Problems with VPN and SuSEfirewall2
I have spent some time head banging on this one with no answer; I would sure appreciate some help.

==================
General Setup:

Suse version is 8.2.
Ipsec is used to connect two networks, office (10.1.x.x) and home (192.168.x.x).
Ipsec works fine without the firewall running.
10.1.x.x, the office network, is behind the SuSEfirewall2.
The external ipsecced home network is 192.168.x.x.
The internal ethernet interface is eth1.
The external internet interface and ipsec is eth0.
The external ipaddress for the firewall machine is 208.171.49.111.

=======================
Problem:

An internal office client machine, 10.1.1.55, is able to successfully ping 192.168.204.72, a client machine on the home ipsecced network, so all seems well there. However, an internal home network machine cannot ping an internal 10.1.x.x address.

The /var/log/warn file shows the following:

Jun 20 09:22:22 stpeter kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=192.168.204.72 DST=10.1.1.55 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=7868 DF PROTO=ICMP TYPE=8 CODE=0 ID=54372 SEQ=69

============================
Configuration:

I followed the suggested configuration in the examples (the only difference I could see between my setup and Scenario 4 was that my internal and external networks (192- and 10-) were reversed). I also added ssh and allowed the internal network full access.
The following is my SuSEfirewall2 configuration:

FW_QUICKMODE="no"
FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="10.1.0.0/16"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="10.0.0.0/16,192.168.0.0/16 192.168.0.0/16,10.0.0.0/16"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""

=====================================
Any suggestions would be very welcome!

Regards,
John Lederer
Hi John,

On Friday 20 June 2003 17:28, John Lederer wrote:

> Jun 20 09:22:22 stpeter kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=192.168.204.72 DST=10.1.1.55 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=7868 DF PROTO=ICMP TYPE=8 CODE=0 ID=54372 SEQ=69

You have to add an iptables rule in /etc/sysconfig/scripts/SuSEfirewall2.custom (in the before_spoofing section) and enable the custom script in /etc/sysconfig/SuSEfirewall2 (I think it's 26), because otherwise SuSEfirewall thinks this is an attack by someone spoofing internal addresses...

Cheers,
Arndt

--
Arndt Faulhaber
mailto:arndt.faulhaber@diagnosdata.com
gpg-pubkey: http://www.rzuser.uni-heidelberg.de/~afaulhab/arndt.asc
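An added example, not code from either poster: a hook for the custom-rules file the reply points at, written as a plain sh script, together with a small helper that checks a SuSE-FW log line for the pattern in the drop quoted above (IN=ipsec0, OUT=eth1) so you can confirm a given DROP-DEFAULT is really the tunnel-to-LAN case before opening it. It assumes SuSEfirewall2 sources the file and calls a function named fw_custom_before_antispoofing (the hook name used in the SuSEfirewall2-custom template; check the template shipped with your version) and that FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 is set to the script's path (it is empty in the posted configuration). Interface and network names are the ones from the thread; IPTABLES can be set to echo to print the rules instead of installing them. One check worth doing alongside: the posted FW_FORWARD pair uses 10.0.0.0/16, which does not contain the 10.1.x.x office addresses the dropped packet is heading for.

```shell
#!/bin/sh
# Added example (not from the thread): a SuSEfirewall2 custom-rule hook that
# opens the tunnel-to-LAN path reported by the DROP-DEFAULT line, plus a helper
# that reads such a log line to confirm the drop is really that path.
# Assumptions: SuSEfirewall2 sources this file and calls a function named
# fw_custom_before_antispoofing (hook name from the SuSEfirewall2-custom
# template; adjust if your version differs); interface and network names are
# the ones posted in the thread. IPTABLES can be overridden (IPTABLES=echo)
# to print the rules instead of installing them.

IPTABLES="${IPTABLES:-iptables}"

VPN_DEV="ipsec0"           # decapsulated IPsec traffic arrives here
INT_DEV="eth1"             # office LAN
HOME_NET="192.168.0.0/16"  # far side of the tunnel
OFFICE_NET="10.1.0.0/16"   # near side; 10.1/16, not the posted 10.0/16

# Print the value of one FIELD=value token (IN, OUT, SRC, DST, ...) from a
# netfilter log line. The leading blank keeps "IN=" from matching inside
# another token.
log_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Succeed only for a SuSE-FW-DROP-DEFAULT line that describes forwarded
# traffic entering on the IPsec device and leaving towards the office LAN:
# the combination the anti-spoofing rules drop unless a custom rule runs first.
is_vpn_to_lan_drop() {
    case "$1" in
        *SuSE-FW-DROP-DEFAULT*) ;;
        *) return 1 ;;
    esac
    [ "$(log_field IN "$1")" = "$VPN_DEV" ] || return 1
    [ "$(log_field OUT "$1")" = "$INT_DEV" ] || return 1
    return 0
}

# Hook run by SuSEfirewall2 before its anti-spoofing rules are built.
# Rules are inserted at the top of FORWARD so they precede the later
# spoof-protection DROPs, and are restricted to the exact interface pair and
# networks, so a packet on eth0 forging a 192.168 source is still dropped.
fw_custom_before_antispoofing() {
    $IPTABLES -I FORWARD -i "$VPN_DEV" -o "$INT_DEV" \
        -s "$HOME_NET" -d "$OFFICE_NET" -j ACCEPT
    $IPTABLES -I FORWARD -i "$INT_DEV" -o "$VPN_DEV" \
        -s "$OFFICE_NET" -d "$HOME_NET" -j ACCEPT
    true
}

# Stand-alone use: sh SuSEfirewall2-custom --dry-run   (prints the two rules)
if [ "${1:-}" = "--dry-run" ]; then
    IPTABLES=echo
    fw_custom_before_antispoofing
fi
```

The rules are deliberately narrow: only traffic that was decapsulated on ipsec0 (so it passed ESP/AH for an established SA) and is bound for eth1 is accepted ahead of the spoof check. Opening 192.168.0.0/16 on every FW_DEV_EXT device would re-admit exactly the spoofed private-source packets the default rule is there to stop.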