telnet or ssh not working on eth1 when ipsec0 is active on eth0
Hello all,

I watched a strange behaviour on SuSE 8.0, when using a server with two ethernet cards and running FreeSWAN 1.98b (ipsec).

The setup is as follows:
- eth0 is external, with ipsec0 bound to it ("real" IP address)
- eth1 is internal LAN, private address of 192.168.x.y form
- no "special" firewall setup, no NAT
- any traffic is accepted (still testing ...)
- routing is effective (ip_forward = 1)

If I try to telnet to this machine from internal, I get a network timeout, although I see a connection attempt in iptraf on eth1. But I can connect from the ipsec-tunnel from outside to the internal ip-address on telnet port without any problem ... ! (roadwarrior-laptop with dynamic ip)

If I shut down ipsec0, everything from internal works as expected.

Is the traffic from internal routed to ipsec0 and only to that interface?

Any help is appreciated!

Regards from Rosbach/Germany,
Philipp Rusch
* Philipp Rusch wrote on Thu, Dec 19, 2002 at 10:55 +0100:
The setup is as follows: - eth0 is external, with ipsec0 bound to it ("real" IP address)
What tunnel setup?
- eth1 is internal LAN, private address of 192.168.x.y form But I can connect from the ipsec-tunnel from outside to internal ip-address on telnet port without any problem ... ! If I shutdown ipsec0, everything from internal works as expected.
Maybe you tunnel 192.168.x.y completely? In this case the responses aren't sent back to the LAN, but routed through the VPN.
Is the traffic from internal routed to ipsec0 and only to that interface ?
The routing is done by destination address; when this is on the other end of a tunnel, IPSec is used.

oki,
Steffen

--
This message was generated by machine; it therefore bears neither signature nor seal.
Hi Steffen,

I see some light now... But my setup is like that:

192.168.1.x (LAN)
 |
 | eth1
 |
VPN-Gateway
 |
 | eth0/ipsec0
 |
80.146.y.z (external Segment)
 |
Internet
 |
dyn-ip (dial-up connection)
 |
Laptop ("Roadwarrior")

The Laptop-Users tunnel to the 192.168.1.x-LAN, so the ipsec.conf is defined for the whole segment. I don't see a reason for a telnet-connection that is initiated from inside to the internal interface of the vpn-gateway to be routed through the tunnel as a response to that connection attempt.

Still helpless...

Regards,
Philipp

Steffen Dettmer wrote:
* Philipp Rusch wrote on Thu, Dec 19, 2002 at 10:55 +0100:
The setup is as follows: - eth0 is external, with ipsec0 bound to it ("real" IP address)
What tunnel setup?
- eth1 is internal LAN, private address of 192.168.x.y form But I can connect from the ipsec-tunnel from outside to internal ip-address on telnet port without any problem ... ! If I shutdown ipsec0, everything from internal works as expected.
Maybe you tunnel 192.168.x.y completely? In this case the responses aren't sent back to the LAN, but routed through the VPN.
Is the traffic from internal routed to ipsec0 and only to that interface ?
The routing is done by destination address; when this is on the other end of a tunnel, IPSec is used.
oki,
Steffen
--
This message was generated by machine; it therefore bears neither signature nor seal.
I don't see a reason for a telnet-connection that is initiated from inside to the internal interface of the vpn-gateway to be routed through the tunnel as a response to that connection attempt.

Does your telnet connection work if you shut down ipsec?
Bernhard
YES, immediately.

Philipp

Bernhard Held wrote:
I don't see a reason for a telnet-connection that is initiated from inside to the internal interface of the vpn-gateway to be routed through the tunnel as a response to that connection attempt.

Does your telnet connection work if you shut down ipsec?
Bernhard
On Thu, 19 Dec 2002, Philipp Rusch wrote:
YES, immediately.
Philipp
Bernhard Held wrote:
I don't see a reason for a telnet-connection that is initiated from inside to the internal interface of the vpn-gateway to be routed through the tunnel as a response to that connection attempt.

Does your telnet connection work if you shut down ipsec?
Bernhard
Can you please check or post your iptables -n -L on the VPN gateway, with and without running ipsec. Probably your ip-up.local re-configures the packetfilter.

Achim
Can you please check or post your iptables -n -L on the VPN gateway, with and without running ipsec. Probably your ip-up.local re-configures the packetfilter.
From the X.509 changelog:
Version 0.9.16
--------------
- Fixed a bug in the _updown.x509 script that uses iptables to set up dynamical firewall rules supporting port and protocol based filtering.

Bernhard
Hi Philipp! On Thu, 19 Dec 2002, Philipp Rusch wrote:
YES, immediately.
Philipp
Bernhard Held wrote:
I don't see a reason for a telnet-connection that is initiated from inside to the internal interface of the vpn-gateway to be routed through the tunnel as a response to that connection attempt.

Does your telnet connection work if you shut down ipsec?
Bernhard
It would be easier to help if you sent your routing setup. "ip r ls" would be fine. (If you don't have iproute2, use "route -n".) Please do it with and without the ipsec tunnel active.

Ciao,
Roland

+---------------------------+-------------------------+
| TU Muenchen               |                         |
| Physik-Department E18     | Room 3558               |
| James-Franck-Str.         | Phone 089/289-12592     |
| 85747 Garching            |                         |
+---------------------------+-------------------------+
"If you think NT is the answer, you didn't understand the question." - Paul Stephens
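Steffen's point that routing is decided by destination address, and Roland's request for "ip r ls" output with and without the tunnel, can be checked mechanically. The following is an added example, not code from this thread or from FreeSWAN: it parses two constructed "ip r ls" tables and reports which destinations change egress interface once a route for the LAN prefix exists on ipsec0. The tables, the 198.51.100.0/24 external segment and the simplified tie-break order are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    net: ipaddress.IPv4Network
    dev: str
    metric: int
    order: int  # position in the table, used as the last tie-breaker

def parse_routes(table: str) -> List[Route]:
    """Parse `ip r ls` lines: '<prefix>|default ... dev <if> [metric N]'."""
    routes = []
    for order, line in enumerate(l for l in table.splitlines() if l.strip()):
        tok = line.split()
        prefix = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        dev = tok[tok.index("dev") + 1]
        metric = int(tok[tok.index("metric") + 1]) if "metric" in tok else 0
        routes.append(Route(ipaddress.ip_network(prefix, strict=False), dev, metric, order))
    return routes

def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Egress interface for dst: longest prefix wins, then lowest metric,
    then the route listed first (a simplified model of the kernel lookup)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.net]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.net.prefixlen, r.metric, r.order)).dev

def changed_egress(before: str, after: str, dsts: List[str]) -> dict:
    """Destinations whose egress interface differs between the two tables."""
    rb, ra = parse_routes(before), parse_routes(after)
    return {d: (lookup(rb, d), lookup(ra, d))
            for d in dsts if lookup(rb, d) != lookup(ra, d)}

# Constructed sample tables, not taken from the thread; 198.51.100.0/24
# stands in for the gateway's real external segment.
WITHOUT_TUNNEL = """\
198.51.100.0/24 dev eth0 proto kernel scope link src 198.51.100.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
default via 198.51.100.1 dev eth0
"""
# The same table with a route for the LAN prefix on ipsec0, the situation
# Steffen suspects when the whole 192.168.x.y range is tunnelled.
WITH_TUNNEL = "192.168.1.0/24 dev ipsec0 scope link\n" + WITHOUT_TUNNEL

if __name__ == "__main__":
    # A LAN host's replies would leave via ipsec0 once the tunnel is up.
    print(changed_egress(WITHOUT_TUNNEL, WITH_TUNNEL, ["192.168.1.50", "198.51.100.1"]))
```

Feeding the two real tables into changed_egress shows at once whether the gateway's replies to LAN hosts are being steered into the tunnel, which is the symptom the thread describes.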