AGAIN :-) SuSEFirewall2 and FreeSWAN / IPSEC Problems
Hello list,

I don't get my VPN to work through the firewall ... Negotiation of the tunnel is okay, that one gets established, but my problem is:

The firewall is blocking packets from ipsec0, no matter what I define in the SuSEFirewall2 rules: either it blocks packets from the roadwarrior's IP address to internal IPs as "unauthorized target" if I define FW_AUTOPROTECT_SERVICES="yes", or it drops those packets if defined as FW_AUTOPROTECT_SERVICES="no".

Configuration: SuSE 8.0 / Kernel 2.4.18, FreeSWAN 1.98b with the new X.509 patches, SuSEFirewall2 with:
NO MASQuerading at all, I don't want to masq anything
(we have a "real" public IP on the EXTernal interface and private IPs on the INTernal one)
FW_DEV_EXT="eth0 ipsec0"
FW_ROUTE="yes" ("no" gives the same result)
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_AUTOPROTECT_SERVICES="no"

Do I miss something?
TIA!
Regards from Germany, kind regards,
Philipp Rusch

In addition to this I asked in another thread about pptpd / VPN:

Hello Harald and Steffen, some days ago I asked about IPSEC and SuSEFirewall2, so do I understand you correctly that all I should do is to MASQ the internal interface and then FORWARD_MASQ from outside to internal, like in:
FW_FORWARD_MASQ=${FW_FORWARD_MASQ}" 0/0,192.168.xxx.yyy,50"
after modifying the firewall scripts according to Harald's post?

-- SNIP --
Steffen is right. I do it like this with SuSEFirewall:
FW_FORWARD_MASQ=${FW_FORWARD_MASQ}" 0/0,192.168.xxx.yyy,47 "
192.168.xxx.yyy is my MS VPN server. But I have patched the SuSEfirewall2 script: I use the version from SuSE 8.0 and this is at about line 1320:
test "$PROTO" = tcp -o "$PROTO" = udp -o "$PROTO" = 47 || {
    echo "Error: The protocol with FW_MASQ_NETS must be tcp or udp or 47 -> $NETS"
    NET2=""
}
test ! "$PROTO" = 47 -a -z "$PORT1" && {
    echo "Error: Port missing in FW_MASQ_NETS -> $NETS"
    NET2=""
}

You see, I just have allowed 47 for PROTO and say it is now error if $PROTO=47 has no port. (Be careful with the linebreaks, I use kmail!)
Greetings Harald
-- Dr. Harald Wallus netlike-gmbh Am Listholze 78, D-30177 Hannover Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 1-90 Email: wallus@netlike-gmbh.de Internet: http://netlike-gmbh.de
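Added example, written for this thread and not SuSEFirewall2's own code nor anything posted by Harald, Kurt or Philipp: a stand-alone POSIX sh version of the entry check Harald patched, generalized so that the protocol numbers discussed here (47 = GRE for PPTP, 50 = ESP for IPsec) need no port while tcp/udp entries still must carry one. It assumes the entry format "source,target,protocol[,port]" and only prints the iptables FORWARD rule an entry would yield; nothing is executed.

```shell
#!/bin/sh
# Added example, not SuSEFirewall2 code. check_fwd_entry ENTRY prints the
# iptables FORWARD rule the entry would produce and returns 0, or prints an
# error to stderr and returns 1. Assumed format: "source,target,protocol[,port]".
check_fwd_entry() {
    entry=$1
    src=$(echo "$entry" | cut -d, -f1)
    dst=$(echo "$entry" | cut -d, -f2)
    proto=$(echo "$entry" | cut -d, -f3)
    port=$(echo "$entry" | cut -d, -f4)

    if [ -z "$src" ] || [ -z "$dst" ] || [ -z "$proto" ]; then
        echo "Error: need source,target,protocol in FW_FORWARD_MASQ -> $entry" >&2
        return 1
    fi
    case "$proto" in
        tcp|udp)
            # transport protocols: a destination port is mandatory
            if [ -z "$port" ]; then
                echo "Error: Port missing in FW_FORWARD_MASQ -> $entry" >&2
                return 1
            fi
            echo "iptables -A FORWARD -s $src -d $dst -p $proto --dport $port -j ACCEPT"
            ;;
        47|50)
            # GRE and ESP carry no port field, so a port here is a config error
            if [ -n "$port" ]; then
                echo "Error: protocol $proto has no ports -> $entry" >&2
                return 1
            fi
            echo "iptables -A FORWARD -s $src -d $dst -p $proto -j ACCEPT"
            ;;
        *)
            echo "Error: The protocol with FW_FORWARD_MASQ must be tcp, udp, 47 or 50 -> $entry" >&2
            return 1
            ;;
    esac
}

# Constructed sample entries based on the thread (192.168.xxx.yyy kept as on the page)
check_fwd_entry "0/0,192.168.xxx.yyy,50"        # accepted: ESP needs no port
check_fwd_entry "0/0,192.168.xxx.yyy,udp,500"   # accepted: IKE on udp/500
check_fwd_entry "0/0,192.168.xxx.yyy,udp" || echo "rejected as expected"
```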
Hi Harald
-----Original Message-----
From: Philipp Rusch [mailto:philipp.rusch@rusch-edv.de]
Sent: Thursday, 14 November 2002 14:47
To: suse-security@suse.com
Subject: [suse-security] AGAIN :-) SuSEFirewall2 and FreeSWAN / IPSEC Problems
FW_DEV_EXT="eth0 ipsec0" FW_ROUTE="yes" ("no" gives same result)
Additionally you have to define a route from external to the internal network through the fw. Do that with the FW_FORWARD and FW_FORWARD_MASQ statement. As you masquerade nothing, you have to use FW_FORWARD. Or am I wrong?

Cheers
Kurt
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
On Thursday, 14 November 2002 14:47, Philipp Rusch wrote:
Sorry, such a setup I will do in two weeks. Before that I have no time. So my suggestions are only academic. Your setup looks like this:

    Remote local network with 192.168.100.xxx
    |
    |
    Remote ipsec
    |
    |
    Internet
    |
    |
    firewall with ipsec0 and eth0 on external interface
    |   and eth1 with 192.168.200.253
    |
    |
    Intranet with 192.168.200

Now the first question: does the setup run without starting the firewall? I believe it does. Do you have rules to let the intranet in/out to your firewall? I think not, your error message "internal IPs as unauthorized target" looks like it.

Now the problem, if ipsec is directly installed on the firewall: you have to open the firewall on the internal side for all protocols which you want to use through the channel. So this firewall is not very secure. But for special tasks it may be OK.

Although you don't like to do masquerading, it can make sense to start with masquerading: try to configure your firewall to get access from internal to the internet. Another point may be that you must forward the IPs of the remote network, too!

I hope my suggestions help so that somebody with more experience can give advice. I start with freeswan in nearly one week.

Greetings Harald

-- Dr. Harald Wallus netlike-gmbh Am Listholze 78, D-30177 Hannover Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 1-90 Email: wallus@netlike-gmbh.de Internet: http://netlike-gmbh.de