packets still seem to be dropped not routed despite rp_filter=0
  • From: "J J" <c_peto@xxxxxxxxxxx>
  • Date: Thu, 11 Sep 2003 10:50:30 +0000
  • Message-id: <Sea2-F38KX9ssssGKeD000033e8@xxxxxxxxxxx>
I'm trying to set up a VPN from "home" LAN to "bookman" LAN.
I've set up Freeswan successfully and it *appears* to be doing its job, but
still packets aren't getting through. I suspect that routing isn't working for
some reason and I've reached the limit of my security knowledge.

Can anyone help?

The set up is this:
"Bookman" LAN is subnet with Ipsec gateway "flanger" on
IP address "Bookman" LAN connects to internet via ADSL ("Vigor")
router that has "Ipsec passthru". In terms of configuration this means that
I've switched off the "Vigor" router's built-in Ipsec processing and set UDP
on port 500 to forward direct to "flanger" on The router's
software is set to recognize this combination as a signal to switch on Ipsec
passthru so that protocols 50 and 51 are also forwarded to the same internal

(We've successfully set up and used an SA to a "Fortigate" router based on this
through to another company "SGPM" and we use that VPN for production purposes.
It's fast and stable and has impressed management!)

"Home" LAN is subnet with Ipsec gateway "jellybean" on external
IP address 217.... (hidden for privacy - if that's me being silly I'm happy to
reveal it!). The "home" gateway has an ethernet card on with a
hub connected to that and (at present) one test laptop connected to the hub
running Win 2k.

Ipsec gateway on "Bookman" LAN ("flanger") is running SuSE 7.2 and our gateway
here ("jellybean") is running SuSE 8.2 (these seem to be Freeswan 1.91 and 1.99

The idea is to have a VPN connecting PCs and laptops on the "home" LAN to the
servers on the "Bookman" LAN in production.

Progress so far:
With a small amount of tinkering I managed to get the two pluto daemons to talk
and agree an SA but was unable to ping servers on the "Bookman" LAN from
either our gateway or our test laptop. After help from Rob Maurizzi on this
mailing list I managed to get KLIPS debugging and found that, rather boringly,
the gateway was unable to ping Bookman servers because packets were being seen
by KLIPS as coming from the WAN address of the router (217....) and so had no
eroute and were dropped - this was clearly visible in the stats on ifconfig,
which helped.

However this didn't explain why the laptop couldn't reach the Bookman LAN. My
initial thought was that routing needed to be switched on. The box is
configured as a firewall with a SQUID proxy so the "home" LAN can access the
www. SuSEfirewall2 is running to prevent malicious attacks but allow Ipsec
traffic. Config is basically - allow external TCP service "ssh" plus external
UDP service "isakmp" plus external IP protocols "ah" and "esp", do not protect
from internal network, reject rather than drop packets (temporary for debug)
and log all dropped packets (temporary for debug).

When I ping from the Win 2k laptop to a Bookman server I see nothing in the
firewall logs, nothing in KLIPS debug. I see packets arriving on eth0 but
nothing on ipsec0 or ppp0 (the WAN interface).

echo "1" > /proc/sys/net/ipv4/ip_forward makes no difference

cat /proc/sys/net/ipv4/conf/*/forwarding gives "1"s for all devices and worse

cat /proc/sys/net/ipv4/conf/*/rp_filter gives "0"s for all devices!

Outputs:

jellybean:~ # rcipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: ipsec
ipsec_setup: done
jellybean:~ # ipsec auto --up jellybean-bookman
104 "jellybean-bookman" #1: STATE_MAIN_I1: initiate
106 "jellybean-bookman" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "jellybean-bookman" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "jellybean-bookman" #1: STATE_MAIN_I4: ISAKMP SA established
112 "jellybean-bookman" #2: STATE_QUICK_I1: initiate
004 "jellybean-bookman" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
jellybean:~ # ip route ls
dev ppp0 proto kernel scope link src
dev ipsec0 proto kernel scope link src
via dev ipsec0
dev eth0 proto kernel scope link src
default via dev ppp0
jellybean:~ # ip rule ls
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
jellybean:~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
UH 0 0 0 ppp0
UH 0 0 0 ipsec0
UG 0 0 0 ipsec0
U 0 0 0 eth0
UG 0 0 0 ppp0
jellybean:~ #
jellybean:~ # ifconfig
eth0 Link encap:Ethernet HWaddr 00:40:95:30:5C:79
inet addr: Bcast: Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:8692 (8.4 Kb)
Interrupt:5 Base address:0xc000

ipsec0 Link encap:IPIP Tunnel HWaddr
inet addr: Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Link encap:Local Loopback
inet addr: Mask:
RX packets:32 errors:0 dropped:0 overruns:0 frame:0
TX packets:32 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2056 (2.0 Kb) TX bytes:2056 (2.0 Kb)

ppp0 Link encap:Point-to-Point Protocol
inet addr: P-t-P: Mask:
RX packets:886 errors:0 dropped:0 overruns:0 frame:0
TX packets:957 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:3
RX bytes:375562 (366.7 Kb) TX bytes:107243 (104.7 Kb)

jellybean:~ #

(OK so I capitulated - you can see my WAN address - hey, I trust SuSEfirewall2 !! :) )
(Note eth0 stats aren't accurate at the moment, I just created this quickly before
rushing to a meeting.)

Does anyone know what happened to my packets?!?
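As an added example (not part of the original post or of FreeS/WAN), the check I would script before reading KLIPS debug: a longest-prefix-match lookup over an `ip route ls` listing in the shape shown above, reporting whether a packet bound for the remote LAN would be routed into ipsec0 or fall through to the default route on ppp0 (and so leave in the clear). The addresses are placeholders, since the post's own addresses were stripped; 192.168.2.0/24 stands in for the "Bookman" LAN.

```python
import ipaddress

# Constructed `ip route ls` listing in the shape the post shows; the
# addresses are placeholders (TEST-NET-3 for the WAN, RFC 1918 for the LANs).
ROUTE_TABLE = """\
203.0.113.1 dev ppp0 proto kernel scope link src 203.0.113.2
203.0.113.1 dev ipsec0 proto kernel scope link src 203.0.113.2
192.168.2.0/24 via 203.0.113.1 dev ipsec0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
default via 203.0.113.1 dev ppp0
"""

def parse_routes(text):
    """Turn `ip route ls` lines into (network, via, dev) tuples."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dst if "/" in dst else dst + "/32")
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, via, dev))
    return routes

def lookup(routes, dst):
    """Longest-prefix match over the table, as the kernel's main table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, via, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via, dev)
    return best

def diagnose(routes, dst, remote_lan, tunnel_dev="ipsec0"):
    """Return (egress device, verdict) for a forwarded packet to dst. When dst
    is in the remote LAN the egress must be the KLIPS tunnel device, otherwise
    the packet takes the default route and leaves the gateway unencrypted."""
    hit = lookup(routes, dst)
    if hit is None:
        return None, "no route at all"
    dev = hit[2]
    if ipaddress.ip_address(dst) in ipaddress.ip_network(remote_lan):
        if dev == tunnel_dev:
            return dev, "ok: remote LAN is routed into the tunnel"
        return dev, "not routed into the tunnel: would leave %s in the clear" % dev
    return dev, "not a VPN destination"
```

If the verdict is "ok" for a Bookman address, routing is not what eats the packets and the next place to look is the forwarding path between eth0 and ipsec0.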
