Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
Nadeem Hasan writes:
I have since been successful in getting the setup running with SuSEFirewall2, FreeS/WAN and SSH Sentinel using X.509 certificates. I am currently in the process of writing this whole thing into a nice document. Wait for a couple of days :)
Many thanks... I'm looking forward to seeing how you got it working. I need to keep looking at any and all options, because this _has_ to be working by Monday morning. Failure means I'm holding up an entire office from moving from one location to another, and that's the holdup I'd really rather not continue to be the cause of.

So, further to that need, here's a bit more information given what I've learned since yesterday (and many thanks to participants in this mailing list; the fact that people are offering suggestions is _very_ much appreciated. I don't feel quite so alone trying to tackle this giant.)

I've set up SSH (SSH-1.9.9-OpenSSH_2.9.9p2) with public keys such that the machines can log into each other without any trouble. I used ipsec rsakeysig to generate keys sufficient for my security needs, and I've set up my ipsec.conf and ipsec.secrets files accordingly.

On the side where the firewall is actually active, I'm getting the error that I documented last message:

ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)

I'm assuming this problem will dog me on both sides when I activate the firewall/IPSEC machine on the inside of the CiscoPIX firewall on the 10.100.0.0/24 network.

And now to Markus' message:
You must disable IP spoofing protection for ipsec to work properly.
Something like that should do the job:

echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
But where does that go, and when should they be executed?

I tried putting those in the /etc/rc.config.d/firewall2-custom.rc.config file in the fw_custom_before_denyall() section at the end, and enabling the customized command script in /etc/rc.config.d/firewall2.rc.config in section 25:

FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

With IPSEC not running, I activated the Firewall final portion:

/etc/init.d/SuSEfirewall2_final start

I get this error message:

/sbin/SuSEfirewall2: /proc/sys/net/ipv4/conf/ipsec0/rp_filter: No such file or directory

Okay... So ipsec0 doesn't exist without ipsec loaded. That makes sense. So I reactivate ipsec:

/etc/init.d/ipsec start

It comes back with:

ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work.
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup:

Okay, we're down to one error... Do I need to re-run the firewall final portion of the script *again*? From my perception, I have a chicken and the egg problem here. :-( Which comes first?

Argentium
"Argentium G. Tiger" wrote:
On the side where the firewall is actually active, I'm getting the error that I documented last message:
ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
And now to Markus' message:
You must disable IP spoofing protection for ipsec to work properly.
Something like that should do the job:

echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
Just make sure you have added "ipsec0" to the FW_DEV_EXT variable in the /etc/rc.config.d/firewall2.rc.config. This will make sure that rp_filter is not turned on for any interface.

Cheers,
--
Nadeem Hasan
nhasan@nadmm.com
http://www.nadmm.com/
Nadeem Hasan wrote:
Just make sure you have added "ipsec0" to the FW_DEV_EXT variable in the /etc/rc.config.d/firewall2.rc.config. This will make sure that rp_filter is not turned on for any interface.
Please also note that to see any effect of the above, you need to reboot or manually turn off rp_filter for all the interfaces. This is because when you started the firewall without ipsec0 listed, it turned on rp_filter on all the interfaces. With ipsec0 present, the script does not change the rp_filter flag. It retains its previous value, which is "1" as set by SuSEfirewall2 the first time.

Cheers,
--
Nadeem Hasan
nhasan@nadmm.com
http://www.nadmm.com/
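A small helper for the ordering problem discussed in this thread, as an added example that is not part of any message in it: it switches rp_filter off only on interfaces whose /proc entry exists (so a not-yet-loaded ipsec0 is reported instead of aborting the script with "No such file or directory") and then lists the state of every interface, which is the manual check Nadeem describes. CONF_DIR is an assumed override so the script can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the thread). Disables rp_filter on the named
# interfaces, tolerating ones that are not present yet (e.g. ipsec0 before
# "ipsec start"), then reports the state of every interface so the result
# can be verified after both the firewall and ipsec have been started.
# CONF_DIR is an assumption: the real sysctl tree by default, overridable
# to point at a scratch directory for testing.
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"

# Returns 0 if rp_filter on the interface is off (or was just switched off),
# 1 if the interface has no rp_filter knob yet, 2 if the write failed.
disable_rp_filter() {
    iface="$1"
    knob="$CONF_DIR/$iface/rp_filter"
    if [ ! -f "$knob" ]; then
        echo "disable_rp_filter: $iface not present yet, skipping" >&2
        return 1
    fi
    if [ "$(cat "$knob")" = "0" ]; then
        return 0
    fi
    echo 0 > "$knob" || return 2
    # Re-read the knob so the exit status reflects the kernel's view.
    [ "$(cat "$knob")" = "0" ]
}

# Print "<iface> rp_filter=<value>" for every interface under CONF_DIR.
report_rp_filter() {
    for knob in "$CONF_DIR"/*/rp_filter; do
        [ -f "$knob" ] || continue
        iface=$(basename "$(dirname "$knob")")
        echo "$iface rp_filter=$(cat "$knob")"
    done
}

# Usage: ./rp_filter.sh run eth0 ipsec0
# Run it once after the firewall script and again after "ipsec start".
if [ "${1:-}" = "run" ]; then
    shift
    for iface in "$@"; do
        disable_rp_filter "$iface" || true
    done
    report_rp_filter
fi
```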
Nadeem Hasan writes:
Please also note that to see any effect of above, you need to reboot or manually turn off rp_filter for all the interfaces.
Good advice, thanks Nadeem. I take it I can have multiple external interfaces listed in the firewall control file? (Just double-checking...) :-) Argentium
"Argentium G. Tiger" wrote:
Nadeem Hasan writes:
Please also note that to see any effect of above, you need to reboot or manually turn off rp_filter for all the interfaces.
Good advice, thanks Nadeem.
Welcome.
I take it I can have multiple external interfaces listed in the firewall control file? (Just double-checking...) :-)
Yes... separate them with a space.

--
Nadeem Hasan
nhasan@nadmm.com
http://www.nadmm.com/