEC, but with no
success.
tunnel is up, but packets who should go through tunnel did not go through.
Any help would be appreciated.
Here some info about my config:
I'm using DSL with fixed IP.
VARS from SuSEfirewall2:
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1" # eth0 192.168.101.0/24
FW_MASQ_NETS="192.168.101.0/24 172.16.17.0/29 0/0,!192.168.2.0/24"
FW_SERVICES_EXT_UDP="37 53 123 500 873 922 2401 4500"
FW_SERVICES_EXT_IP="esp"
FW_FORWARD="\
172.16.17.0/29,192.168.101.0/24,ICMP \
192.168.101.0/24,172.16.17.0/29,ICMP \
172.16.17.0/29,192.168.101.220,tcp,19226 \
192.168.101.220,172.16.17.0/29,tcp,19226 \
192.168.101.0/24,192.168.2.0/24,,,ipsec \
192.168.2.0/24,192.168.101.0/24,,,ipsec \
192.168.101.0/24,192.168.68.0/24,,,ipsec \
192.168.68.0/24,192.168.101.0/24,,,ipsec"
FW_IPSEC_TRUST="no"
##################
hades:/etc/sysconfig # iptables -L -n -t nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.101.0/24 0.0.0.0/0
MASQUERADE all -- 172.16.17.0/29 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 !192.168.2.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
##################
hades:/etc/sysconfig # setkey -D
xxx.xxx.xxx.188 xxx.xxx.xxx.138
esp mode=tunnel spi=3117414419(0xb9cff813) reqid=16385(0x00004001)
E: 3des-cbc 334fec87 9c497e97 2ee43f9b d70dfe2a 65ae72e0 cb08c64b
A: hmac-md5 177d6696 9e1143ec 102ec467 f2e8d9bf
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Sep 4 18:29:37 2006 current: Sep 4 21:36:02 2006
diff: 11185(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=28506 refcnt=0
xxx.xxx.xxx.138 xxx.xxx.xxx.188
esp mode=tunnel spi=2811047203(0xa78d2d23) reqid=16385(0x00004001)
E: 3des-cbc 47767294 28a98de2 34a641be e1606fcc 16837566
-----------------------------------------
Diese E-Mail wurde durch SquirrelMail versandt
"Webmail for nuts!"
-----------------------------------------
Bereitgestellt fuer Kunden von Scorpio IT
http://www.scorpio-it.net
trying to setup SuSEfirewall2 (SuSE 9.3) to work with IPSEC, but with no
success.
tunnel is up, but packets who should go through tunnel did not go through.
Any help would be appreciated.
Here some info about my config:
I'm using DSL with fixed IP.
VARS from SuSEfirewall2:
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1" # eth0 192.168.101.0/24
FW_MASQ_NETS="192.168.101.0/24 172.16.17.0/29 0/0,!192.168.2.0/24"
FW_SERVICES_EXT_UDP="37 53 123 500 873 922 2401 4500"
FW_SERVICES_EXT_IP="esp"
FW_FORWARD="\
172.16.17.0/29,192.168.101.0/24,ICMP \
192.168.101.0/24,172.16.17.0/29,ICMP \
172.16.17.0/29,192.168.101.220,tcp,19226 \
192.168.101.220,172.16.17.0/29,tcp,19226 \
192.168.101.0/24,192.168.2.0/24,,,ipsec \
192.168.2.0/24,192.168.101.0/24,,,ipsec \
192.168.101.0/24,192.168.68.0/24,,,ipsec \
192.168.68.0/24,192.168.101.0/24,,,ipsec"
FW_IPSEC_TRUST="no"
##################
hades:/etc/sysconfig # iptables -L -n -t nat
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.101.0/24 0.0.0.0/0
MASQUERADE all -- 172.16.17.0/29 0.0.0.0/0
MASQUERADE all -- 0.0.0.0/0 !192.168.2.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
##################
hades:/etc/sysconfig # setkey -D
xxx.xxx.xxx.188 xxx.xxx.xxx.138
esp mode=tunnel spi=3117414419(0xb9cff813) reqid=16385(0x00004001)
E: 3des-cbc 334fec87 9c497e97 2ee43f9b d70dfe2a 65ae72e0 cb08c64b
A: hmac-md5 177d6696 9e1143ec 102ec467 f2e8d9bf
seq=0x00000000 replay=32 flags=0x00000000 state=mature
created: Sep 4 18:29:37 2006 current: Sep 4 21:36:02 2006
diff: 11185(s) hard: 0(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=28506 refcnt=0
xxx.xxx.xxx.138 xxx.xxx.xxx.188
esp mode=tunnel spi=2811047203(0xa78d2d23) reqid=16385(0x00004001)
E: 3des-cbc 47767294 28a98de2 34a641be e1606fcc 16837566
-----------------------------------------
Diese E-Mail wurde durch SquirrelMail versandt
"Webmail for nuts!"
-----------------------------------------
Bereitgestellt fuer Kunden von Scorpio IT
http://www.scorpio-it.net
| < Previous | Next > |