Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] packets still seem to be dropped not routed despiterp_filter=0
  • From: Philipp Rusch <Philipp.Rusch@xxxxxxxxxxxx>
  • Date: Thu, 11 Sep 2003 23:19:17 +0200
  • Message-id: <3F60E6D5.4661771F@xxxxxxxxxxxx>
Sorry guys,

totally dead brain today ... ;-)

ports are udp/500 (isakmp)
protocol is 50 if using ESP and 51 if using AH (this is optional, at least for me)

what about FW_ROUTE="yes"?

other comments inline

Regards from Germany, Philipp

J J wrote:

> --- SNIP ---

>
> This is an extract from my current /etc/sysconfig/SuSEfirewall2...
>
> FW_QUICKMODE="no"

> FW_DEV_EXT="ppp0"

I think you have to put ipsec0 here to EXT as well!

FW_DEV_INT="eth0 ipsec0"

> FW_DEV_DMZ=""
> FW_ROUTE="no"

should be "yes"

> FW_MASQUERADE="no"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS=""
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="smtp ssh"
> FW_SERVICES_EXT_UDP="isakmp"
> FW_SERVICES_EXT_IP="esp ah"
>
> Anyway I made a small amount of extra progress, at least in the way of
> ruling out problems. I decided to try connecting from the "jellybean"
> gateway itself to the "Bookman" LAN by creating adjusted entries in
> ipsec.conf and succeeded. Basically it worked right out of the box, I just
> removed the leftsubnet declarations on both sides - now the gateway can ping
> all the servers on the "Bookman" LAN and vice versa. This isn't the long
> term solution but does at least show that the boxes will talk to each other
> and send ipsec traffic correctly.
>
> Plus I toyed with the latest rdesktop and maybe I can persuade people to use
> that instead of Win 2k boxes with MSTSC client anyway! :) (ha!)
>
> But I'm still not sure why the SuSE 8.2 box is misbehaving and dropping my
> packets. Do you have any idea how I switch on debugging on the kernel
> routing code??
>

-- SNIP --

You know that there is a problem pinging the VPN gateway machine itself?
There is a trick (documented in a c't magazine article some days ago) to implement
iptables rules to route these ICMP messages as well, to simply "test the connection".

HTH, Philipp
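As an added example (not part of this thread), a small POSIX shell script that audits an /etc/sysconfig/SuSEfirewall2 file for the settings Philipp points out: FW_ROUTE="yes", ipsec0 listed in FW_DEV_INT, and isakmp (udp/500) plus esp/ah (protocols 50/51) opened on the external device. The sample config it writes is constructed from J J's extract; fw_get, list_has, write_sample_conf and ipsec_audit are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original thread or from SuSEfirewall2 itself.

# Write a constructed sample that mirrors J J's extract (before corrections).
write_sample_conf() {
    # $1 = destination path
    cat >"$1" <<'EOF'
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_SERVICES_EXT_TCP="smtp ssh"
FW_SERVICES_EXT_UDP="isakmp"
FW_SERVICES_EXT_IP="esp ah"
EOF
}

# Print the (last) value assigned to a FW_* variable, quotes stripped.
fw_get() {
    # $1 = config file, $2 = variable name
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" "$1" | tail -n 1
}

# Return 0 if the whitespace-separated list $1 contains the word $2.
list_has() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# Print one line per finding; prints nothing when the IPsec-related settings are in place.
ipsec_audit() {
    conf=$1
    # The gateway must forward between the LAN and the tunnel interface.
    [ "$(fw_get "$conf" FW_ROUTE)" = "yes" ] || echo "FW_ROUTE should be \"yes\""
    # Philipp's suggested placement: FW_DEV_INT="eth0 ipsec0".
    list_has "$(fw_get "$conf" FW_DEV_INT)" ipsec0 || echo "ipsec0 missing from FW_DEV_INT"
    # IKE negotiation (udp/500) and the ESP/AH protocols (50/51) must reach the gateway.
    list_has "$(fw_get "$conf" FW_SERVICES_EXT_UDP)" isakmp || echo "isakmp missing from FW_SERVICES_EXT_UDP"
    for p in esp ah; do
        list_has "$(fw_get "$conf" FW_SERVICES_EXT_IP)" "$p" || echo "$p missing from FW_SERVICES_EXT_IP"
    done
}

# Usage: audit the file given as argument, or the constructed sample if none.
if [ $# -gt 0 ]; then
    ipsec_audit "$1"
else
    tmp=$(mktemp); write_sample_conf "$tmp"; ipsec_audit "$tmp"; rm -f "$tmp"
fi
```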

