SuSE Firewall onCD VPN Edition (FreeSWAN) and routing problem
Hello IPSEC professionals,

A lot of people seem to have problems getting IPSEC to work properly. My VPN is working fine as long as the Roadwarrior is in the DMZ, but as soon as I use dialup (T-DSL or ISDN: T-Online / Freenet) I have a problem.

This is the current setup:

LAN: 10.0.0.0/24
  |
eth0=10.0.0.1
SuSE_Firewall on CD VPN edition
eth1=xx.yy.zz.226
  |
DMZ: xx.yy.zz.224/29
  |
DSL Router Cisco 1400: xx.yy.zz.225
DSL: T-Online Interconnect

I have configured the SSH Sentinel on a Roadwarrior (laptop Win2k) and tested the configuration by connecting the laptop to the DMZ (assigning the IP xx.yy.zz.229). This works fine and I can work on our local servers.

As soon as I have the laptop as a mobile client (ISDN T-Online or T/DSL), I can authenticate with the firewall but I can't access any machine in my LAN (not even PING). Turning off all non-essential network adapters (assuming a routing problem on the laptop) has no effect.

What I need now is a hint from someone on how I can trace that problem. Or maybe someone here knows if Telekom blocks ESP packets on their routers.

thanks for your help

Jörn
------------------------------------------------------------
Jörn Ott                   Phone:  (0 22 24) 94 08 - 73
EDV Service & Beratung     Fax:    (0 22 24) 94 08 - 74
Lohfelder Str. 33          E-Mail: mailto:white@ott-service.de
53604 Bad Honnef           WWW:    http://www.ott-service.de/
Does your firewall allow traffic from ipsec to the internal network? Are there dropped packets? tcpdump -i $FW_DEV_EXT and tcpdump -i ipsec0 will show you whether, and what kind of, packets arrive.

Is /proc/sys/net/ipv4/conf/*/rp_filter set to 0?

Check whether the output of the following commands looks reasonable:

route -n
ipsec auto --status

(lots of information: ipsec barf | less)

Bernhard

-----Original Message-----
From: <suse-security@ott-service.de>
To: <suse-security@suse.com>
Sent: Wednesday, 28 August 2002 14:36
Subject: [suse-security] SuSE Firewall onCD VPN Edition (FreeSWAN) and routing problem
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
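As an added example (not from either message in this thread), a small POSIX shell helper that scripts the checks Bernhard suggests: it lists interfaces whose rp_filter is not 0, finds which interface carries the route to the 10.0.0.0 LAN in route -n output, and counts ESP packets in a tcpdump capture. The /proc path and the FW_DEV_EXT variable come from the thread; the function names, the sample routing table and the sample capture are constructed for offline use.

```shell
#!/bin/sh
# Added helper (not from the thread) scripting the checks in the reply:
# per-interface rp_filter, the route towards the protected LAN, and
# whether ESP reaches the external interface. With FreeSWAN/KLIPS the
# decrypted packets surface on ipsec0 while the reverse route points at
# the physical interface, so rp_filter=1 drops them silently, which
# looks like "IKE works, nothing else does". Samples are constructed.
# List interfaces whose rp_filter is not 0. $1 overrides the sysctl
# tree (default: the real /proc path) so the check can run offline.
rp_filter_offenders() {
    base="${1:-/proc/sys/net/ipv4/conf}"
    for f in "$base"/*/rp_filter; do
        [ -r "$f" ] || continue
        if [ "$(cat "$f")" != "0" ]; then
            basename "$(dirname "$f")"
        fi
    done
}
# Read 'route -n' output on stdin; print the interface carrying the
# route whose destination is $1 (no output means no such route).
route_iface_for() {
    awk -v net="$1" 'NR > 2 && $1 == net { print $8 }'
}
# Count ESP (IP protocol 50) packets in tcpdump output on stdin. IKE
# (isakmp, UDP 500) lines with zero ESP suggest a device on the path
# dropping protocol 50 rather than a routing fault on the firewall.
count_esp() {
    grep -c 'ESP(' || true
}
# Constructed samples: a routing table like the one in the thread and
# a capture with two IKE datagrams followed by two ESP packets.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         xx.yy.zz.225    0.0.0.0         UG    0      0        0 eth1'
SAMPLE_CAPTURE='IP 198.51.100.7.500 > 203.0.113.226.500: isakmp: phase 1 I ident
IP 203.0.113.226.500 > 198.51.100.7.500: isakmp: phase 1 R ident
IP 198.51.100.7 > 203.0.113.226: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
IP 198.51.100.7 > 203.0.113.226: ESP(spi=0x0a1b2c3d,seq=0x2), length 132'
if [ "${1:-}" = "live" ]; then   # real checks; tcpdump needs root
    rp_filter_offenders
    route -n | route_iface_for 10.0.0.0
    tcpdump -n -c 20 -i "${FW_DEV_EXT:-eth1}" 2>/dev/null | count_esp
else                              # offline demonstration on the samples
    printf '%s\n' "$SAMPLE_ROUTES" | route_iface_for 10.0.0.0   # eth0
    printf '%s\n' "$SAMPLE_CAPTURE" | count_esp                  # 2
fi
```

Run it with the argument live on the firewall itself to apply the same three functions to the real /proc tree, routing table and external interface.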
participants (2)
- Bernhard Held
- suse-security@ott-service.de