Hi Jonathan,
I am not absolutely sure how to interpret your "A can see B". But it
sounds like "Ping from A to B is answered" or "A can see B's Samba shares"?
In that case your problem seems to me to be on the "linksys" side.
It is standard behaviour of some firewalls to let everything out of
the local network but only authorized things into it.
Some firewalls provide options to filter VPN traffic like that, too.
Can it be that the linksys device has filters which keep the
Linux side from addressing services needed to "see" things behind the
linksys?
It is standard behaviour of NAT routers to translate non-reserved
ports proxy-wise (to the internet only the router's outside interface IP
is visible).
But all services of internal servers have to be translated from local
host IP and port to the router's outside interface IP and port.
Do you really have evidence that your connection "A to B" is going through
the IPsec tunnel?
Other possible problems might be that the Linux router side cannot
resolve names or access directory services on the linksys side.
If you say "B does not see A" - do you mean it does not find it by name
or by IP?
--
Kind Regards
i.A. Carsten Voigt
bios ag (hrb-hh 73193)
brauhausstieg 15-17
d-22041 hamburg
fon +49 40 689 439 0
fax +49 40 689 439 39
cvo@bios.de
www.bios.de
aufsichtsratsvorsitzender: wolfgang borchert
vorstand: ulrich kalthoff, heinrich zwiebelmann
-------- Original Message --------
Subject: [suse-security] VPN and SuSEfirewall2
Date: Thu, 27 Apr 2006 15:36:13 +0930
From: Jonathan Baxter
jbaxter@panscient.com
To: suse-security@suse.com
Please excuse me if this is not the correct forum for VPN and firewall issues
on SuSE.
I am trying to set up an ipsec VPN between two private subnets, and I have run
into a snag that I cannot resolve. The VPN establishes itself fine, and I can
connect from any machine on the right subnet to any machine on the left
subnet, but not vice versa.
Here's the setup:
192.168.1.0/24===a.a.a.a---b.b.b.b...c.c.c.c---d.d.d.d===192.168.200.0/24
"a.a.a.a" is the external interface of a SuSE 10.0 box which masquerades
machines on the internal 192.168.1.0/24 subnet. "b.b.b.b" is its nexthop
router.
"d.d.d.d" is the external interface of my home linksys AG241 DSL router.
"c.c.c.c" is its nexthop router (at the ISP).
I have an ipsec, pre-shared key tunnel from a.a.a.a to d.d.d.d. The SuSE box
is running it with OpenSwan, the linksys router is just set up via the normal
linksys configuration (which may well be OpenSwan under the hood).
Everything works fine from right-to-left, i.e. all machines on the
192.168.200.0 subnet behind the linksys router can see all machines on the
192.168.1.0 subnet behind the SuSE box.
But nothing works from left-to-right; neither the SuSE router box itself nor
any machine on the 192.168.1.0 subnet behind it can see any machine on
the 192.168.200.0 subnet at the other end of the tunnel.
This seems to me like it must be a routing problem, but I can't for the life
of me work out how to fix it.
I am running SuSEfirewall2 on the SuSE router. I have explicitly enabled
forwarding between the two subnets by setting FW_FORWARD
in /etc/sysconfig/SuSEfirewall2:
FW_FORWARD="192.168.1.0/24,192.168.200.0/24,,,ipsec \
192.168.200.0/24,192.168.1.0/24,,,ipsec"
I have explicitly disabled NAT of packets between the two subnets by adding
the following line to the fw_custom_before_port_handling() section
of /etc/sysconfig/scripts/SuSEfirewall2-custom:
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d ! 192.168.200.0/24 -j MASQUERADE
The tunnel config in /etc/ipsec.conf looks like:
conn net-to-net
        # Key exchange method
        authby=secret
        # Left security gateway, subnet behind it, nexthop toward right.
        left=a.a.a.a
        leftsubnet=192.168.1.0/24
        leftnexthop=b.b.b.b
        # Right security gateway, subnet behind it, nexthop toward left.
        right=d.d.d.d
        rightsubnet=192.168.200.0/24
        rightnexthop=c.c.c.c
        auto=start
Any suggestions?
Thanks,
Jonathan Baxter
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
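An added example (not from either poster) that models how iptables evaluates the nat POSTROUTING chain top down, first terminating match deciding, to show why the MASQUERADE exclusion rule from the original post only helps if no earlier rule already masquerades the VPN-bound packets. The blanket masquerade rule, the explicit ACCEPT rule and the host addresses are constructed for illustration, not taken from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    """One nat POSTROUTING rule; every match given must hold for it to fire."""
    target: str                     # terminating target, e.g. MASQUERADE or ACCEPT
    out_if: Optional[str] = None    # -o eth2
    src: Optional[str] = None       # -s 192.168.1.0/24
    dst: Optional[str] = None       # -d 192.168.200.0/24
    dst_negate: bool = False        # the post's "-d ! net": fire only when dst is outside

    def matches(self, src: str, dst: str, out_if: str) -> bool:
        if self.out_if is not None and self.out_if != out_if:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
            if in_dst == self.dst_negate:  # plain rule needs dst inside, negated rule needs it outside
                return False
        return True

def nat_decision(chain, src, dst, out_if="eth2"):
    """Walk the chain in order; the first matching rule's target decides, else no NAT."""
    for rule in chain:
        if rule.matches(src, dst, out_if):
            return rule.target
    return None

# The rule from the post: masquerade everything leaving eth2 except traffic to the far subnet.
EXCLUSION_RULE = NatRule("MASQUERADE", out_if="eth2", src="192.168.1.0/24",
                         dst="192.168.200.0/24", dst_negate=True)
# Constructed: a blanket LAN masquerade rule such as a generic masquerading setup adds.
BLANKET_RULE = NatRule("MASQUERADE", out_if="eth2", src="192.168.1.0/24")
# Constructed: an explicit no-NAT rule for tunnel traffic, placed ahead of everything else.
VPN_PASS_RULE = NatRule("ACCEPT", src="192.168.1.0/24", dst="192.168.200.0/24")

def vpn_bound_is_masqueraded(chain):
    """True if a LAN host talking to the far subnet would still have its source rewritten."""
    return nat_decision(chain, "192.168.1.10", "192.168.200.10") == "MASQUERADE"

if __name__ == "__main__":
    print(vpn_bound_is_masqueraded([EXCLUSION_RULE]))                # False
    print(vpn_bound_is_masqueraded([BLANKET_RULE, EXCLUSION_RULE]))  # True: earlier rule wins
    print(vpn_bound_is_masqueraded([EXCLUSION_RULE, BLANKET_RULE]))  # True: exclusion does not protect
    print(vpn_bound_is_masqueraded([VPN_PASS_RULE, BLANKET_RULE]))   # False
```

The exclusion rule merely declines to masquerade tunnel traffic itself; an explicit ACCEPT for that traffic placed first is what prevents any later rule from rewriting it.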