Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
Hi,

What about the kernel parameter rp_filter?! There is a dir for each network
device in /proc/sys/net/ipv4/conf/ !
And for IPSec it must be set to "0" (the default value, I think)!! The
/sbin/SuSEfirewall2 script looks at start time for ipsec devices (in v2.0 ->
less +522 /sbin/SuSEfirewall2), but if there is no IPSec device present the
rp_filter parameter is set to "1"!
Maybe you want to set them all to "0":
for i in /proc/sys/net/ipv4/conf/* ; do { echo "0" > "$i/rp_filter" ; } done ;

If that doesn't help you can switch off the kernel security at #17 in
/etc/rc.config.d/firewall2.rc.config.

A little bug in the /sbin/SuSEfirewall2 script is that the changes to the
kernel parameters are a one-way ticket! Once set, the script doesn't roll them
back to the original values if you stop/refresh/reload the firewall, so the
only way I see is to reboot the machine (or roll back the values by hand ;-)

btw. does IPSec work correctly if you don't start the firewall?!

so long.... Kai

PS remember: you CAN'T ping from one IPSec router to the other!!! You must
use IPs other than the router IPs as source / target IPs for ping tests:
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#cantping

PSS Very important (the real trick):
http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/faq.html#masq.faq

Have a nice day....

EOT

----- Original Message -----
From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
To: <suse-security@xxxxxxxx>
Sent: Thursday, January 17, 2002 11:09 PM
Subject: Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN


> Nadeem Hasan <nhasan@xxxxxxxxx> writes (back in December 2001):
>
> >I am interested to know if anyone here has tried to build a VPN
> >setup using SuSEFirewall2 and FreeS/WAN in tunnel mode (host to
> >subnet). I have been looking to do this but have not been able
> >to find any info about SuSEFirewall2 config changes for this.
>
> I'm in the middle of this with SuSE 7.3 which we installed on two machines,
> both of which are to run the very latest SuSEfirewall2 from Mark Heuse's
> page at http://www.suse.de/~marc
>
> I'm using SuSE's 2.4.10 kernel (stock, no changes, pentium optimized). I'm
> using freeswan from the same 7.3 install (which is an rsync Mirror of the 7.3
> FTP directory at gatech).
>
> Without the firewall enabled, it looks as if freeswan (ipsec) starts
> correctly. WITH the firewall enabled, here's what we get as an error
> message:
>
> ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route
> filtering turned on, KLIPS may not work
> ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
> ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
> ipsec_setup:
>
> This is, frankly, maddening. I need to get this VPN working between two
> office sites. The first is our office and I'm intending FreeS/WAN to run
> on the firewall in conjunction with SuSEfirewall2. This machine masquerades
> to our internal network of 192.168.1.0/24 on the internal leg on eth1.
> This works fine.
>
> The other end is inside of a client's internal network. Through a CISCO
> PIX firewall, they've locked an external real-ip to the machine's internal
> IP of 10.100.0.26, and opened up port 22 TCP for me to ssh into the machine
> from the outside world. This works wonderfully. There is only one ethernet
> card in here.
>
> The goal is to be able to use the machine at the client site to talk to a
> Microsoft sourcesafe server at an internal address of 10.100.0.17, such that
> all of us back at our office can directly hit the sourcesafe server at the
> client's site and develop from there.
>
> If I had much hair left, I'd be pulling it out. :-(
>
> Configs (with secret keys masked obviously) and configs are available upon
> request.
>
> Has *ANYONE* gotten FreeS/WAN 1.91 to work with SuSE 7.3, Kernel 2.4.10.SuSE
> and SuSEFirewall2-2.1 ?
>
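The two problems in this thread (SuSEfirewall2 forcing rp_filter to 1 so that ipsec_setup warns, and the change never being rolled back on stop) can be handled by a small wrapper that snapshots every rp_filter value before clearing it and restores the snapshot afterwards. The script below is an added example, not code from SuSEfirewall2, FreeS/WAN or anyone in this thread. The state-file path and the interface names (eth0, ipsec0) are assumptions; writing the real /proc tree needs root, and CONF_ROOT can be pointed at a scratch directory for a dry run. It also clears conf/all/rp_filter, which ipsec_setup's check above does not mention: the kernel's ip-sysctl documentation says the larger of conf/all and conf/<interface> is the value that takes effect.

```sh
#!/bin/sh
# Added example (not SuSEfirewall2 or FreeS/WAN code): snapshot rp_filter
# on every interface, clear it for IPsec, and restore the snapshot on stop.
# Assumptions: the state-file path and the interface names; writing the
# real /proc tree needs root. CONF_ROOT may be pointed at a scratch
# directory (one subdir per interface, each holding an rp_filter file)
# for a dry run without root.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"
STATE_FILE="${STATE_FILE:-/var/run/rp_filter.saved}"

# Print the current rp_filter value of one interface.
rp_get() {
    cat "$CONF_ROOT/$1/rp_filter"
}

# The same test ipsec_setup makes: succeed only if rp_filter is 0.
rp_check() {
    v=$(rp_get "$1")
    if [ "$v" != 0 ]; then
        echo "WARNING: $1 has route filtering turned on" \
             "($CONF_ROOT/$1/rp_filter = '$v', should be 0)" >&2
        return 1
    fi
    return 0
}

# Record "<iface> <value>" for every interface before anything is changed,
# so that a later stop can undo exactly what start did.
rp_save() {
    : > "$STATE_FILE"
    for d in "$CONF_ROOT"/*; do
        [ -f "$d/rp_filter" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(cat "$d/rp_filter")" >> "$STATE_FILE"
    done
}

# Set rp_filter to 0 on the named interfaces, or on all of them if none are
# given. "all" must be cleared too: the kernel uses the larger of conf/all
# and conf/<iface>.
rp_clear() {
    if [ $# -eq 0 ]; then
        set -- $(ls "$CONF_ROOT")
    fi
    for i in "$@"; do
        f="$CONF_ROOT/$i/rp_filter"
        if [ -f "$f" ]; then
            echo 0 > "$f"
        else
            echo "rp_clear: no such interface: $i" >&2
        fi
    done
}

# Put every value back to what rp_save recorded, then drop the snapshot.
rp_restore() {
    if [ ! -f "$STATE_FILE" ]; then
        echo "rp_restore: no snapshot in $STATE_FILE" >&2
        return 1
    fi
    while read -r i v; do
        f="$CONF_ROOT/$i/rp_filter"
        if [ -f "$f" ]; then
            echo "$v" > "$f"
        fi
    done < "$STATE_FILE"
    rm -f "$STATE_FILE"
}

# Hook for an rc script; with no argument nothing is touched.
case "${1:-}" in
    start)  rp_save; rp_clear all ipsec0 eth0 ;;
    stop)   rp_restore ;;
    status) for d in "$CONF_ROOT"/*; do rp_check "$(basename "$d")"; done ;;
esac
```

Run it as `sh rpfilter.sh start` after SuSEfirewall2 has started and before ipsec_setup, and `sh rpfilter.sh stop` when the tunnel goes down; `status` reproduces the ipsec_setup warning for every interface that is still filtered.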


