Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSEFirewall2, FreeS/WAN and VPN
  • From: "Argentium G. Tiger" <agtiger@xxxxxxxxx>
  • Date: Thu, 17 Jan 2002 16:09:23 -0600
  • Message-id: <5.1.0.14.2.20020117160918.031bd2b0@xxxxxxxxxxxxxxxxxxxx>
Nadeem Hasan <nhasan@xxxxxxxxx> writes (back in December 2001):


> I am interested to know if anyone here has tried to build a VPN
> setup using SuSEFirewall2 and FreeS/WAN in tunnel mode (host to
> subnet). I have been looking to do this but have not been able
> to find any info about SuSEFirewall2 config changes for this.

I'm in the middle of this with SuSE 7.3 which we installed on two machines,
both of which are to run the very latest SuSEfirewall2 from Mark Heuse's
page at http://www.suse.de/~marc

I'm using SuSE's 2.4.10 kernel (stock, no changes, pentium optimized). I'm
using freeswan from the same 7.3 install (which is an rsync Mirror of the 7.3
FTP directory at gatech).

Without the firewall enabled, it looks as if freeswan (ipsec) starts
correctly. WITH the firewall enabled, here's what we get as an error
message:

ipsec_setup: Starting FreeS/WAN IPsec 1.91...WARNING: ipsec0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/ipsec0/rp_filter = '1', should be 0)
ipsec_setup: WARNING: eth0 has route filtering turned on, KLIPS may not work
ipsec_setup: (/proc/sys/net/ipv4/conf/eth0/rp_filter = '1', should be 0)
ipsec_setup:

This is, frankly, maddening. I need to get this VPN working between two
office sites. The first is our office and I'm intending FreeS/WAN to run
on the firewall in conjunction with SuSEfirewall2. This machine masquerades
to our internal network of 192.168.1.0/24 on the internal leg on eth1.
This works fine.

The other end is inside of a client's internal network. Through a CISCO
PIX firewall, they've locked an external real-ip to the machine's internal
IP of 10.100.0.26, and opened up port 22 TCP for me to ssh into the machine
from the outside world. This works wonderfully. There is only one ethernet
card in here.

The goal is to be able to use the machine at the client site to talk to a
Microsoft sourcesafe server at an internal address of 10.100.0.17, such that
all of us back at our office can directly hit the sourcesafe server at the
client's site and develop from there.

If I had much hair left, I'd be pulling it out. :-(

Configs (with secret keys masked, obviously) are available upon
request.

Has *ANYONE* gotten FreeS/WAN 1.91 to work with SuSE 7.3, Kernel 2.4.10.SuSE
and SuSEFirewall2-2.1 ?

With much hope that someone has,
Argentium



> Thanks.
>
> cheers,
> --
> Nadeem Hasan
> nhasan@xxxxxxxxx
> http://www.nadmm.com/
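
The following script is an added example and is not part of the thread above or of SuSEfirewall2 or FreeS/WAN. It reproduces the rp_filter check that ipsec_setup is complaining about (a value of 1 under /proc/sys/net/ipv4/conf/<iface>/rp_filter makes the kernel drop packets that KLIPS hands back in through ipsec0 with a source address the routing table does not expect on that device), prints the sysctl commands that clear it, and prints the plain iptables rules a gateway needs so that IKE (UDP 500), ESP (IP protocol 50) and the cleartext traffic on ipsec0 are accepted and the traffic bound for the remote subnet is kept out of the masquerading rule. The interface names eth0, eth1 and ipsec0 and the 192.168.1.0/24 office network are taken from the post; the peer address 203.0.113.10 and the /24 mask on the client's 10.100.0.0 network are assumptions, and the rules are given as raw iptables commands rather than SuSEfirewall2 variables, so they would still have to be carried into whatever custom-rules hook the SuSEfirewall2 version in use provides. The check function takes the /proc base directory as a parameter so it can be run against a constructed tree, which the demo at the bottom does.

```shell
#!/bin/sh
# Added example (not from the original thread).
# Mirrors the check ipsec_setup performs: every interface KLIPS uses
# must have rp_filter == 0. Prints a warning per offending interface
# and returns 1 if any was found, 0 otherwise.
# $1 = base directory (normally /proc/sys/net/ipv4/conf), rest = interfaces.
check_rp_filter() {
    base=$1
    shift
    bad=0
    for ifc in "$@"; do
        f="$base/$ifc/rp_filter"
        [ -r "$f" ] || continue
        v=$(cat "$f")
        if [ "$v" != "0" ]; then
            echo "WARNING: $ifc has route filtering turned on ($f = '$v', should be 0)"
            bad=1
        fi
    done
    return $bad
}

# Prints (does not run; needs root) the sysctl commands that clear rp_filter
# on the given interfaces. Put the same keys in /etc/sysctl.conf to survive reboot.
rp_filter_fix_cmds() {
    for ifc in "$@"; do
        echo "sysctl -w net.ipv4.conf.$ifc.rp_filter=0"
    done
}

# Prints the firewall rules for a FreeS/WAN (KLIPS) gateway.
# $1 = external interface, $2 = peer gateway IP, $3 = local subnet, $4 = remote subnet.
ipsec_rules() {
    ext=$1 peer=$2 lnet=$3 rnet=$4
    cat <<EOF
# IKE (UDP 500) and ESP (protocol 50) from the peer gateway on the outside leg
iptables -A INPUT -i $ext -p udp -s $peer --dport 500 -j ACCEPT
iptables -A INPUT -i $ext -p esp -s $peer -j ACCEPT
# cleartext traffic that KLIPS decapsulates arrives on ipsec0
iptables -A INPUT -i ipsec0 -s $rnet -j ACCEPT
iptables -A FORWARD -i ipsec0 -s $rnet -d $lnet -j ACCEPT
iptables -A FORWARD -o ipsec0 -s $lnet -d $rnet -j ACCEPT
# traffic for the remote subnet must enter the tunnel with its real source
# address, so exempt it from MASQUERADE (inserted ahead of the masquerade rule)
iptables -t nat -I POSTROUTING -s $lnet -d $rnet -j ACCEPT
EOF
}

# --- constructed demo tree standing in for /proc/sys/net/ipv4/conf ---
DEMO=$(mktemp -d)
for ifc in eth0 eth1 ipsec0; do mkdir -p "$DEMO/$ifc"; done
echo 1 > "$DEMO/eth0/rp_filter"     # the state ipsec_setup warned about
echo 0 > "$DEMO/eth1/rp_filter"
echo 1 > "$DEMO/ipsec0/rp_filter"

check_rp_filter "$DEMO" eth0 eth1 ipsec0 || echo "clear rp_filter before starting KLIPS:"
rp_filter_fix_cmds eth0 ipsec0
ipsec_rules eth0 203.0.113.10 192.168.1.0/24 10.100.0.0/24
rm -rf "$DEMO"
```

Two practical caveats that follow from the thread: the client's PIX as described only passes TCP 22 to 10.100.0.26, so UDP 500 and IP protocol 50 have to be opened on that side as well before a tunnel can come up, and because that host sits behind a one-to-one static NAT, the FreeS/WAN connection definition on the office end has to name the public address the PIX presents while the host itself still has only its 10.100.0.26 address. Which of those is the cause in the poster's setup cannot be determined from the messages above.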

--
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx

