Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] free/SWAN and SuSEfirewall2 (iptables)
  • From: Michael Boettjer <michael@xxxxxxxxxxxx>
  • Date: Mon, 09 Sep 2002 17:15:57 +0200
  • Message-id: <5.1.0.14.2.20020909171541.02a1e498@xxxxxxxxxxxxxxxxxxxxxxxx>
At 16:02 09.09.2002 +0200, you wrote:
> The Subnet between inner-router and firewall has the
> range 192.168.51.0/24.
> ...
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 0.0.0.0 195.90.31.254 0.0.0.0 UG 40 0 0 eth0
> 193.159.64.92 195.91.41.254 255.255.255.255 UGH 40 0 0 ipsec0
> 195.91.41.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
> 195.91.41.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec0

I can't find a route to the "inner router" in the subnet 192.168.51.0/24
given above. Can you ping the hosts in 192.168.0.0/16 from the firewall? If
not, then it won't be possible through the VPN.

Mmh, here is my complete Routing-Table of the Firewall:

/root >route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.50.99 192.168.51.99 255.255.255.255 UGH 0 0 0 eth1
62.157.67.137 195.91.41.254 255.255.255.255 UGH 0 0 0 ipsec0
192.168.52.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
195.91.41.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
195.91.41.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.51.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
127.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 lo
0.0.0.0 195.91.41.254 0.0.0.0 UG 0 0 0 eth0

First, to begin with, I want to ping or "net use" the inner router (192.168.51.99) only.
This works: I can ping the router or telnet to port 139 from the firewall without problems,
but not from the roadwarrior.

> up-client:)
> # connection to my client subnet coming up
> # If you are doing a custom version, firewall commands go here.
> iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
> iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
Did you configure the left/right-protoports in ipsec.conf?
Maybe you can post your ipsec.conf.

Protoports? Here is the ipsec.conf from the firewall:

config setup
interfaces="ipsec0=eth0"
klipsdebug=none
plutodebug=none
plutoload=%search
plutostart=%search
uniqueids=no

conn %default
keyingtries=1
type=tunnel

conn warriors
left=0.0.0.0
leftsubnet=
leftnexthop=
right=195.91.41.11
rightsubnet=192.168.0.0/16
rightnexthop=195.91.41.254
rightupdown=/usr/lib/ipsec/_updown_custom
compress=yes
keyexchange=ike
pfs=yes
authby=secret
auto=add

As client I'm using a Win2k notebook and its built-in IPsec implementation.
The tunnel configuration is read from this ipsec.conf file:

conn %default
dial=vpn

conn warriors
left=%any
right=195.91.41.11
rightsubnet=192.168.0.0/16
presharedkey=...
network=ras
auto=start
pfs=yes

`iptables -L -nv` shows the packet counters of the rules. You can check
whether the rules are hit.

tcpdump is always a big help to see whether packets leave or arrive at your
firewall.

It's not installed for security reasons... ;-))
I will do that next.

any ideas?

Thank you very much,
Michael

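The routing question raised in this thread (does the firewall have a route for the inner-router subnet, and does the tunnel's rightsubnet=192.168.0.0/16 actually correspond to routable networks?) can be checked mechanically. The following script is an added example written for this archive page, not code from the thread or from FreeS/WAN: it parses the two `route -n` tables quoted above (copied here as constructed string constants), does a longest-prefix lookup the way the kernel's FIB would for plain destination routing, and reports which routes fall inside a tunnel subnet. It ignores policy routing and the KLIPS ipsec0 interface semantics, so it answers "is there a route at all", not "will the packet be encrypted".

```python
import ipaddress

# Constructed copy of the `route -n` output quoted at the top of the thread
# (the table the other poster said lacks a route to 192.168.51.0/24).
EARLIER_ROUTES = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         195.90.31.254   0.0.0.0         UG     40 0          0 eth0
193.159.64.92   195.91.41.254   255.255.255.255 UGH    40 0          0 ipsec0
195.91.41.0     0.0.0.0         255.255.255.0   U      40 0          0 eth0
195.91.41.0     0.0.0.0         255.255.255.0   U      40 0          0 ipsec0
"""

# Constructed copy of the complete firewall routing table posted in the reply.
FIREWALL_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.50.99   192.168.51.99   255.255.255.255 UGH   0      0        0 eth1
62.157.67.137   195.91.41.254   255.255.255.255 UGH   0      0        0 ipsec0
192.168.52.0    0.0.0.0         255.255.255.0   U     0      0        0 eth2
195.91.41.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
195.91.41.0     0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
192.168.51.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.255.255.0   U     0      0        0 lo
0.0.0.0         195.91.41.254   0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text):
    """Parse `route -n` output into a list of route dicts, in table order.

    Works for both column layouts seen in the thread (Metric/Ref/Use and
    MSS/Window/irtt): destination, gateway, genmask and flags come first,
    the interface is always the last column.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue  # skip the banner and the header line
        dest, gw, mask, flags = parts[:4]
        routes.append({
            "net": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw),
            "flags": flags,
            "iface": parts[-1],
        })
    return routes


def lookup(routes, addr):
    """Return the route a packet to `addr` would take: longest prefix wins,
    ties go to the entry listed first (as the kernel does for equal routes).
    """
    addr = ipaddress.IPv4Address(addr)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r["net"].prefixlen, -routes.index(r)))


def explicit_route_for(routes, subnet):
    """Return the most specific non-default route that covers all of `subnet`,
    or None if only the default route would carry that traffic.

    This is the check behind "I can't find a route to 192.168.51.0/24".
    """
    net = ipaddress.IPv4Network(subnet)
    covering = [r for r in routes
                if r["net"].prefixlen > 0 and net.subnet_of(r["net"])]
    return max(covering, key=lambda r: r["net"].prefixlen) if covering else None


def routes_inside(routes, subnet):
    """List the routed networks that lie inside a tunnel subnet, e.g. the
    rightsubnet=192.168.0.0/16 from ipsec.conf; anything else in that /16
    has no route and will not be reachable through the tunnel.
    """
    net = ipaddress.IPv4Network(subnet)
    return sorted({str(r["net"]) for r in routes
                   if r["net"].prefixlen > 0 and r["net"].subnet_of(net)})


if __name__ == "__main__":
    fw = parse_route_table(FIREWALL_ROUTES)
    old = parse_route_table(EARLIER_ROUTES)
    print("inner router 192.168.51.99 goes out", lookup(fw, "192.168.51.99")["iface"])
    print("earlier table has explicit route for 192.168.51.0/24:",
          explicit_route_for(old, "192.168.51.0/24") is not None)
    print("routed parts of rightsubnet 192.168.0.0/16:",
          routes_inside(fw, "192.168.0.0/16"))
```

Run against the two tables from the thread, the script confirms the other poster's observation: the earlier table has no route for 192.168.51.0/24 at all, while the full firewall table reaches it via eth1 and reaches 192.168.50.99 through the inner router as gateway. It also shows that only three networks of the advertised 192.168.0.0/16 are actually routed, which is worth knowing before widening or narrowing rightsubnet.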
