Nadeem Hasan writes:
I have since been successful in getting the setup running with SuSEFirewall2, FreeS/WAN and SSH Sentinel using X.509 certificates. I am currently in the process of writing this whole thing into a nice document. Wait for a couple of days :)
Many thanks... I'm looking forward to seeing how you got it working. I need to keep looking at any and all options, because this _has_ to be working by Monday morning. Failure means I'm holding up an entire office from moving from one location to another, and that's the holdup I'd really rather not continue to be the cause of.

So, further to that need, here's a bit more information given what I've learned since yesterday (and many thanks to participants in this mailing list; the fact that people are offering suggestions is _very_ much appreciated. I don't feel quite so alone trying to tackle this giant.)

I've set up SSH (SSH-1.9.9-OpenSSH_2.9.9p2) with public keys such that the machines can log into each other without any trouble. I used ipsec rsakeysig to generate keys sufficient for my security needs, and I've set up my ipsec.conf and ipsec.secrets files accordingly.

On the side where the firewall is actually active, I'm getting the error that I documented last message:

ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)

I'm assuming this problem will dog me on both sides when I activate the firewall/IPSEC machine on the inside of the CiscoPIX firewall on the 10.100.0.0/24 network.

And now to Markus' message:
You must disable IP spoofing protection for ipsec to work properly.
Something like that should do the job:

echo 0 > /proc/sys/net/ipv4/conf/ipsec0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
But where do those go, and when should they be executed? I tried putting those in the /etc/rc.config.d/firewall2-custom.rc.config file in the fw_custom_before_denyall() section at the end, and enabling the customized command script in /etc/rc.config.d/firewall2.rc.config in section 25:

FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

With IPSEC not running, I activated the Firewall final portion:

/etc/init.d/SuSEfirewall2_final start

I get this error message:

/sbin/SuSEfirewall2: /proc/sys/net/ipv4/conf/ipsec0/rp_filter: No such file or directory

Okay... So ipsec0 doesn't exist without ipsec loaded. That makes sense. So I reactivate ipsec:

/etc/init.d/ipsec start

It comes back with:

ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work.
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup:

Okay, we're down to one error... Do I need to re-run the firewall final portion of the script *again*? From my perception, I have a chicken and the egg problem here. :-( Which comes first?

Argentium
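As an added example (not from this thread, and not part of the SuSEfirewall2 or FreeS/WAN scripts), a small sh script that does what Markus suggested while coping with the ordering problem Argentium ran into: it clears rp_filter only on interfaces whose sysctl entry already exists, reports the ones it had to skip, and returns non-zero in that case so the firewall hook can tell the step must be repeated once "ipsec start" has created ipsec0. CONF_ROOT and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed example: clear reverse-path filtering (rp_filter) on the
# interfaces KLIPS needs, tolerating the fact that ipsec0 only exists once
# the ipsec service has loaded KLIPS. CONF_ROOT is a hypothetical override
# so the logic can be exercised against a scratch directory instead of /proc.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# rp_filter_state IFACE: print the current rp_filter value, or "missing"
# (and return 1) when the interface has no sysctl entry yet.
rp_filter_state() {
    f="$CONF_ROOT/$1/rp_filter"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo missing
        return 1
    fi
}

# disable_rp_filter IFACE...: write 0 for every interface that is present and
# report each one. Returns 0 only when no interface had to be skipped, so a
# caller (e.g. the fw_custom_before_denyall hook) can tell that the step must
# be repeated after "ipsec start" has created ipsec0.
disable_rp_filter() {
    skipped=0
    for iface in "$@"; do
        f="$CONF_ROOT/$iface/rp_filter"
        if [ -w "$f" ]; then
            echo 0 > "$f"
            echo "$iface: rp_filter disabled"
        else
            echo "$iface: skipped (no sysctl entry yet)"
            skipped=$((skipped + 1))
        fi
    done
    [ "$skipped" -eq 0 ]
}

# Stand-alone use (as root): sh rp_filter_off.sh eth0 ipsec0
if [ "$#" -gt 0 ]; then
    disable_rp_filter "$@" ||
        echo "some interfaces were not present; rerun after ipsec start" >&2
fi
```

Run it from the firewall hook before ipsec is up and it will only clear eth0; run it again (or call it from the ipsec side) after ipsec0 exists and it clears both and returns 0.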