Mailinglist Archive: opensuse-security (88 mails)

VPN and SuSEfirewall2
  • From: Jonathan Baxter <jbaxter@xxxxxxxxxxxxx>
  • Date: Thu, 27 Apr 2006 15:36:13 +0930
  • Message-id: <200604271536.13792.jbaxter@xxxxxxxxxxxxx>
Please excuse me if this is not the correct forum for VPN and firewall issues
on SuSE.

I am trying to set up an ipsec VPN between two private subnets, and I have run
into a snag that I cannot resolve. The VPN establishes itself fine, and I can
connect from any machine on the right subnet to any machine on the left
subnet, but not vice versa.

Here's the setup:

192.168.1.0/24===a.a.a.a---b.b.b.b...c.c.c.c---d.d.d.d===192.168.200.0/24

"a.a.a.a" is the external interface of a SuSE 10.0 box which masquerades
machines on the internal 192.168.1.0/24 subnet. "b.b.b.b" is its nexthop
router.

"d.d.d.d" is the external interface of my home linksys AG241 DSL router.
"c.c.c.c" is its nexthop router (at the ISP).

I have an ipsec, pre-shared key tunnel from a.a.a.a to d.d.d.d. The SuSE box
is running it with OpenSwan, the linksys router is just set up via the normal
linksys configuration (which may well be OpenSwan under the hood).

Everything works fine from right-to-left, i.e. all machines on the
192.168.200.0 subnet behind the linksys router can see all machines on the
192.168.1.0 subnet behind the SuSE box.

But nothing works from left-to-right; neither the SuSE router box itself nor
any machine on the 192.168.1.0 subnet behind it can see any machine on
the 192.168.200.0 subnet at the other end of the tunnel.

This seems to me like it must be a routing problem, but I can't for the life
of me work out how to fix it.

I am running SuSEfirewall2 on the SuSE router. I have explicitly enabled
forwarding between the two subnets by setting FW_FORWARD
in /etc/sysconfig/SuSEfirewall2:

FW_FORWARD="192.168.1.0/24,192.168.200.0/24,,,ipsec \
192.168.200.0/24,192.168.1.0/24,,,ipsec"

I have explicitly disabled NAT of packets between the two subnets by adding
the following line to the fw_custom_before_port_handling() section
of /etc/sysconfig/scripts/SuSEfirewall2-custom:

iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \! 192.168.200.0/24 -j MASQUERADE

The tunnel config in /etc/ipsec.conf looks like:

conn net-to-net
        # Key exchange method
        authby=secret
        # Left security gateway, subnet behind it, nexthop toward right.
        left=a.a.a.a
        leftsubnet=192.168.1.0/24
        leftnexthop=b.b.b.b
        # Right security gateway, subnet behind it, nexthop toward left.
        right=d.d.d.d
        rightsubnet=192.168.200.0/24
        rightnexthop=c.c.c.c
        auto=start

Any suggestions?

Thanks,

Jonathan Baxter
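The check a practitioner would want for the setup above, as an added example that is not part of the original post: a first-match walk over a nat POSTROUTING chain to see whether a packet from the left subnet to the right subnet still reaches a MASQUERADE rule. The chain contents are constructed (the post's exclusion rule followed by a generic masquerade rule of the kind a FW_MASQUERADE configuration appends); the interface name eth2 is the one from the post, and the second chain shows an explicit ACCEPT for tunnel traffic placed first.

```python
import ipaddress
import shlex

# Constructed nat POSTROUTING chains in iptables-save syntax (assumed for
# illustration, not taken from the poster's box). In CHAIN_LEAKY the custom
# exclusion rule simply fails to match tunnel-bound packets, so they fall
# through to the generic masquerade rule behind it.
CHAIN_LEAKY = [
    "-A POSTROUTING -o eth2 -s 192.168.1.0/24 ! -d 192.168.200.0/24 -j MASQUERADE",
    "-A POSTROUTING -o eth2 -s 192.168.1.0/24 -j MASQUERADE",
]
# Same chain with an explicit bypass for tunnel traffic in front of it.
CHAIN_FIXED = [
    "-A POSTROUTING -s 192.168.1.0/24 -d 192.168.200.0/24 -j ACCEPT",
] + CHAIN_LEAKY


def parse_rule(line):
    """Parse the subset of iptables-save syntax used here: -s/-d/-o with an
    optional leading '!', and -j. Other tokens (-A, chain name) are skipped."""
    toks = shlex.split(line)
    rule = {"src": None, "dst": None, "out": None, "target": None}
    negate, i = False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate = True
        elif t in ("-s", "-d", "-o"):
            key = {"-s": "src", "-d": "dst", "-o": "out"}[t]
            val = toks[i + 1] if t == "-o" else ipaddress.ip_network(toks[i + 1])
            rule[key] = (val, negate)
            negate, i = False, i + 1
        elif t == "-j":
            rule["target"], i = toks[i + 1], i + 1
        i += 1
    return rule


def nat_target(chain, src, dst, out_if):
    """First-match walk: return the terminating target for the packet, or
    None if it falls off the end of the chain (no NAT applied)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in chain:
        rule = parse_rule(line)
        tests = [(rule["src"], lambda n: src in n),
                 (rule["dst"], lambda n: dst in n),
                 (rule["out"], lambda v: v == out_if)]
        # A matcher fails when its result equals its negation flag.
        if all(spec is None or test(spec[0]) != spec[1] for spec, test in tests):
            return rule["target"]
    return None
```

Run nat_target(CHAIN_LEAKY, "192.168.1.10", "192.168.200.5", "eth2") against nat_target(CHAIN_FIXED, ...) with the same packet: the leaky chain returns MASQUERADE, the fixed one ACCEPT, while Internet-bound traffic is masqueraded in both.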
