Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Fri, 18 Jan 2002 09:32:56 -0600
  • Message-id: <5.1.0.14.2.20020118093249.00ab1bc0@xxxxxxxxxxxxxxxxxxxx>
Nadeem Hasan writes:

> I have since been successful in getting the setup running
> with SuSEFirewall2, FreeS/WAN and SSH Sentinel using X.509
> certificates. I am currently in the process of writing this
> whole thing into a nice document. Wait for a couple of days :)

Many thanks... I'm looking forward to seeing how you got it working.
I need to keep looking at any and all options, because this _has_ to be
working by Monday morning. Failure means I'm holding up an entire office
from moving from one location to another, and that's the holdup I'd really
rather not continue to be the cause of.

So, further to that need, here's a bit more information given what I've
learned since yesterday (and many thanks to participants in this mailing
list, the fact that people are offering suggestions is _very_ much
appreciated. I don't feel quite so alone trying to tackle this giant.)

I've set up SSH (SSH-1.9.9-OpenSSH_2.9.9p2) with public keys such that the
machines can log into each other without any trouble.

I used ipsec rsakeysig to generate keys sufficient for my security
needs, and I've set up my ipsec.conf and ipsec.secrets files accordingly.

On the side where the firewall is actually active, I'm getting the error
that I documented last message:

ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)

I'm assuming this problem will dog me on both sides when I activate the
firewall/IPSEC machine on the inside of the Cisco PIX firewall on the 10.100.0.0/24 network.

And now to Markus' message:

> You must disable IP spoofing protection for ipsec to work properly.
>
> Something like that should do the job:
> echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

But where does that go, and when should they be executed? I tried putting
those in the /etc/rc.config.d/firewall2-custom.rc.config file in the
fw_custom_before_denyall() section at the end, and enabling the customized
command script in /etc/rc.config.d/firewall2.rc.config in section 25:

FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

With IPSEC not running, I activated the Firewall final portion:

/etc/init.d/SuSEfirewall2_final start

I get this error message:

/sbin/SuSEfirewall2: /proc/sys/net/ipv4/conf/ipsec0/rp_filter: No such file or directory

Okay... So ipsec0 doesn't exist without ipsec loaded. That makes sense.

So I reactivate ipsec:

/etc/init.d/ipsec start

It comes back with:

ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work.
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup:

Okay, we're down to one error...

Do I need to re-run the firewall final portion of the script *again*?

From my perception, I have a chicken-and-egg problem here. :-(
Which comes first?

Argentium
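One way to handle the ordering problem described in the post above, as an added example that is not part of the original thread or of SuSEFirewall2: a small shell function, meant to be run after `/etc/init.d/ipsec start` (for instance from the firewall custom-rules hook), that clears rp_filter only on interfaces whose /proc entry already exists and reports the ones it had to skip, so a missing ipsec0 no longer aborts the script. The /proc root and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): clear reverse-path filtering on
# the interfaces FreeS/WAN KLIPS needs, skipping any whose /proc entry is not
# present yet (e.g. ipsec0 before the ipsec service has been started).
#
# usage: disable_rp_filter PROC_ROOT IFACE [IFACE...]
#   PROC_ROOT is normally /proc/sys/net/ipv4/conf; it is a parameter so the
#   function can also be exercised against a scratch directory.
#
# Prints one line per interface: "<iface> set", "<iface> already-0" or
# "<iface> missing". Exit status 0 when every interface was handled, 2 when
# at least one was missing, so the caller knows it must run again once the
# ipsec service has created the interface.
disable_rp_filter() {
    root=$1
    shift
    rc=0
    for iface in "$@"; do
        f="$root/$iface/rp_filter"
        if [ ! -f "$f" ]; then
            # Interface not up yet: report it instead of failing like the
            # plain "echo 0 > ..." line in the firewall hook does.
            echo "$iface missing"
            rc=2
            continue
        fi
        if [ "$(cat "$f")" = "0" ]; then
            echo "$iface already-0"
        else
            echo 0 > "$f"
            echo "$iface set"
        fi
    done
    return $rc
}

# Real invocation on a FreeS/WAN host (run after the ipsec service is up):
# disable_rp_filter /proc/sys/net/ipv4/conf ipsec0 eth0
```

Reverse-path filtering is the kernel's anti-spoofing check, so the function touches only the interfaces named on its command line rather than the `all` entry.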