Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Problem with IPSec and SuSEfirewall2 SuSE-FW-ILLEGAL-TARGET
  • From: Benjamin P Myers <dative@xxxxxxxxxxxxxxxx>
  • Date: Mon, 3 Nov 2003 04:08:45 -0600
  • Message-id: <200311030408.46038.dative@xxxxxxxxxxxxxxxx>
I had some trouble getting this set up, too. I had overlooked FW_MASQ_DEV and
used the default which included all of the external interfaces. You don't
want to masq the stuff on ipsec0:

FW_MASQ_DEV="eth1"

Did the trick for me. I didn't have to mess with _updown, either. But this,
of course, I only realized after I did exactly what you've done to _updown.
Perhaps it would be good to add a note in the FAQ mentioning not to NAT the
ipsec interface.

On Wednesday 29 October 2003 06:43 am, R. Peters wrote:
> Hi,
>
> after weeks of reading FAQs, guides and everything I found about firewalls
> and FreeS/WAN I still have a big problem.
>
> But first I describe what is working and my network setup:
>
> roadwarrior
> (a.b.c.d)
>
> internet
>
> (d.e.f.g, static ip, ext. device, eth1, ipsec0)
> gateway with SuSE 8.2 and FreeS/WAN
> (10.10.11.3, int. device, eth0)
>
> (10.10.11.0/24, int. network)
> LAN
>
> IPSec connection between roadwarrior and gateway external device works
> without any problem.
>
> But no matter what I try, if I try to ping the gateway's internal device
> (10.10.11.3) or the internal network I always get
>
> SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT=
> MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.x
> DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3540 PROTO=ICMP TYPE=8
> CODE=0 ID=1280 SEQ=256
>
> *SRC=xxx.xxx.xxx.x is the address of my roadwarrior
>
> I did set up the Firewall as described in
> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES Scenario4:
>
> FW_DEV_EXT="eth1 ipsec0"
> FW_DEV_INT="eth0"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_NETS="10.10.11.0/24"
> FW_SERVICES_EXT_UDP="500"
> FW_SERVICES_EXT_IP="50 51"
> FW_FORWARD="a.b.c.d,10.10.11.0/24 10.10.11.0/24,a.b.c.d"

I had the problem of using nat and forgetting to take ipsec0 out of
FW_MASQ_DEV.

> a.b.c.d is the address of my roadwarrior
>
> I left all other options default for testing the IPSec connections.
> Even without routing and masquerading I still get the error above, and the
> above settings for routing, forwarding and masquerading did not change
> anything.
>
> I also tried to make a custom updown script to be executed when ipsec0
> comes up; that didn't change anything either.
>
> If the firewall is disabled I can ping the gateway's internal device
> (10.10.11.3) from an external IPSec connection.
> With the firewall enabled I can only access the external device of the
> gateway - I cannot ping to the internal network.
>
> Any suggestions what I am doing wrong here?
> I guess I have to use a custom updown script that allows traffic between
> the roadwarrior and the internal network and is executed each time an
> IPSec connection comes up.
>
> I tried this script but still had the SuSE-FW-ILLEGAL-TARGET error:
>
> up-client:)
> iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -d $PLUTO_PEER_CLIENT -j ACCEPT
> iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -s $PLUTO_PEER_CLIENT -j ACCEPT
> ;;
>
> down-client:)
> iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -d $PLUTO_PEER_CLIENT -j ACCEPT
> iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
> -s $PLUTO_PEER_CLIENT -j ACCEPT
> ;;
>
> I checked the Pluto variables at execution time of the script and the
> IP addresses represented by those were correct.
>
> I appreciate any suggestions, thanks in advance,
>
> R. Peters
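
Added check, not code from the thread: a small shell lint that reads a SuSEfirewall2 config fragment and flags the misconfiguration described in the reply above, where an empty FW_MASQ_DEV falls back to every FW_DEV_EXT interface and so masquerades ipsec0. The fw_get and ipsec_masq_check helpers and the two sample config files are constructed for this example; the "empty means all external devices" fallback is taken from the reply.

```shell
#!/bin/sh
# Constructed lint for a SuSEfirewall2 config fragment (example code, not
# from the original post). Assumes the SuSEfirewall2 behaviour noted in the
# reply: an empty FW_MASQ_DEV means "masquerade on every FW_DEV_EXT device".

# fw_get VAR FILE: print the (last) value of VAR="..." in FILE, quotes stripped.
fw_get() {
    sed -n "s/^[[:space:]]*$1=\"\\{0,1\\}\\([^\"]*\\)\"\\{0,1\\}.*/\\1/p" "$2" | tail -n 1
}

# ipsec_masq_check FILE [IPSEC_IF]: return 0 if the IPsec interface is not
# masqueraded, 1 if it is (which breaks roadwarrior -> LAN traffic).
ipsec_masq_check() {
    cfg=$1; ipsec_if=${2:-ipsec0}
    masq=$(fw_get FW_MASQUERADE "$cfg")
    masq_dev=$(fw_get FW_MASQ_DEV "$cfg")
    dev_ext=$(fw_get FW_DEV_EXT "$cfg")
    [ -z "$masq_dev" ] && masq_dev=$dev_ext   # default: all external devices
    if [ "$masq" != "yes" ]; then
        echo "OK: FW_MASQUERADE is not enabled"; return 0
    fi
    for dev in $masq_dev; do
        if [ "$dev" = "$ipsec_if" ]; then
            echo "WARN: $ipsec_if is masqueraded (effective FW_MASQ_DEV=\"$masq_dev\")"
            echo "      set FW_MASQ_DEV to the real external device only, e.g. FW_MASQ_DEV=\"eth1\""
            return 1
        fi
    done
    echo "OK: $ipsec_if is not in effective FW_MASQ_DEV=\"$masq_dev\""; return 0
}

# Constructed sample configs mirroring the thread: the poster's settings with
# FW_MASQ_DEV left at its default, and the same with the fix from the reply.
bad=$(mktemp); good=$(mktemp)
cat >"$bad" <<'EOF'
FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_MASQ_DEV=""
EOF
cat >"$good" <<'EOF'
FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth1"
EOF
ipsec_masq_check "$bad"  || true   # prints the WARN lines
ipsec_masq_check "$good" || true   # prints OK
```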

