RE: [suse-security] VPN / FreeSWAN / SuSEFirewall2 - Problem
Hi,

It works, but it requires a manually edited ip-down script for ipsec FreeS/WAN - I solved this by putting IPTABLES rules into the customized ip-down script. I am using it not for roadwarriors but for 2 static sites, but it should work for all connections.

In /usr/lib/ipsec is the file _updown. I made a copy as _updown_custom and modified the following part (only the "iptables ..." lines were added):

------------------- cut ----------------------
up-client:)
	# connection to my client subnet coming up
	# If you are doing a custom version, firewall commands go here.
	iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
	iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
	;;
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
	iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
	    -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
	;;
------------------- cut ----------------------

Then it is necessary to modify the config file for ipsec (located in /etc/ipsec.conf) - add the line with leftupdown:

------------------- cut ----------------------
conn %default
	leftupdown=/usr/lib/ipsec/_updown_custom
------------------- cut ----------------------

That's all -> with this solution you will modify the iptables rules for the firewall every time you make the connection.... To start it, nothing else is necessary than restarting ipsec. Of course, if you are using SuSE on both sides, you should set up the other computer too (also only the leftupdown script).

With regards.

Pavel Köhler
Flynet "e-Commerce Systems"
Czech Republic
http://www.flynet.cz
tel.: (+420) 326 902 236
GSM: (+420) 602 366 372
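The up-client/down-client firewall hook described in the reply above, and the SuSEFirewall2 FORWARD problem from the original question, as an added worked example. This is not Pavel's script and not part of FreeS/WAN: it is the firewall part of a custom _updown hook factored into shell functions so the rules can be inspected without root. It assumes only the environment FreeS/WAN's pluto exports to the updown script (PLUTO_VERB, PLUTO_INTERFACE for the ipsec interface such as ipsec0, and the PLUTO_MY_CLIENT_NET/MASK and PLUTO_PEER_CLIENT_NET/MASK pairs); the function names, the dry_run stand-in for iptables and the 192.168.1.0/24 and 192.168.2.0/24 subnets are this example's own. It goes one step beyond the posted snippet in two ways that a reviewer would ask for: the ACCEPT rules are pinned to the ipsec interface with -i/-o, so a cleartext packet arriving on eth0 with a source forged into the peer subnet does not match them, and the hook refuses to run if pluto did not hand it every variable.

```shell
#!/bin/sh
# Added example, not the poster's _updown_custom and not FreeS/WAN code.
# Firewall part of a custom updown hook. pluto exports PLUTO_VERB,
# PLUTO_INTERFACE (the ipsec interface, e.g. ipsec0) and the
# PLUTO_*_CLIENT_NET/MASK variables; everything else is this example's own.

# iptables binary; set IPTABLES=dry_run to print the rules instead of
# applying them (no root needed).
IPTABLES="${IPTABLES:-iptables}"

# Dry-run stand-in for iptables: print the argument list it would receive.
dry_run() {
    printf '%s\n' "$*"
}

# Refuse to touch the firewall if any variable is unset, rather than hand
# iptables a malformed address such as "192.168.1.0/".
require_env() {
    for v in PLUTO_INTERFACE PLUTO_MY_CLIENT_NET PLUTO_MY_CLIENT_MASK \
             PLUTO_PEER_CLIENT_NET PLUTO_PEER_CLIENT_MASK; do
        eval "val=\${$v}"
        if [ -z "$val" ]; then
            echo "_updown: $v is not set, not changing FORWARD rules" >&2
            return 1
        fi
    done
}

# Add or delete the two FORWARD rules for this connection, one per
# direction, both pinned to the ipsec interface (an addition over the
# posted snippet). "add" inserts at position 1 so the rules sit in front
# of SuSEFirewall2's own DROP/LOG rules.
ipsec_fw_rules() {
    case "$1" in
        add) op="-I FORWARD 1" ;;
        del) op="-D FORWARD" ;;
        *)   echo "usage: ipsec_fw_rules add|del" >&2; return 2 ;;
    esac
    require_env || return 1
    my="$PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK"
    peer="$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK"
    rc=0
    # decrypted traffic from the peer subnet enters via the ipsec interface
    $IPTABLES $op -i "$PLUTO_INTERFACE" -s "$peer" -d "$my" -j ACCEPT || rc=1
    # traffic for the peer subnet leaves via the ipsec interface
    $IPTABLES $op -o "$PLUTO_INTERFACE" -s "$my" -d "$peer" -j ACCEPT || rc=1
    return $rc
}

# Dispatch in the same shape as _updown's own case statement: pluto sets
# PLUTO_VERB and passes any extra argument given in leftupdown as $1.
ipsec_fw_hook() {
    case "$PLUTO_VERB:$1" in
        up-client:)   ipsec_fw_rules add ;;
        down-client:) ipsec_fw_rules del ;;
        *)            : ;;   # host/route/prepare verbs: nothing to do here
    esac
}

# Stand-alone demonstration with constructed subnets: print the rules the
# hook would install for a tunnel between 192.168.1.0/24 and 192.168.2.0/24.
# Skipped when the file is installed under the name _updown_custom.
if [ "${0##*/}" != "_updown_custom" ]; then
    ( export IPTABLES=dry_run PLUTO_INTERFACE=ipsec0 PLUTO_VERB=up-client \
             PLUTO_MY_CLIENT_NET=192.168.1.0 PLUTO_MY_CLIENT_MASK=255.255.255.0 \
             PLUTO_PEER_CLIENT_NET=192.168.2.0 PLUTO_PEER_CLIENT_MASK=255.255.255.0
      ipsec_fw_hook )
fi
```

This only replaces the firewall lines; the routing work that the stock _updown does at the same labels stays as it is, so in practice you paste the functions into your _updown_custom copy and call `ipsec_fw_rules add` at `up-client:)` and `ipsec_fw_rules del` at `down-client:)`. The `del` path deliberately tries both rules even if the first `-D` fails, so a stale rule from an earlier tunnel instance is still removed.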
-----Original Message-----
From: Philipp Rusch [mailto:philipp.rusch@rusch-edv.de]
Sent: Thursday, November 07, 2002 12:17 PM
To: suse-security@suse.com
Subject: [suse-security] VPN / FreeSWAN / SuSEFirewall2 - Problem
Hello list,
I don't get my VPN to work through the firewall ... Negotiation of the tunnel is okay, that one gets established, but my question is:
The firewall is blocking packets from ipsec0, no matter what I define in the SuSEFirewall2 rules: either it blocks packets from the roadwarrior's IP address to internal IPs as "unauthorized target", if I define FW_AUTOPROTECT_SERVICES="yes", or it drops those packets, if defined as FW_AUTOPROTECT_SERVICES="no".
Configuration: SuSE 8.0 / Kernel 2.4.18, FreeSWAN 1.98b, new X.509 patches, SuSEFirewall2 with:
NO Masquerading
FW_DEV_EXT="eth0 ipsec0"
FW_ROUTE="yes" ("no" gives same result)
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_AUTOPROTECT_SERVICES="no"
Did I miss something ?
TIA !
Regards from Germany, with kind regards, Philipp Rusch
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here