Mailinglist Archive: opensuse-security (757 mails)

< Previous Next >
Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
  • From: Nadeem Hasan <nhasan@xxxxxxxxx>
  • Date: Thu, 17 Jan 2002 17:56:43 -0500
  • Message-id: <3C4756AB.CC1EC9C7@xxxxxxxxx>
Hi,

I have since been successful in getting the setup running
with SuSEFirewall2, FreeS/WAN and SSH Sentinel using X.509
certificates. I am currently in the process of writing this
whole thing into a nice document. Wait for a couple of days :)

"Argentium G. Tiger" wrote:
>
> Nadeem Hasan <nhasan@xxxxxxxxx> writes (back in December 2001):
>
> >I am interested to know if anyone here has tried to build a VPN
> >setup using SuSEFirewall2 and FreeS/WAN in tunnel mode (host to
> >subnet). I have been looking to do this but have not been able
> >to find any info about SuSEFirewall2 config changes for this.
>
> I'm in the middle of this with SuSE 7.3 which we installed on two machines,
> both of which are to run the very latest SuSEfirewall2 from Mark Heuse's
> page at http://www.suse.de/~marc
>
> I'm using SuSE's 2.4.10 kernel (stock, no changes, pentium optimized). I'm
> using freeswan from the same 7.3 install (which is an rsync Mirror of the 7.3
> FTP directory at gatech).
>
> Without the firewall enabled, it looks as if freeswan (ipsec) starts
> correctly. WITH the firewall enabled, here's what we get as an error
> message:
>
> ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route
> filtering turned on, KLIPS may not work
> ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
> ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
> ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
> ipsec_setup:
>
> This is, frankly, maddening. I need to get this VPN working between two
> office sites. The first is our office and I'm intending FreeS/WAN to run
> on the firewall in conjunction with SuSEfirewall2. This machine masquerades
> to our internal network of 192.168.1.0/24 on the internal leg on eth1.
> This works fine.
>
> The other end is inside of a client's internal network. Through a CISCO
> PIX firewall, they've locked an external real-ip to the machine's internal
> IP of 10.100.0.26, and opened up port 22 TCP for me to ssh into the machine
> from the outside world. This works wonderfully. There is only one ethernet
> card in here.
>
> The goal is to be able to use the machine at the client site to talk to a
> Microsoft sourcesafe server at an internal address of 10.100.0.17, such that
> all of us back at our office can directly hit the sourcesafe server at the
> client's site and develop from there.
>
> If I had much hair left, I'd be pulling it out. :-(
>
> Configs (with secret keys masked obviously) and configs are available upon
> request.
>
> Has *ANYONE* gotten FreeS/WAN 1.91 to work with SuSE 7.3, Kernel 2.4.10.SuSE
> and SuSEFirewall2-2.1 ?
>
> With much hope that someone has,
> Argentium

--
Nadeem Hasan
nhasan@xxxxxxxxx
http://www.nadmm.com/

< Previous Next >
References