Mailinglist Archive: opensuse-security (375 mails)

free/SWAN and SuSEfirewall2 (iptables)
  • From: Michael Boettjer <michael@xxxxxxxxxxxx>
  • Date: Mon, 09 Sep 2002 15:04:51 +0200
  • Message-id: <5.1.0.14.2.20020909141420.01dc4320@xxxxxxxxxxxxxxxxxxxxxxxx>
Hi,

I have problems connecting a road warrior (with a dial-up adapter only) to my network, but I think it should work.
The network begins at the firewall, which is running on SuSE 7.2 with SuSEfirewall2. The firewall has 3 interfaces:
one goes into the DMZ, with private IP addresses (range 192.168.52.0/24). SuSEfirewall2 is doing port forwarding here.
The 2nd interface is connected to another SuSE 7.0 server (via crossover cable), which routes between 2 internal subnets. All traffic from these subnets towards the firewall is masqueraded (subnets 192.168.50.0/24 and 192.168.55.0/24). The subnet between the inner router and the firewall has the range 192.168.51.0/24.
The 3rd interface has an official IP address.

So far, so good.

For two weeks now I have been trying to successfully connect AND then ping and connect to servers in the subnets 192.168.50 or .55 (behind the 2nd Linux router).
The VPN tunnel is established (afaik), but nothing else happens. I can't reach any server: no server in the DMZ and no server in the inner LAN behind the second Linux router. There are also no logged drops or rejects from the firewall. See my logs:

-----------------

Sep 9 14:12:19 goofy Pluto[1003]: packet from 193.159.64.92:500: ignoring Vendor ID payload
Sep 9 14:12:19 goofy Pluto[1003]: "gio-warriors" #1: responding to Main Mode from Road Warrior 193.159.64.92
Sep 9 14:12:19 goofy Pluto[1003]: "gio-warriors" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Sep 9 14:12:20 goofy Pluto[1003]: "gio-warriors" #2: responding to Quick Mode
Sep 9 14:12:20 goofy Pluto[1003]: "gio-warriors" #2: STATE_QUICK_R2: IPsec SA established

/root >iptables -L | grep "dialin"
ACCEPT all -- pC19F405C.dip.t-dialin.net 192.168.0.0/16
ACCEPT all -- 192.168.0.0/16 pC19F405C.dip.t-dialin.net

/root >ipsec look
gateway Mon Sep 9 14:14:27 CEST 2002
192.168.0.0/16 -> 193.159.64.92/32 => tun0x1002@xxxxxxxxxxxxx esp0x24dd43ed@xxxxxxxxxxxxx
ipsec0->eth0 mtu=16260->1500
esp0x24dd43ed@xxxxxxxxxxxxx ESP_3DES_HMAC_MD5: dir=out src=195.90.31.11 iv_bits=64bits iv=0x7010041f4bc4b10c ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(127,0,0)
esp0x78a28da1@xxxxxxxxxxxx ESP_3DES_HMAC_MD5: dir=in src=193.159.64.92 iv_bits=64bits iv=0x1e51283693e0a222 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=add(127,0,0)
tun0x1001@xxxxxxxxxxxx IPIP: dir=in src=193.159.64.92 life(c,s,h)=add(127,0,0)
tun0x1002@xxxxxxxxxxxxx IPIP: dir=out src=190.91.41.11 life(c,s,h)=add(127,0,0)
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 195.90.31.254 0.0.0.0 UG 40 0 0 eth0
193.159.64.92 190.91.41.254 255.255.255.255 UGH 40 0 0 ipsec0
190.91.41.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0
190.91.41.0 0.0.0.0 255.255.255.0 U 40 0 0 ipsec0

--------------------------

What is the matter?
I have edited the file /etc/rc.config.d/firewall2.rc.config as given (port 500/udp, protocol 50, ipsec0 in the field FW_EXT_DEV because of rp_filter, etc.).
Furthermore I have set up a /usr/lib/ipsec/_updown_custom with iptables rules as follows:

[...]
up-client:)
    # connection to my client subnet coming up
    # If you are doing a custom version, firewall commands go here.
    iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
    iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
    ;;
down-client:)
    # connection to my client subnet going down
    # If you are doing a custom version, firewall commands go here.
    iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
    iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
        -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
    ;;
[...]

Where is the problem?

Thanks in advance for help... I'm in despair...
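The following is an added example, not the poster's _updown_custom and not FreeS/WAN's own script. It shows the up-client/down-client part of such a hook written so that it can be dry-run and tested, and it adds one rule the post's version lacks: an exemption of the tunnel traffic from masquerading. The assumption behind that rule is that SuSEfirewall2 masquerades on ipsec0 as well (which is what happens when ipsec0 is listed among the external devices and the masquerading device list falls back to them); in that case packets from the internal 192.168.x.x subnets would be source-NATed to the gateway address before entering the tunnel, and the road warrior would never see replies from the private addresses it sent to. The PLUTO_* variable names are the ones Pluto passes to _updown; everything else is illustrative.

```shell
#!/bin/sh
# Added example (not the poster's script): up-client/down-client handling for
# a FreeS/WAN /usr/lib/ipsec/_updown_custom on a gateway whose firewall
# (SuSEfirewall2-style) also masquerades traffic that leaves via ipsec0.
# Assumption: ipsec0 is among the masquerading devices, so tunnel traffic has
# to be excluded from MASQUERADE before it is encapsulated.

IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" for a dry run

# rules_for VERB MY_NET MY_MASK PEER_NET PEER_MASK
# Prints one iptables argument list per line for the given Pluto verb.
# Masks arrive dotted (255.255.0.0); iptables accepts that form after the slash.
rules_for() {
    verb=$1
    my="$2/$3"
    peer="$4/$5"
    case "$verb" in
        up-client)
            fwd="-I FORWARD 1"
            nat="-t nat -I POSTROUTING 1"
            ;;
        down-client)
            fwd="-D FORWARD"
            nat="-t nat -D POSTROUTING"
            ;;
        *)
            return 0   # prepare-*, route-*, unroute-* need no firewall rules
            ;;
    esac
    # Exempt tunnel traffic from masquerading: ACCEPT in nat/POSTROUTING ends
    # NAT processing for the connection, so a later MASQUERADE rule never
    # rewrites the source address of packets destined for the road warrior.
    echo "$nat -s $my -d $peer -j ACCEPT"
    # Let the decrypted traffic through the FORWARD chain in both directions.
    echo "$fwd -s $my -d $peer -j ACCEPT"
    echo "$fwd -s $peer -d $my -j ACCEPT"
}

# apply_rules VERB MY_NET MY_MASK PEER_NET PEER_MASK
# Runs every generated line through $IPTABLES (real binary or dry-run echo).
apply_rules() {
    rules_for "$@" | while read -r args; do
        # word splitting of $args into separate arguments is intended here
        $IPTABLES $args
    done
}

# When Pluto invokes the hook, PLUTO_VERB is set; otherwise do nothing so the
# file can be sourced for testing.
if [ -n "$PLUTO_VERB" ]; then
    apply_rules "$PLUTO_VERB" \
        "$PLUTO_MY_CLIENT_NET" "$PLUTO_MY_CLIENT_MASK" \
        "$PLUTO_PEER_CLIENT_NET" "$PLUTO_PEER_CLIENT_MASK"
fi
```

Running it with IPTABLES="echo iptables" and the values from the post (192.168.0.0/255.255.0.0 as the local client net, 193.159.64.92/255.255.255.255 as the peer) prints the three commands instead of executing them. The exemption is inserted at position 1 of nat/POSTROUTING so it sits in front of whatever MASQUERADE rule the firewall script installed; whether it is hit can be checked with the packet counters of `iptables -t nat -L POSTROUTING -n -v` while pinging through the tunnel. One caveat that holds for any rules added from _updown: restarting SuSEfirewall2 rebuilds its chains and discards them, so after a firewall restart the connection has to be brought down and up again.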


