Mailinglist Archive: opensuse-security (88 mails)

[Fwd: [suse-security] VPN and SuSEfirewall2]
  • From: Carsten Voigt <cvo@xxxxxxx>
  • Date: Thu, 27 Apr 2006 11:09:15 +0200
  • Message-id: <44508A3B.5090805@xxxxxxx>
Hi Jonathan,

I am not absolutely sure how to interpret your "A can see B". But it sounds like "Ping from A to B is answered" or "A can see B's samba shares"?
In that case, to me your problem seems to be at the "linksys" side.

It is a standard behaviour of some firewalls to let everything out of, but only authorized things into, the local network.
Some firewalls provide opportunities to filter VPN traffic like that, too.
Can it be that the linksys device has filters which keep the Linux side from addressing services needed to "see" things behind the linksys?

It is a standard behaviour of NAT routers to translate non-reserved ports proxy-wise (to the internet, only the router's outside interface IP is visible).
But all services of internal servers have to be translated from local host IP and port to the router's outside interface's IP and port.
Do you really have evidence that your connection "A to B" is going through the IPSec tunnel?

Other possible problems might be that the Linux router side cannot resolve names or access directory services at the linksys side.
If you say "B does not see A", do you mean it does not find it by name or by IP?

--
Kind Regards

i.A. Carsten Voigt
bios ag (hrb-hh 73193)
brauhausstieg 15-17
d-22041 hamburg
fon +49 40 689 439 0
fax +49 40 689 439 39
cvo@xxxxxxx
www.bios.de

chairman of the supervisory board: wolfgang borchert
executive board: ulrich kalthoff, heinrich zwiebelmann

-------- Original Message --------
Subject: [suse-security] VPN and SuSEfirewall2
Date: Thu, 27 Apr 2006 15:36:13 +0930
From: Jonathan Baxter <jbaxter@xxxxxxxxxxxxx>
To: suse-security@xxxxxxxx

Please excuse me if this is not the correct forum for VPN and firewall issues on SuSE.
I am trying to set up an ipsec VPN between two private subnets, and I have run into a snag that I cannot resolve. The VPN establishes itself fine, and I can connect from any machine on the right subnet to any machine on the left subnet, but not vice versa.

Here's the setup:
192.168.1.0/24===a.a.a.a---b.b.b.b...c.c.c.c---d.d.d.d===192.168.200.0/24

"a.a.a.a" is the external interface of a SuSE 10.0 box which masquerades machines on the internal 192.168.1.0/24 subnet. "b.b.b.b" is its nexthop router.
"d.d.d.d" is the external interface of my home linksys AG241 DSL router. "c.c.c.c" is its nexthop router (at the ISP).
I have an ipsec, pre-shared key tunnel from a.a.a.a to d.d.d.d. The SuSE box is running it with OpenSwan, the linksys router is just set up via the normal linksys configuration (which may well be OpenSwan under the hood).
Everything works fine from right to left, i.e. all machines on the 192.168.200.0 subnet behind the linksys router can see all machines on the 192.168.1.0 subnet behind the SuSE box.
But nothing works from left to right; neither the SuSE router box itself nor any machine on the 192.168.1.0 subnet behind it can see any machine on the 192.168.200.0 subnet at the other end of the tunnel.

This seems to me like it must be a routing problem, but I can't for the life of me work out how to fix it.
I am running SuSEfirewall2 on the SuSE router. I have explicitly enabled forwarding between the two subnets by setting FW_FORWARD in /etc/sysconfig/SuSEfirewall2:
FW_FORWARD="192.168.1.0/24,192.168.200.0/24,,,ipsec \
            192.168.200.0/24,192.168.1.0/24,,,ipsec"

I have explicitly disabled NAT of packets between the two subnets by adding the following line to the fw_custom_before_port_handling() section of /etc/sysconfig/scripts/SuSEfirewall2-custom:
# masquerade LAN traffic leaving eth2, except what is bound for the tunnel peer's subnet
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 ! -d 192.168.200.0/24 -j MASQUERADE

The tunnel config in /etc/ipsec.conf looks like:
conn net-to-net
        # Key exchange method
        authby=secret
        # Left security gateway, subnet behind it, nexthop toward right.
        left=a.a.a.a
        leftsubnet=192.168.1.0/24
        leftnexthop=b.b.b.b
        # Right security gateway, subnet behind it, nexthop toward left.
        right=d.d.d.d
        rightsubnet=192.168.200.0/24
        rightnexthop=c.c.c.c
        auto=start

Any suggestions?
Thanks,

Jonathan Baxter

--

Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
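Carsten's question (is the A-to-B traffic really inside the tunnel?) and Jonathan's custom MASQUERADE exclusion point at the same check: does any POSTROUTING masquerade rule on the external interface rewrite the source of packets bound for the remote subnet? A packet whose source has already been masqueraded to the router's outside address no longer matches the 192.168.1.0/24 <-> 192.168.200.0/24 IPsec policy and leaves the box in the clear, which is exactly why such an exclusion rule is needed. The script below is an added example for this thread, not code from either poster or from the SuSEfirewall2 project. It assumes the addresses used in the thread (192.168.1.0/24 local, 192.168.200.0/24 remote, eth2 as the external interface) and runs over a constructed `iptables-save -t nat` dump; on the real router you would feed it `iptables-save -t nat` instead.

```sh
#!/bin/sh
# Added example (not from the thread): audit a NAT table dump for MASQUERADE
# rules that would rewrite the source address of traffic destined for the
# IPsec peer subnet. Addresses and interface below are assumptions taken
# from the thread; the iptables-save text is constructed for this example.

LOCAL_NET="192.168.1.0/24"
REMOTE_NET="192.168.200.0/24"
WAN_IF="eth2"

# Constructed sample of `iptables-save -t nat` output. The first rule is the
# catch-all form (masquerades tunnel-bound traffic too); the second is the
# hardened form that excludes the remote subnet.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.200.0/24 -o eth2 -j MASQUERADE
COMMIT'

# audit_masquerade: read an iptables-save dump on stdin and print every
# POSTROUTING MASQUERADE rule that applies to WAN_IF, covers LOCAL_NET and does
# not exclude REMOTE_NET. Exit status 0 means clean, 1 means at least one rule
# would masquerade tunnel traffic. Address comparison is textual only (no
# prefix arithmetic); both the old "-d ! addr" and the new "! -d addr"
# negation syntaxes are understood.
audit_masquerade() {
    awk -v lan="$LOCAL_NET" -v remote="$REMOTE_NET" -v wan="$WAN_IF" '
        /^-A POSTROUTING / && /-j MASQUERADE/ {
            src = ""; sneg = 0; dst = ""; dneg = 0; oif = ""; neg = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "!") { neg = 1; continue }        # new syntax: ! -d addr
                if ($i == "-s" || $i == "-d" || $i == "-o") {
                    opt = $i; i++
                    if ($i == "!") { neg = 1; i++ }          # old syntax: -d ! addr
                    if (opt == "-s")      { src = $i; sneg = neg }
                    else if (opt == "-d") { dst = $i; dneg = neg }
                    else                  { oif = $i }
                }
                neg = 0
            }
            # Rules bound to another interface never see tunnel traffic.
            if (oif != "" && oif != wan) next
            # Does the source match cover the LAN? No -s, -s LAN, or a
            # negated -s of something else all do.
            covers_lan = (src == "" || (!sneg && src == lan) || (sneg && src != lan))
            if (!covers_lan) next
            # Does the destination match keep the remote subnet out?
            excludes_remote = (dneg && dst == remote) || (!dneg && dst != "" && dst != remote)
            if (excludes_remote) next
            print "leaks tunnel traffic: " $0
            bad = 1
        }
        END { exit bad ? 1 : 0 }
    '
}

# Usage against the constructed sample; on the router use:
#   iptables-save -t nat | audit_masquerade
if printf '%s\n' "$SAMPLE_NAT" | audit_masquerade; then
    echo "nat: no MASQUERADE rule catches tunnel traffic"
else
    echo "nat: exclude $REMOTE_NET from MASQUERADE on $WAN_IF before the IPsec policy sees the packet"
fi
```

Two caveats a practitioner would add: the check only covers rules SuSEfirewall2 has actually loaded (run it after `rcSuSEfirewall2 restart`), and it does not explain traffic originating on the router itself, since a.a.a.a is not inside leftsubnet and therefore never matches the net-to-net policy.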

