Hi,
we have a problem with SuSEfirewall2 (2.1) and IPsec FreeS/WAN (1.98) running on SuSE 7.3 (kernel 2.4.10).
The ISAKMP handshake goes okay, but incoming ESP packets are dropped:
Jul 17 08:17:51 camelopardalis kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=10.39.1.8 DST=192.168.2.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=25931 SEQ=37814
Jul 17 08:17:52 camelopardalis kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=10.39.1.8 DST=192.168.2.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=25931 SEQ=38070
camelopardalis has 2 interfaces: 212.206.243.123 (eth0) and 192.168.1.1 (eth0). If I start the firewall with "test", I see it would like to drop the packets but lets them pass for the test; then everything works wonderfully, but I hate to have a firewall down.
What do I need to add in the config file?
camelopardalis:/etc/sysconfig # cat SuSEfirewall2 | grep -v ^# | grep FW
FW_DEV_EXT="eth0 ipsec0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.2.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="www smtp ssh domain"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="www smtp ssh domain"
FW_SERVICES_INT_UDP="500"
FW_SERVICES_INT_IP="50 51"
FW_TRUSTED_NETS="192.168.2.0/24 10.39.0.0/16"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
Met vriendelijke groet / Mit freundlichen Grüßen / Kind Regards,
H.J. ten Berge
Test Engineer
Holland Institute of Traffic Technology HITT B.V.
P.O. box 717
Apeldoorn
the Netherlands
E-Mail: mailto:berge@hitt.nl
World Wide Web: http://www.hitt.nl
tel : +31 555432537
fax : +31 555432554
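As an added example, not part of the original post or of SuSEfirewall2: a small POSIX shell helper that parses SuSE-FW kernel log lines like the ones quoted above and summarises the dropped packets by incoming interface, outgoing interface, protocol, destination and destination port. This is the check a practitioner wants before touching the config, because the grouped output makes the relevant detail of the post's log lines hard to miss: the dropped packets are not ESP (protocol 50) arriving on eth0, they are already-decrypted ICMP packets entering on the ipsec0 virtual interface with OUT=eth1, i.e. they are being dropped in the forwarding path from ipsec0 to the internal interface. The function names `fw_field` and `fw_drop_summary` are my own; the sample log is constructed from the two entries in the post plus two made-up lines (one accepted, one dropped on eth0, source addresses from documentation ranges) so the filter has something to exclude and something else to count.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SuSEfirewall2/netfilter
# kernel log lines by what was dropped and where it came from.

# Constructed sample log: the two drop entries from the post plus two made-up
# entries (an accepted SSH SYN on eth0 and a dropped NetBIOS probe on eth0,
# source addresses from the documentation ranges).
SAMPLE_LOG='Jul 17 08:17:51 camelopardalis kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=10.39.1.8 DST=192.168.2.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=25931 SEQ=37814
Jul 17 08:17:52 camelopardalis kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=10.39.1.8 DST=192.168.2.2 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=25931 SEQ=38070
Jul 17 08:18:03 camelopardalis kernel: SuSE-FW-ACCEPT IN=eth0 OUT= SRC=203.0.113.7 DST=212.206.243.123 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jul 17 08:18:10 camelopardalis kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=198.51.100.9 DST=212.206.243.123 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=7 PROTO=TCP SPT=51234 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0'

# fw_field LINE KEY: print the value of the first KEY=value token in one log line.
fw_field() {
    printf '%s\n' "$1" | awk -v k="$2" '
        { for (i = 1; i <= NF; i++)
              if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit } }'
}

# fw_drop_summary: read log lines on stdin, keep only SuSE-FW-DROP entries and
# print "IN OUT PROTO DST DPT COUNT", most frequent first.  An empty OUT=
# (packet addressed to the firewall itself) and a missing DPT (ICMP) print as "-".
fw_drop_summary() {
    awk '
        /SuSE-FW-DROP/ {
            split("", f)                          # clear the per-line key map (portable awk)
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]   # tokens like DF or SYN are skipped
            out = (f["OUT"] == "") ? "-" : f["OUT"]
            dpt = ("DPT" in f) ? f["DPT"] : "-"
            n[f["IN"] " " out " " f["PROTO"] " " f["DST"] " " dpt]++
        }
        END { for (k in n) print k, n[k] }' | sort -k6,6nr -k1,1
}

# Usage: on a real box replace the sample with e.g. grep SuSE-FW /var/log/messages.
# The first summary line shows the drops are decrypted packets entering on ipsec0
# and being forwarded to eth1, not ESP arriving on eth0.
printf '%s\n' "$SAMPLE_LOG" | fw_drop_summary
```

Because the summary keys on IN and OUT, an IPsec gateway shows up with two distinct populations: packets with IN=eth0 and PROTO=50/51 (the tunnel itself, covered by FW_SERVICES_EXT_IP="50 51" in the config above) and packets with IN=ipsec0 OUT=eth1 (the cleartext the tunnel delivered, which FreeS/WAN re-injects on the ipsec0 interface and the firewall then has to forward). It is the second group that the quoted log shows being hit by the default drop rule.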