Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
Nadeem Hasan <nhasan@nadmm.com> writes (back in December 2001):
I am interested to know if anyone here has tried to build a VPN setup using SuSEFirewall2 and FreeS/WAN in tunnel mode (host to subnet). I have been looking to do this but have not been able to find any info about SuSEFirewall2 config changes for this.
I'm in the middle of this with SuSE 7.3 which we installed on two machines, both of which are to run the very latest SuSEfirewall2 from Mark Heuse's page at http://www.suse.de/~marc
I'm using SuSE's 2.4.10 kernel (stock, no changes, pentium optimized). I'm using freeswan from the same 7.3 install (which is an rsync Mirror of the 7.3 FTP directory at gatech).
Without the firewall enabled, it looks as if freeswan (ipsec) starts correctly. WITH the firewall enabled, here's what we get as an error message:
ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
ipsec_setup:
This is, frankly, maddening. I need to get this VPN working between two office sites. The first is our office and I'm intending FreeS/WAN to run on the firewall in conjunction with SuSEfirewall2. This machine masquerades to our internal network of 192.168.1.0/24 on the internal leg on eth1. This works fine.
The other end is inside of a client's internal network. Through a CISCO PIX firewall, they've locked an external real-ip to the machine's internal IP of 10.100.0.26, and opened up port 22 TCP for me to ssh into the machine from the outside world. This works wonderfully. There is only one ethernet card in here.
The goal is to be able to use the machine at the client site to talk to a Microsoft sourcesafe server at an internal address of 10.100.0.17, such that all of us back at our office can directly hit the sourcesafe server at the client's site and develop from there.
If I had much hair left, I'd be pulling it out. :-(
Configs (with secret keys masked obviously) and configs are available upon request.
Has *ANYONE* gotten FreeS/WAN 1.91 to work with SuSE 7.3, Kernel 2.4.10.SuSE and SuSEFirewall2-2.1 ?
With much hope that someone has, Argentium
Thanks.
cheers, -- Nadeem Hasan nhasan@nadmm.com http://www.nadmm.com/
Hi, I have since been successful in getting the setup running with SuSEFirewall2, FreeS/WAN and SSH Sentinel using X.509 certificates. I am currently in the process of writing this whole thing into a nice document. Wait for a couple of days :) "Argentium G. Tiger" wrote:
Nadeem Hasan <nhasan@nadmm.com> writes (back in December 2001):
I am interested to know if anyone here has tried to build a VPN setup using SuSEFirewall2 and FreeS/WAN in tunnel mode (host to subnet). I have been looking to do this but have not been able to find any info about SuSEFirewall2 config changes for this.
I'm in the middle of this with SuSE 7.3 which we installed on two machines, both of which are to run the very latest SuSEfirewall2 from Mark Heuse's page at http://www.suse.de/~marc
I'm using SuSE's 2.4.10 kernel (stock, no changes, pentium optimized). I'm using freeswan from the same 7.3 install (which is an rsync Mirror of the 7.3 FTP directory at gatech).
Without the firewall enabled, it looks as if freeswan (ipsec) starts correctly. WITH the firewall enabled, here's what we get as an error message:
ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
ipsec_setup:
This is, frankly, maddening. I need to get this VPN working between two office sites. The first is our office and I'm intending FreeS/WAN to run on the firewall in conjunction with SuSEfirewall2. This machine masquerades to our internal network of 192.168.1.0/24 on the internal leg on eth1. This works fine.
The other end is inside of a client's internal network. Through a CISCO PIX firewall, they've locked an external real-ip to the machine's internal IP of 10.100.0.26, and opened up port 22 TCP for me to ssh into the machine from the outside world. This works wonderfully. There is only one ethernet card in here.
The goal is to be able to use the machine at the client site to talk to a Microsoft sourcesafe server at an internal address of 10.100.0.17, such that all of us back at our office can directly hit the sourcesafe server at the client's site and develop from there.
If I had much hair left, I'd be pulling it out. :-(
Configs (with secret keys masked obviously) and configs are available upon request.
Has *ANYONE* gotten FreeS/WAN 1.91 to work with SuSE 7.3, Kernel 2.4.10.SuSE and SuSEFirewall2-2.1 ?
With much hope that someone has, Argentium
-- Nadeem Hasan nhasan@nadmm.com http://www.nadmm.com/
Hi,
ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
You must disable IP spoofing protection for ipsec to work properly. Something like that should do the job:
echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
Bye Markus
* Markus Koellner wrote on Fri, Jan 18, 2002 at 00:52 +0100:
Without the firewall enabled, it looks as if freeswan (ipsec) starts correctly. WITH the firewall enabled, here's what we get as an error message:
I would call it warning message.
ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
You must disable IP spoofing protection for ipsec to work properly.
Could you explain "must"? Under what circumstances is this necessary? I have working VPN GWs with enabled rp_filter.
oki, Steffen
-- This letter was generated by machine and therefore bears neither signature nor seal.
You must disable IP spoofing protection for ipsec to work properly.
Could you explain "must"? Under what circumstances is this necessary? I have working VPN GWs with enabled rp_filter.
It *can* cause problems and maybe for you it is none but there is a risk.
217.13.4.32 0.0.0.0 255.255.255.0 U 0 0 0 eth1
217.13.4.32 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
rp_filter authorizes the first route it can find which is on the eth1 interface in this example. But what about changing the sequence by bringing eth1 down and up again? This causes trouble for rp_filter.
Bye Markus
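Markus's two routing-table lines, the same prefix on eth1 and on ipsec0, are exactly the case strict reverse-path filtering cannot handle: the 2.4 kernel accepts a packet only if the route back to its source leaves through the interface the packet arrived on, and with two routes to one prefix the lookup returns whichever comes first, so packets arriving on the other interface are silently dropped. The following is an added example and not code from the thread: a POSIX sh function with an awk helper that reads `route -n` output and lists every destination/genmask pair reachable through more than one interface. The sample table is constructed from the two lines Markus quoted plus a LAN route and a default route; the column layout it assumes (Destination Gateway Genmask Flags Metric Ref Use Iface) is that of `route -n`.

```shell
#!/bin/sh
# Added example, not from the thread: find routing-table prefixes that are
# reachable through more than one interface, which is the condition under
# which strict rp_filter can drop legitimate packets arriving on the "other"
# interface (here: a subnet present on both eth1 and ipsec0).

# Constructed sample in `route -n` layout, modelled on the two lines Markus
# quoted plus a LAN route and a default route. Assumed column order:
# Destination Gateway Genmask Flags Metric Ref Use Iface.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
217.13.4.32     0.0.0.0         255.255.255.0   U     0      0        0 eth1
217.13.4.32     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         217.13.4.1      0.0.0.0         UG    0      0        0 eth1'

# ambiguous_routes: read `route -n` output on stdin and print one line per
# destination/genmask pair that appears on more than one interface:
#   <destination>/<genmask> <iface1>,<iface2>,...
ambiguous_routes() {
    awk '
        $1 == "Kernel" || $1 == "Destination" { next }   # header lines
        NF >= 8 {
            key = $1 "/" $3
            if (key in seen) {
                seen[key] = seen[key] "," $8
                count[key]++
            } else {
                order[++n] = key
                seen[key] = $8
                count[key] = 1
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i], seen[order[i]]
        }'
}

# ambiguous_route_count: number of such prefixes, for a pre-flight check before
# leaving rp_filter enabled (0 means rp_filter cannot be confused this way).
ambiguous_route_count() {
    ambiguous_routes | wc -l | tr -d ' '
}

# Run on the constructed table; on a real gateway use: route -n | ambiguous_routes
printf '%s\n' "$SAMPLE_ROUTES" | ambiguous_routes
```

On a gateway, `route -n | ambiguous_routes` before deciding whether rp_filter can stay on: an empty result means every reverse-path lookup is unambiguous and the failure Markus describes does not apply, which is consistent with Steffen's VPN gateways working with rp_filter enabled; a non-empty result means rp_filter has to be cleared on the interfaces involved, with anti-spoofing then enforced by explicit firewall rules on those interfaces instead. Kernels from 2.6.31 onward add rp_filter=2, a loose mode that accepts a packet as long as any route to its source exists, which avoids this failure without giving up the check entirely; the 2.4 kernel in this thread only has the strict mode.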
Hi,
what about the kernel parameter rp_filter?! There is a dir for each network device in /proc/sys/net/ipv4/conf/! And for IPSec it must be set to "0" (the default value, I think)!!
The /sbin/SuSEfirewall2 script looks at start time for ipsec devices (in v2.0 -> less +522 /sbin/SuSEfirewall2), but if there is no IPSec device present, the rp_filter parameter is set to "1"! Maybe you want to set them all to "0":
# set rp_filter to 0 for every interface directory under /proc/sys/net/ipv4/conf
for i in /proc/sys/net/ipv4/conf/* ; do { echo "0" > $i/rp_filter ; } done ;
If that doesn't help you can switch off the kernel security at #17 in /etc/rc.config.d/firewall2.rc.config.
A little bug in the /sbin/SuSEfirewall2 script is that the changes to the kernel parameters are a one-way ticket! Once set, the script doesn't roll them back to the original values if you stop/refresh/reload the firewall, so the only way I see is to reboot the machine (or roll back the values by hand ;-)
btw. does IPSec work correctly if you don't start the firewall?!
so long....
Kai
PS remember: you CAN'T ping from one IPSec router to the other!!! You must use IPs other than the router IPs as source/target IPs for ping tests: http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#cantping
PSS Very important (the real trick): http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#masq.faq
Have a nice day....
EOT
----- Original Message -----
From: "Argentium G. Tiger" <agtiger@kc.rr.com>
To: <suse-security@suse.com>
Sent: Thursday, January 17, 2002 11:09 PM
Subject: Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
Nadeem Hasan <nhasan@nadmm.com> writes (back in December 2001):
I am interested to know if anyone here has tried to build a VPN setup using SuSEFirewall2 and FreeS/WAN in tunnel mode (host to subnet). I have been looking to do this but have not been able to find any info about SuSEFirewall2 config changes for this.
I'm in the middle of this with SuSE 7.3 which we installed on two machines, both of which are to run the very latest SuSEfirewall2 from Mark Heuse's page at http://www.suse.de/~marc
I'm using SuSE's 2.4.10 kernel (stock, no changes, pentium optimized). I'm using freeswan from the same 7.3 install (which is an rsync Mirror of the 7.3 FTP directory at gatech).
Without the firewall enabled, it looks as if freeswan (ipsec) starts correctly. WITH the firewall enabled, here's what we get as an error message:
ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
ipsec_setup:
This is, frankly, maddening. I need to get this VPN working between two office sites. The first is our office and I'm intending FreeS/WAN to run on the firewall in conjunction with SuSEfirewall2. This machine masquerades to our internal network of 192.168.1.0/24 on the internal leg on eth1. This works fine.
The other end is inside of a client's internal network. Through a CISCO PIX firewall, they've locked an external real-ip to the machine's internal IP of 10.100.0.26, and opened up port 22 TCP for me to ssh into the machine from the outside world. This works wonderfully. There is only one ethernet card in here.
The goal is to be able to use the machine at the client site to talk to a Microsoft sourcesafe server at an internal address of 10.100.0.17, such that all of us back at our office can directly hit the sourcesafe server at the client's site and develop from there.
If I had much hair left, I'd be pulling it out. :-(
Configs (with secret keys masked obviously) and configs are available upon request.
Has *ANYONE* gotten FreeS/WAN 1.91 to work with SuSE 7.3, Kernel 2.4.10.SuSE and SuSEFirewall2-2.1 ?
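Markus's two echo lines and Kai's loop both change rp_filter by hand, and Kai points out that the firewall script sets it without restoring the old values on stop or reload. The following is an added example, not code from the thread and not part of SuSEfirewall2: POSIX sh functions that audit, save, clear and restore rp_filter over a directory laid out like /proc/sys/net/ipv4/conf (one subdirectory per interface, plus the "all" and "default" entries, each holding an rp_filter file). The demo at the bottom runs against a constructed copy of that tree under a temporary directory, so it works without root; on a gateway, point the functions at the real path.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2. Operates on a
# directory laid out like /proc/sys/net/ipv4/conf: one subdirectory per
# interface (plus "all" and "default"), each holding an rp_filter file.

# audit_rp_filter DIR: print "<iface> <value>" for each entry whose rp_filter
# is not 0, i.e. each interface KLIPS would warn about at ipsec start.
audit_rp_filter() {
    for d in "$1"/*; do
        [ -f "$d/rp_filter" ] || continue
        v=$(cat "$d/rp_filter")
        [ "$v" = "0" ] && continue
        printf '%s %s\n' "$(basename "$d")" "$v"
    done
    return 0
}

# save_rp_filter DIR FILE: record every entry's current value so a later
# change (e.g. by the firewall script) can be undone instead of rebooting.
save_rp_filter() {
    : > "$2"
    for d in "$1"/*; do
        [ -f "$d/rp_filter" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(cat "$d/rp_filter")" >> "$2"
    done
    return 0
}

# restore_rp_filter DIR FILE: write the recorded values back; entries for
# interfaces that no longer exist are skipped.
restore_rp_filter() {
    while read -r iface val; do
        [ -f "$1/$iface/rp_filter" ] || continue
        echo "$val" > "$1/$iface/rp_filter"
    done < "$2"
    return 0
}

# clear_rp_filter DIR IFACE...: set rp_filter to 0 only on the interfaces that
# carry IPsec traffic, leaving the kernel's spoofing check on the others.
clear_rp_filter() {
    dir=$1; shift
    for iface in "$@"; do
        echo 0 > "$dir/$iface/rp_filter"
    done
}

# Demo on a constructed tree mirroring the thread's gateway (eth0 outside,
# eth1 inside, ipsec0 tunnel), with every entry filtered to start with.
demo=$(mktemp -d)
for iface in all default eth0 eth1 ipsec0; do
    mkdir -p "$demo/$iface" && echo 1 > "$demo/$iface/rp_filter"
done
save_rp_filter "$demo" "$demo/rp_filter.saved"
clear_rp_filter "$demo" eth0 ipsec0
echo "still filtered after clearing eth0 and ipsec0:"
audit_rp_filter "$demo"
restore_rp_filter "$demo" "$demo/rp_filter.saved"
echo "still filtered after restore:"
audit_rp_filter "$demo"
rm -rf "$demo"
```

`audit_rp_filter /proc/sys/net/ipv4/conf` reproduces the check behind the KLIPS warning for every interface at once; `save_rp_filter` before starting the firewall script and `restore_rp_filter` after stopping it gives the rollback Kai says the script lacks. `clear_rp_filter` deliberately takes interface names rather than touching the whole tree, because clearing rp_filter on eth0, the Internet-facing leg, removes the kernel's own spoofing check there: once it is off, the firewall rules must reject packets arriving on eth0 that carry internal source addresses (192.168.1.0/24 and the remote 10.100.0.0/24 subnet in this thread). The "all" and "default" entries are reported too, since how they combine with per-interface values differs between kernel versions and both should be checked.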
participants (5): Argentium G. Tiger, Kai-H. Weutzing, Markus Koellner, Nadeem Hasan, Steffen Dettmer