I had some trouble getting this set up, too. I had overlooked FW_MASQ_DEV and used the default, which included all of the external interfaces. You don't want to masq the stuff on ipsec0:

    FW_MASQ_DEV="eth1"

Did the trick for me. I didn't have to mess with _updown, either. But this, of course, I only realized after I did exactly what you've done to _updown. Perhaps it would be good to add a note in the FAQ mentioning not to NAT the ipsec interface.

On Wednesday 29 October 2003 06:43 am, R. Peters wrote:
Hi,
After weeks of reading FAQs, guides and everything I found about firewalls and FreeS/WAN, I still have a big problem.
But first I will describe what is working and my network setup:
    roadwarrior (a.b.c.d)
          |
       internet
          |
    (d.e.f.g, static IP, ext. device, eth1, ipsec0) gateway with SuSE 8.2 and FreeS/WAN (10.10.11.3, int. device, eth0)
          |
    (10.10.11.0/24, int. network) LAN
IPSec connection between roadwarrior and gateway external device works without any problem.
But no matter what I try, if I try to ping the gateway's internal device (10.10.11.3) or the internal network I always get
SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.x DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3540 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=256
*SRC=xxx.xxx.xxx.x is the address of my roadwarrior
I set up the firewall as described in /usr/share/doc/packages/SuSEfirewall2/EXAMPLES Scenario4:
    FW_DEV_EXT="eth1 ipsec0"
    FW_DEV_INT="eth0"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_NETS="10.10.11.0/24"
    FW_SERVICES_EXT_UDP="500"
    FW_SERVICES_EXT_IP="50 51"
    FW_FORWARD="a.b.c.d,10.10.11.0/24 10.10.11.0/24,a.b.c.d"
I had the problem of using NAT and forgetting to take ipsec0 out of FW_MASQ_DEV.
a.b.c.d is the address of my roadwarrior
I left all other options at their defaults for testing the IPSec connections. Even without routing and masquerading I still get the error above, and the above settings for routing, forwarding and masquerading did not change anything.
I also tried to make a custom updown script to be executed when ipsec0 comes up, but that didn't change anything either.
If the firewall is disabled I can ping the gateway's internal device (10.10.11.3) from an external IPSec connection. With the firewall enabled I can only access the external device of the gateway - I cannot ping to the internal network.
Any suggestions as to what I am doing wrong here? I guess I have to use a custom updown script that allows traffic between the roadwarrior and the internal network and is executed each time an IPSec connection comes up.
I tried this script but still had the SuSE-FW-ILLEGAL-TARGET error:
    up-client:)
            iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                    -d $PLUTO_PEER_CLIENT -j ACCEPT
            iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                    -s $PLUTO_PEER_CLIENT -j ACCEPT
            ;;
    down-client:)
            iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                    -d $PLUTO_PEER_CLIENT -j ACCEPT
            iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                    -s $PLUTO_PEER_CLIENT -j ACCEPT
            ;;
I checked the Pluto variables at execution time of the script, and the IP addresses they represented were correct.
I appreciate any suggestions, thanks in advance,
R. Peters
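As an added check (written for this thread, not code from either poster or from SuSEfirewall2), the POSIX sh script below reads a SuSEfirewall2 config and flags any ipsec* interface that would end up in the masquerade set, applying the rule the reply describes: an unset FW_MASQ_DEV falls back to every device in FW_DEV_EXT (assumption: an empty value or the literal "$FW_DEV_EXT" both mean that default). The two sample configs are constructed from the Scenario4 settings quoted in the question and from the FW_MASQ_DEV="eth1" fix in the reply.

```sh
#!/bin/sh
# Print the value of the last assignment of variable $2 in config file $1, without quotes.
cfg_value() {
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1" | tail -n 1
}

# Interfaces SuSEfirewall2 would masquerade on: FW_MASQ_DEV if set, else all of FW_DEV_EXT.
# (Assumption: empty or "$FW_DEV_EXT" means the default described in the reply.)
effective_masq_devs() {
    masq=$(cfg_value "$1" FW_MASQ_DEV)
    if [ -z "$masq" ] || [ "$masq" = '$FW_DEV_EXT' ]; then
        masq=$(cfg_value "$1" FW_DEV_EXT)
    fi
    printf '%s\n' "$masq"
}

# Return 0 if no ipsec* interface is masqueraded, 1 otherwise (naming each offender on stderr).
check_ipsec_masq() {
    rc=0
    for dev in $(effective_masq_devs "$1"); do
        case "$dev" in
            ipsec*) echo "WARNING: $dev would be masqueraded; drop it from FW_MASQ_DEV" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample configs: the question's Scenario4-style setup (default FW_MASQ_DEV) and the fix.
BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp)
trap 'rm -f "$BAD_CFG" "$GOOD_CFG"' EXIT
cat > "$BAD_CFG" <<'EOF'
FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_MASQ_DEV=""
FW_MASQ_NETS="10.10.11.0/24"
EOF
cat > "$GOOD_CFG" <<'EOF'
FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth1"
FW_MASQ_NETS="10.10.11.0/24"
EOF

check_ipsec_masq "$BAD_CFG" || echo "Scenario4 defaults: ipsec0 is masqueraded (flagged as expected)"
check_ipsec_masq "$GOOD_CFG" && echo "FW_MASQ_DEV=\"eth1\": only eth1 is masqueraded (OK)"
```

Run it against /etc/sysconfig/SuSEfirewall2 by passing that path to check_ipsec_masq instead of the constructed files.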