Hi!

The problem with the firewall + IPsec is still not solved. To split the setup problems I have tried to configure different test environments:

a) Only 2 IPsec gateways
b) 2 IPsec gateways with the firewall script - no masquerading
c) 2 IPsec gateways with the firewall script with masquerading

Setup a) is working, but with setup b) I already have problems: the tunnel is established, but I still cannot ping the net on the other side. I checked the firewall.log for denied packets but couldn't find any entry.

Also another strange phenomenon: if I boot the machine with the firewall script and afterwards stop the firewall script by hand, the IPsec connection doesn't work either.

What could be the problem with my setup?

Thanks for your help
Wolfgang
-----Original Message-----
From: Tobias Gewinner [mailto:crt@tmt.de]
Sent: Tuesday, 19 June 2001 23:32
To: suse-security@suse.com
Subject: Re: [suse-security] Ipsec + firewall
On Tue, Jun 19, 2001 at 05:55:09PM +0200, Schulz, Wolfgang wrote:
Hi list!
As soon as we start the firewall script (Version 4.1) ipsec doesn't work anymore.
I remember having the same problem in the past. AFAIK the firewalls must accept incoming requests from the outside on port 500/UDP. Also, the firewall doesn't know the net behind its partner, so any input from these IPs to the internal net is denied.
I remember that I set the following ipchains rules (or something like that) manually on both machines:
On firewall A this (may have) looked like
ipchains -I forward -b -s [local net B] -d [local net A] -j ACCEPT
ipchains -I input   -b -s [local net B] -d [local net A] -j ACCEPT
ipchains -I output  -b -s [local net B] -d [local net A] -j ACCEPT
and on firewall B you must swap the networks, of course ;-)
After that it worked fine for me. I think you can set these rules in /etc/rc.config.de/firewall-custom.rc.config
Greetings!
--
-----------------------------------------------------------------
Tobias Gewinner
Fachinformatiker i.A.
TMT InterNETworks GmbH
Maxstrasse 4, D-95444 Bayreuth
Phone: +49921560716-0
Fax: +49921560716-18
-----------------------------------------------------------------