Hi,
after weeks of reading FAQs, guides and everything I found about firewalls
and FreeS/WAN I still have a big problem.
But first I describe what is working and my network setup:
    roadwarrior
    (a.b.c.d)
        |
    internet
        |
    (d.e.f.g, static IP, ext. device, eth1, ipsec0)
    gateway with SuSE 8.2 and FreeS/WAN
    (10.10.11.3, int. device, eth0)
        |
    (10.10.11.0/24, int. network)
    LAN
IPSec connection between roadwarrior and gateway external device works
without any problem.
But no matter what I try, if I try to ping the gateway's internal device
(10.10.11.3) or the internal network I always get
SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT=
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.x
DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3540 PROTO=ICMP TYPE=8
CODE=0 ID=1280 SEQ=256
*SRC=xxx.xxx.xxx.x is the address of my roadwarrior
I did set up the Firewall as described in
/usr/share/doc/packages/SuSEfirewall2/EXAMPLES Scenario4:
FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="10.10.11.0/24"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_FORWARD="a.b.c.d,10.10.11.0/24 10.10.11.0/24,a.b.c.d"
a.b.c.d is the address of my roadwarrior
I left all other options default for testing the IPSec connections.
Even without routing and masquerading I still get the error above, and the
above settings for routing, forwarding and masquerading did not change anything.
I also tried to make a custom updown script to be executed when ipsec0 comes
up, but that didn't change anything either.
If the firewall is disabled I can ping the gateway's internal device
(10.10.11.3) from an external IPSec connection.
With the firewall enabled I can only access the external device of the
gateway - I cannot ping to the internal network.
Any suggestions what I am doing wrong here?
I guess I have to use a custom updown script that allows traffic between the
roadwarrior and the internal network and is executed each time an IPSec
connection comes up.
I tried this script but still had the SuSE-FW-ILLEGAL-TARGET error:
# fragment for the case statement in FreeS/WAN's _updown script;
# pluto exports PLUTO_MY_CLIENT_NET/PLUTO_MY_CLIENT_MASK (our subnet) and
# PLUTO_PEER_CLIENT (the roadwarrior, CIDR form) before calling it
up-client:)
	# insert at the head of FORWARD so the rules precede the firewall's own
	iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -d $PLUTO_PEER_CLIENT -j ACCEPT
	iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -s $PLUTO_PEER_CLIENT -j ACCEPT
	;;
down-client:)
	# remove the same two rules again when the tunnel goes down
	iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -d $PLUTO_PEER_CLIENT -j ACCEPT
	iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -s $PLUTO_PEER_CLIENT -j ACCEPT
	;;
I checked the Pluto variables at execution time of the script, and the IP
addresses represented by those were correct.
I appreciate any suggestions, thanks in advance,
R. Peters
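Editor's added example (not part of the post above and not FreeS/WAN's own code): a complete updown script built around the same PLUTO_* variables. Two points it makes that the fragment in the post does not: the logged packet has IN=ipsec0 and DST=10.10.11.3, i.e. it is addressed to the gateway itself, so the kernel delivers it locally through the INPUT chain and FORWARD rules never see it; and the rules below match on the ipsec0 interface as well as on the addresses, so only packets that actually came out of the tunnel are accepted, whereas address-only rules would also accept cleartext packets with a forged source arriving on eth1. Assumed: pluto runs the script named by leftupdown= with the verb (up-client, down-client, ...) in $1, PLUTO_INTERFACE names the decrypting interface (ipsec0 in the post), and the stock script lives at /usr/lib/ipsec/_updown; the peer address 192.0.2.10 used in the dry run is a constructed placeholder.

```shell
#!/bin/sh
# Added example updown script for FreeS/WAN (not from the post or the project).
# Assumptions: $1 is the pluto verb; PLUTO_INTERFACE, PLUTO_MY_CLIENT_NET,
# PLUTO_MY_CLIENT_MASK and PLUTO_PEER_CLIENT are exported by pluto; the stock
# script path below is assumed.  Point IPTABLES at a shell function to dry-run
# without root.

IPTABLES="${IPTABLES:-iptables}"
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}"

# Emit the four rules for one tunnel.  $1 is -I (insert at the head of the
# chain, ahead of the distribution firewall's LOG/DROP rules) or -D (delete).
pluto_client_rules() {
    op="$1"
    ifc="${PLUTO_INTERFACE:-ipsec0}"                    # decrypting interface
    net="$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK"    # our LAN, e.g. 10.10.11.0/255.255.255.0
    peer="$PLUTO_PEER_CLIENT"                           # roadwarrior, CIDR form

    # LAN hosts behind the gateway: decrypted packets arrive on ipsec0 and are
    # forwarded; replies leave through ipsec0 and get encrypted.
    "$IPTABLES" "$op" FORWARD -i "$ifc" -s "$peer" -d "$net" -j ACCEPT
    "$IPTABLES" "$op" FORWARD -o "$ifc" -s "$net" -d "$peer" -j ACCEPT
    # The gateway's own internal address (10.10.11.3 in the post) is delivered
    # locally: that traffic traverses INPUT and OUTPUT, never FORWARD.
    "$IPTABLES" "$op" INPUT  -i "$ifc" -s "$peer" -d "$net" -j ACCEPT
    "$IPTABLES" "$op" OUTPUT -o "$ifc" -s "$net" -d "$peer" -j ACCEPT
}

# Dispatch on the pluto verb, then hand over to the stock script so routes
# for the peer's client subnet are still set up and torn down as usual.
updown_main() {
    case "$1" in
    up-client)   pluto_client_rules -I ;;
    down-client) pluto_client_rules -D ;;
    esac
    if [ -x "$STOCK_UPDOWN" ]; then
        exec "$STOCK_UPDOWN" "$@"
    fi
}

# Only dispatch when pluto passes a verb, so the file can also be sourced.
if [ $# -gt 0 ]; then
    updown_main "$@"
fi
```

Install it executable and name it with leftupdown= in the roadwarrior conn; after the tunnel comes up, `iptables -L FORWARD -n -v` and `iptables -L INPUT -n -v` should show the four rules at the top of their chains with their packet counters moving while the ping runs.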