packets still seem to be dropped not routed despite rp_filter=0
I'm trying to set up a VPN from "home" LAN to "bookman" LAN. I've set up Freeswan successfully and it *appears* to be doing its job but still packets aren't getting through. I suspect that routing isn't working for some reason and I've reached the limit of my security knowledge.

Can anyone help?

The set up is this: "Bookman" LAN is subnet 192.168.0.0/24 with Ipsec gateway "flanger" on IP address 192.168.0.127. "Bookman" LAN connects to internet via ADSL ("Vigor") router that has "Ipsec passthru". In terms of configuration this means that I've switched off the "Vigor" router's built-in Ipsec processing and set UDP on port 500 to forward direct to "flanger" on 192.168.0.127. The router's software is set to recognize this combination as a signal to switch on Ipsec passthru so that protocols 50 and 51 are also forwarded to the same internal box.

(We've successfully set up and used an SA to a "Fortigate" router based on this through to another company "SGPM" and we use that VPN for production purposes. It's fast and stable and has impressed management!)

"Home" LAN is subnet 192.168.10.0/24 with Ipsec gateway "jellybean" on external IP address 217.... (hidden for privacy - if that's me being silly I'm happy to reveal it!). The "home" gateway has an ethernet card on 192.168.10.1 with a hub connected to that and (at present) one test laptop connected to the hub running Win 2k.

Ipsec gateway on "Bookman" LAN ("flanger") is running SuSE 7.2 and our gateway here ("jellybean") is running SuSE 8.2 (these seem to be Freeswan 1.91 and 1.99 respectively).

The idea is to have a VPN connecting PCs and laptops on the "home" LAN to the servers on the "Bookman" LAN in production.

Progress so far: With a small amount of tinkering I managed to get the two pluto daemons to talk and agree an SA but was unable to ping servers on the "Bookman" LAN from either our gateway or our test laptop. After help from Rob Maurizzi on this mailing list I managed to get KLIPS debugging and found that, rather boringly, the gateway was unable to ping Bookman servers because packets were being seen by KLIPS as coming from the WAN address of the router (217....) and so had no eroute and were dropped - this was clearly visible in the stats on ifconfig, which helped.

Problem: However this didn't explain why the laptop couldn't reach the Bookman LAN. My initial thought was that routing needed to be switched on. The box is configured as a firewall with a SQUID proxy so the "home" LAN can access the www. SuSEfirewall2 is running to prevent malicious attacks but allow Ipsec traffic. Config is basically - allow external TCP service "ssh" plus external UDP service "isakmp" plus external IP protocols "ah" and "esp", do not protect from internal network, reject rather than drop packets (temporary for debug) and log all dropped packets (temporary for debug).

When I ping from the Win 2k laptop to a Bookman server I see nothing in the firewall logs, nothing in KLIPS debug. I see packets arriving on eth0 but nothing on ipsec0 or ppp0 (the WAN interface).

echo "1" > /proc/sys/net/ipv4/ip_forward makes no difference

cat /proc/sys/net/ipv4/conf/*/forwarding gives "1"s for all devices and worse

cat /proc/sys/net/ipv4/conf/*/rp_filter gives "0"s for all devices!

Outputs:

jellybean:~ # rcipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: ipsec
ipsec_setup: done

jellybean:~ # ipsec auto --up jellybean-bookman
104 "jellybean-bookman" #1: STATE_MAIN_I1: initiate
106 "jellybean-bookman" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "jellybean-bookman" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "jellybean-bookman" #1: STATE_MAIN_I4: ISAKMP SA established
112 "jellybean-bookman" #2: STATE_QUICK_I1: initiate
004 "jellybean-bookman" #2: STATE_QUICK_I2: sent QI2, IPsec SA established

jellybean:~ # ip route ls
213.123.101.97 dev ppp0  proto kernel  scope link  src 217.24.128.146
213.123.101.97 dev ipsec0  proto kernel  scope link  src 217.24.128.146
192.168.0.0/24 via 213.123.101.97 dev ipsec0
192.168.10.0/24 dev eth0  proto kernel  scope link  src 192.168.10.1
default via 213.123.101.97 dev ppp0

jellybean:~ # ip rule ls
0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default

jellybean:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
213.123.101.97  0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
213.123.101.97  0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
192.168.0.0     213.123.101.97  255.255.255.0   UG    0      0        0 ipsec0
192.168.10.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         213.123.101.97  0.0.0.0         UG    0      0        0 ppp0
jellybean:~ #

jellybean:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:40:95:30:5C:79
          inet addr:192.168.10.1  Bcast:192.168.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:8692 (8.4 Kb)
          Interrupt:5 Base address:0xc000

ipsec0    Link encap:IPIP Tunnel  HWaddr
          inet addr:217.24.128.146  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:10
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:32 errors:0 dropped:0 overruns:0 frame:0
          TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2056 (2.0 Kb)  TX bytes:2056 (2.0 Kb)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:217.24.128.146  P-t-P:213.123.101.97  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:886 errors:0 dropped:0 overruns:0 frame:0
          TX packets:957 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:375562 (366.7 Kb)  TX bytes:107243 (104.7 Kb)
jellybean:~ #

(OK so I capitulated - you can see my wan address - hey, I trust SuSEfirewall2 !! :) )

(Note eth0 stats aren't accurate at the moment, I just created this quickly before rushing to a meeting.)

Does anyone know what happened to my packets?!?

Regards,
Carl
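As an added illustration (not part of the thread and not Carl's or FreeS/WAN's code), the following Python models the decisions jellybean's kernel makes from the "ip route ls" output above: a longest-prefix route lookup with preferred-source selection, a strict rp_filter reverse-path check, and the forwarding decision for a transit packet. The host addresses 192.168.10.20 (laptop) and 192.168.0.10 (Bookman server) are assumed test values; netfilter is deliberately not modelled.

```python
import ipaddress

# Routing table constructed from the "ip route ls" output in the post:
# (prefix, gateway, device, preferred source). Interface addresses from ifconfig.
ROUTES = [
    ("213.123.101.97/32", None,             "ppp0",   "217.24.128.146"),
    ("213.123.101.97/32", None,             "ipsec0", "217.24.128.146"),
    ("192.168.0.0/24",    "213.123.101.97", "ipsec0", None),
    ("192.168.10.0/24",   None,             "eth0",   "192.168.10.1"),
    ("0.0.0.0/0",         "213.123.101.97", "ppp0",   None),
]
IFACE_ADDR = {"ppp0": "217.24.128.146", "ipsec0": "217.24.128.146", "eth0": "192.168.10.1"}


def lookup(dst):
    """Longest-prefix match. Returns (gateway, device, preferred source) or None.
    Like the kernel, a route without an explicit src falls back to the egress
    interface address: for 192.168.0.0/24 that is ipsec0's 217.24.128.146, i.e.
    the WAN address, which is outside the home subnet and so matches no eroute."""
    best = None
    for prefix, gw, dev, src in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev, src)
    if best is None:
        return None
    _, gw, dev, src = best
    return gw, dev, src or IFACE_ADDR[dev]


def rp_filter_accepts(src, in_dev):
    """Strict reverse-path filtering: the route back to src must leave via in_dev.
    A laptop source in 192.168.10.0/24 arriving on eth0 passes this check, so
    rp_filter (set to 0 here anyway) cannot explain the missing packets."""
    route = lookup(src)
    return route is not None and route[1] == in_dev


def forward(src, dst, in_dev, ip_forward=True):
    """Decision for a transit packet: forwarding enabled, rp_filter, then routing."""
    if not ip_forward:
        return "dropped: ip_forward=0"
    if not rp_filter_accepts(src, in_dev):
        return f"dropped: rp_filter on {in_dev}"
    route = lookup(dst)
    if route is None:
        return "dropped: no route"
    gw, dev, _ = route
    return f"forward via {dev}" + (f" next hop {gw}" if gw else "")
```

With this table a laptop packet to the Bookman LAN is routed to ipsec0 and passes the reverse-path check, so the drop Carl sees must happen in a stage this model leaves out, such as the netfilter FORWARD path.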
Hi Carl,

You are the victim of a very common misunderstanding concerning IPSEC and the setup of the firewall .... ;-)

It is not PORT 500 that is needed to set up the tunnel (after negotiation of the SA has been done), but PROTOCOL (!!!) 500, which you have to put in the firewall to be allowed through interface ipsec0 (add this to FW_DEV_EXT). Since I do not use SuSE firewall anymore (there are better scripts for iptables) I am not 100% sure, but I remember that you have to set this in the SuSEfirewall2 file as variable FW_SERVICES_EXT_IP = 500.

HTH,
Philipp

J J wrote:
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
Participants (2): J J, Philipp Rusch