AW: [suse-security] Ipsec + firewall
Hi!

The problem with the firewall + IPsec is still not solved. To split the setup problems I have tried to configure different test environments:

a) Only 2 IPsec gateways
b) 2 IPsec gateways with the firewall script - no masquerading
c) 2 IPsec gateways with the firewall script with masquerading

Setup a) is working, but with setup b) I already have problems: The tunnel is established but I still cannot ping to the net on the other side. I checked the firewall.log for denied packets but couldn't find any entry.

Also another strange phenomenon: If I boot the machine with the firewall script and afterwards stop the firewall script by hand, the ipsec connection doesn't work either.

What could be the problem with my setup?

Thanks for your help
Wolfgang
-----Original Message-----
From: Tobias Gewinner [mailto:crt@tmt.de]
Sent: Tuesday, June 19, 2001 23:32
To: suse-security@suse.com
Subject: Re: [suse-security] Ipsec + firewall
On Tue, Jun 19, 2001 at 05:55:09PM +0200, Schulz, Wolfgang wrote:
Hi list!
As soon as we start the firewall script (Version 4.1) ipsec doesn't work anymore.
I remember having the same problem in the past. AFAIK the firewalls must accept incoming requests from the outside on port 500/UDP. Also the firewall doesn't know the net behind its partner, so any input from these IPs to the internal net is denied.
I remember that I set the following ipchains rules (or something like that) manually on both machines:
On firewall A this (may have) looked like
ipchains -I forward -b -s [local net B] -d [local net A] -j ACCEPT
ipchains -I input -b -s [local net B] -d [local net A] -j ACCEPT
ipchains -I output -b -s [local net B] -d [local net A] -j ACCEPT
and on firewall B you must swap the networks, of course ;-)
After that it worked fine for me. I think you can set these rules in /etc/rc.config.de/firewall-custom.rc.config
Greetings!
--
-----------------------------------------------------------------
Tobias Gewinner
IT specialist (in training)
TMT InterNETworks GmbH
Maxstrasse 4                        Phone: +49921560716-0
D-95444 Bayreuth                    Fax: +49921560716-18
-----------------------------------------------------------------
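One way to produce the rules Tobias describes for both gateways without mixing up the direction of the networks, as an added example that is not from the thread: the function below only echoes the ipchains commands (a dry run for review) for one gateway, covering IKE on UDP/500, the ESP payload (IP protocol 50, which is added here beyond what Tobias listed), and the bidirectional net-to-net accepts in the input, forward and output chains; the two wrappers show the swap between gateway A and B. The addresses 192.0.2.1, 198.51.100.1 and the 10.x networks are made-up sample values.

```shell
# Added example, not code from the thread. Prints the ipchains rules one
# IPsec gateway needs; nothing is installed, so the output can be reviewed
# before it goes into the firewall-custom file.
#   ipsec_rules <this gateway's public IP> <local net> <remote net> <peer public IP>
ipsec_rules() {
    me=$1 local_net=$2 remote_net=$3 peer=$4
    # IKE negotiation: the peer must reach UDP/500 on this gateway and get
    # its replies back (both peers initiate, so both directions are needed).
    echo "ipchains -I input -p udp -s $peer 500 -d $me 500 -j ACCEPT"
    echo "ipchains -I output -p udp -s $me 500 -d $peer 500 -j ACCEPT"
    # ESP (IP protocol 50) carries the encrypted tunnel traffic itself.
    echo "ipchains -I input -p 50 -s $peer -d $me -j ACCEPT"
    echo "ipchains -I output -p 50 -s $me -d $peer -j ACCEPT"
    # Decrypted packets from the remote net must pass all three chains;
    # -b installs the reverse direction (local net -> remote net) as well.
    for chain in input forward output; do
        echo "ipchains -I $chain -b -s $remote_net -d $local_net -j ACCEPT"
    done
}

# Gateway A (sample values). Gateway B gets the same call with the nets
# and public IPs swapped, which is exactly the mirror Tobias mentions.
rules_for_a() { ipsec_rules 192.0.2.1 10.1.0.0/16 10.2.0.0/16 198.51.100.1; }
rules_for_b() { ipsec_rules 198.51.100.1 10.2.0.0/16 10.1.0.0/16 192.0.2.1; }
```

Run `rules_for_a` and `rules_for_b` and diff the two outputs to confirm that only the source and destination arguments are mirrored between the gateways.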
* Schulz, Wolfgang wrote on Fri, Jun 29, 2001 at 11:53 +0200:
The tunnel is established but I still cannot ping to the net on the other side.
From what machine to what net? You said you have only two GWs? Behind are more hosts?
I checked the firewall.log for denied packets but couldn't find any entry.
Are you pretty sure you have a log rule for all denied packets?
If I boot the machine with the firewall script and stop afterwards the firewall script by hand the ipsec connection doesn't work too.
Seems like a firewalling problem, ain't? :) Maybe your firewall turns on rp_filter or similar which may cause trouble with IPSec.
What could be the problem with my setup.
Your IPSec works w/o firewall. When you turned firewall on, nothing works. By that it looks really like a firewalling problem.

You don't see packets in your file. This looks like another firewall problem (syslogd doesn't even write to your file, or a deny/reject rule with logging is missing or whatever).

oki,
Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.