Problem with IPSec and SuSEfirewall2 SuSE-FW-ILLEGAL-TARGET
Hi,

after weeks of reading FAQs, guides and everything I found about firewalls and FreeS/WAN I still have a big problem. But first I describe what is working and my network setup:

    roadwarrior (a.b.c.d)
          |
       internet
          |
    (d.e.f.g, static ip, ext. device, eth1, ipsec0) gateway with SuSE 8.2 and FreeS/WAN (10.10.11.3, int. device, eth0)
          |
    (10.10.11.0/24, int. network) LAN

The IPSec connection between the roadwarrior and the gateway's external device works without any problem. But no matter what I try, if I try to ping the gateway's internal device (10.10.11.3) or the internal network I always get

    SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.x DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3540 PROTO=ICMP TYPE=8 CODE=0 ID=1280 SEQ=256

*SRC=xxx.xxx.xxx.x is the address of my roadwarrior.

I did set up the firewall as described in /usr/share/doc/packages/SuSEfirewall2/EXAMPLES Scenario4:

    FW_DEV_EXT="eth1 ipsec0"
    FW_DEV_INT="eth0"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_NETS="10.10.11.0/24"
    FW_SERVICES_EXT_UDP="500"
    FW_SERVICES_EXT_IP="50 51"
    FW_FORWARD="a.b.c.d,10.10.11.0/24 10.10.11.0/24,a.b.c.d"

a.b.c.d is the address of my roadwarrior.

I left all other options at their defaults for testing the IPSec connections. Even without routing and masquerading I still get the error above, and the above settings for routing, forwarding and masquerading did not change anything. I also tried to make a custom updown script to be executed when ipsec0 comes up; that didn't change anything either.

If the firewall is disabled I can ping the gateway's internal device (10.10.11.3) from an external IPSec connection. With the firewall enabled I can only access the external device of the gateway - I cannot ping the internal network.

Any suggestions what I am doing wrong here? I guess I have to use a custom updown script that allows traffic between the roadwarrior and the internal network and is executed each time an IPSec connection comes up. I tried this script but still had the SuSE-FW-ILLEGAL-TARGET error:

    up-client:)
        iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT -j ACCEPT
        iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -s $PLUTO_PEER_CLIENT -j ACCEPT
        ;;
    down-client:)
        iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -d $PLUTO_PEER_CLIENT -j ACCEPT
        iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
            -s $PLUTO_PEER_CLIENT -j ACCEPT
        ;;

I checked the Pluto variables at execution time of the script and the IP addresses represented by those were correct.

I appreciate any suggestions, thanks in advance,
R. Peters
I had some trouble getting this set up, too. I had overlooked FW_MASQ_DEV and used the default, which included all of the external interfaces. You don't want to masq the stuff on ipsec0:

    FW_MASQ_DEV="eth1"

did the trick for me. I didn't have to mess with _updown, either. But this, of course, I only realized after I did exactly what you've done to _updown. Perhaps it would be good to add a note in the FAQ mentioning not to NAT the ipsec interface.

On Wednesday 29 October 2003 06:43 am, R. Peters wrote:
> I did set up the Firewall as described in /usr/share/doc/packages/SuSEfirewall2/EXAMPLES Scenario4:
> FW_DEV_EXT="eth1 ipsec0" FW_DEV_INT="eth0" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_NETS="10.10.11.0/24" FW_SERVICES_EXT_UDP="500" FW_SERVICES_EXT_IP="50 51" FW_FORWARD="a.b.c.d,10.10.11.0/24 10.10.11.0/24,a.b.c.d"

I had the problem of using NAT and forgetting to take ipsec0 out of FW_MASQ_DEV.
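The FW_MASQ_DEV point in the reply above, as an added example that is not from the thread: a small POSIX sh check that reads a SuSEfirewall2-style config, works out which devices will be masqueraded (FW_MASQ_DEV if set, otherwise FW_DEV_EXT, as the reply describes the default) and warns when an ipsec interface is among them. The two config texts are constructed for this example; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Flag a SuSEfirewall2 config that
# masquerades the IPSec interface because FW_MASQ_DEV was left unset.

# Constructed config: Scenario4-style, FW_MASQ_DEV missing (the weak setting).
WEAK_CONFIG='
FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="10.10.11.0/24"
'
# Same config with the fix from the reply: masquerade only on eth1.
FIXED_CONFIG="$WEAK_CONFIG"'
FW_MASQ_DEV="eth1"
'

# Read the value of variable $2 out of config text $1 (last assignment wins).
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" | tail -n 1
}

# Effective masquerade devices: FW_MASQ_DEV if set, else all of FW_DEV_EXT
# (the default the reply says it overlooked).
masq_devs() {
    dev=$(cfg_get "$1" FW_MASQ_DEV)
    [ -n "$dev" ] || dev=$(cfg_get "$1" FW_DEV_EXT)
    printf '%s\n' "$dev"
}

# Return 0 when no ipsec* device is masqueraded, 1 when one is.
check_ipsec_masq() {
    [ "$(cfg_get "$1" FW_MASQUERADE)" = "yes" ] || return 0
    for d in $(masq_devs "$1"); do
        case $d in
            ipsec*)
                echo "WARN: $d is masqueraded; set FW_MASQ_DEV to the real external device"
                return 1 ;;
        esac
    done
    return 0
}

check_ipsec_masq "$WEAK_CONFIG"  || echo "weak config: VPN traffic on ipsec0 would be NATed"
check_ipsec_masq "$FIXED_CONFIG" && echo "fixed config: ipsec0 is not masqueraded"
```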
Thanks for the info Benjamin, I couldn't solve the problem till now, so I just dropped SuSEfirewall2 and installed Shorewall instead, which has much clearer documentation on using IPSec with it. Btw, it took me only like 20 min to set up a working configuration with Shorewall, but I'm not sure if this is a real alternative to SuSEfw regarding security. So I might try out SuSEfw again with your suggestion, but I think I'll only do this if I find a good reason not to use Shorewall.

----- Original Message -----
From: "Benjamin P Myers" <dative@sukrahelitek.com>
To: <suse-security@suse.com>
Sent: Monday, November 03, 2003 11:08 AM
Subject: Re: [suse-security] Problem with IPSec and SuSEfirewall2 SuSE-FW-ILLEGAL-TARGET