Hi All,

I have been a happy LRP and LEAF user for a number of years now.  Thanks for
all the great work!  I started messing with LRP for fun and began production
use at some offices with LRP 2.9.4.  The offices have been updated over the
years, moving up through Dachstein and Eiger and using Bering most recently.
Fantastic stuff that just works!  My best uptime so far has been about 380
days!  Nice!  Anyway, I've been recently asked to provide some VPN
functionality at a couple of offices that are running Bering.  I've done a
bit of research and spent a bit of time trying to get a working setup on the
bench.  I can't seem to get past a couple of hitches and it is time to ask
the community for a bit of help.  I'm certain that it is my inexperience
with IPSec that is causing the problems, so hopefully it will be a quick bit
of advice that will put me back on track.

At this point, I have eliminated all of the errors that displayed on the
console during the startup phase.  When I try to start the VPN connection
from the command line with "ipsec auto --up vpn_jim" (vpn_jim is the name of
my vpn tunnel, I think), I get "whack: Pluto is not running (no
"var/run/pluto.ctl")" as the response.  I get that message for most anything
that I type that starts with ipsec.  When I look in /var/log/daemon.log, I
can see a line that says "ipsec__plutorun: !pluto failure: exited with error
status 1".  When I look in /var/log/auth.log, I can see a line that says
"pluto[31029]: FATAL ERROR: unable to malloc 0 bytes for cert".  The few
previous lines mentioned loading the cacert file and the crl file.  There is
nothing in the process list about pluto, so I think it's dead.

Anybody got any suggestions?

Thanks!

Jim Walters
(952) 474-9215

Here's the bench setup (forgive the bad ASCII art):


                              +-----------------+
                              |    existing     |
                              | Bering router   +------------- to cable modem
                              |  v1.0, I think  |
                              +--------+--------+
                                       |
                           10.0.0.1/24 |
                                       |
          +----------------------------+------------------------------------+
          |                         netgear switch                          |
          +--------+-------------------+---------------------------+--------+
                   |                   |                           |
          10.0.0.4 |         10.0.0.25 |                           | 10.0.0.3
           +-------+-------+   +-------+-------+           +-------+-------+
           |   fw_left     |   |   test PC 3   |           |   fw_right    |
           +-------+-------+   +---------------+           +-------+-------+
                   | 192.168.1.1/24                                 | 192.168.0.1/24
                   |                                               |
                   | 192.168.1.2                                    | 192.168.0.2
           +-------+-------+                               +-------+-------+
           |   test PC 1   |                               |   test PC 2   |
           +---------------+                               +---------------+

Hardware description of the routers:

All three routers in the picture (existing Bering router, fw_left,
and fw_right) are identical hardware.  They are Siemens small form factor
PCs with a C8/233 MHz processor, 64M RAM, 32M Flash Disk in PCMCIA to IDE
adapters, Dual Intel Pro100 NICs, standard VGA and keyboard.  Nice little
units for playing with router stuff, useless for most anything else.  They
have a free PCI slot (after the NICs are installed) and USB, but I've yet to
find the time to add wireless capability and play with those functions at
all.  Maybe soon!

Software Description:

The existing Bering router is running an older Bering version, about 1.0,
but I'm not sure.  Once I get the new stuff running, it will be upgraded.  I
have enough memory cards that I can play with new versions and if it goes
bonk just slide the working version back in.  A nice feature that will
hopefully guarantee the ability to roll back to a working config.  I also
thought it might be optimistic of me to reconfigure my one working gateway
to the internet.

I've played with both Bering 1.2 and Bering uClibc 2.2 beta 2 on the test
firewall units and gotten similar results with both versions.  That's what
is leading me to believe that I am not understanding something about the
configuration.  Each time I google for variations on "bering, linux, VPN,
leaf, ipsec, ... etc" I find a juicy piece of information that gets me
closer to a working config, but I'm mostly out of juice at this point.  I've
focused most of my energy on the Bering uClibc 2.2 beta 2, but I'm willing
to try most any version if someone thinks that they know what I'm doing
wrong.

Configuration Data (tried to do it like the support page said):

# uname -a
Linux fw_left 2.4.24 #18 Sat Apr 24 10:07:53 CEST 2004 i586 unknown

# ip addr show
2: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
2: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 08:00:06:25:bc:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.4/24 brd 10.0.0.255 scope global eth0
4: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:a0:c9:39:13:c2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
5: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 08:00:06:25:bc:d2 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.4/24 brd 10.0.0.255 scope global ipsec0
6: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
7: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip
8: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/ipip

# ip route show
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.4
10.0.0.0/24 dev ipsec0  proto kernel  scope link  src 10.0.0.4
192.168.1.0/24 dev eth1  proto kernel  scope link  src 192.168.1.1
default via 10.0.0.1 dev eth0

# lsmod
Module                  Size  Used by    Not tainted
ipsec                 256416   1
softdog                 1508   1
ipt_state                368  36
ipt_helper               496   0 (unused)
ipt_conntrack            852   0
ipt_REDIRECT             544   0 (unused)
ipt_MASQUERADE          1088   1
ip_nat_irc              2152   0 (unused)
ip_nat_ftp              2792   0 (unused)
iptable_nat            15556   3 [ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp]
ip_conntrack_irc        2876   1
ip_conntrack_ftp        3484   1
ip_conntrack           17864   6 [ipt_state ipt_helper ipt_conntrack ipt_REDIRECT ipt_MASQUERADE ip_nat_irc ip_nat_ftp iptable_nat ip_conntrack_irc ip_conntrack_ftp]
eepro100               17740   2
mii                     2108   0 [eepro100]
isofs                  17012   0 (unused)
ide-detect               144   0 (unused)
ide-cd                 28572   0
ide-disk               12492   1
ide-core               88752   1 [ide-detect ide-cd ide-disk]
cdrom                  26976   0 [ide-cd]

# shorewall status
Shorewall-1.4.10e Status at fw_left - Fri Jun  4 17:56:25 UTC 2004

Counters reset Fri Jun  4 17:51:46 UTC 2004

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    5  1054 eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_in    all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_in  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `Shorewall:INPUT:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 eth1_fwd   all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ipsec0_fwd  all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `Shorewall:FORWARD:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    5   420 fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 fw2loc     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 all2all    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `Shorewall:OUTPUT:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain all2all (6 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `Shorewall:all2all:REJECT:' queue_threshold 1
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:135
    5  1054 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:139
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:445
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            255.255.255.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.0/4
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:53 state NEW
    0     0 DROP       icmp --  *      *       0.0.0.0              0.0.0.0/0
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x10/0x10
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x04/0x04
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x01/0x01
    0     0 DROP       all  --  *      *       0.0.0.0/0            10.0.0.255
    0     0 DROP       all  --  *      *       0.0.0.0/0            192.168.1.255
Chain dynamic (6 references)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 net2all    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 net2all    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5  1054 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    5  1054 net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain eth1_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 loc2net    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 loc2vpn    all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0

Chain eth1_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 loc2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            10.0.0.3
    0     0 ACCEPT     ah   --  *      *       0.0.0.0/0            10.0.0.3
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            10.0.0.3            udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:53
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    5   420 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:50
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:50
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:51
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:51
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:500
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain ipsec0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 all2all    all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
    0     0 vpn2loc    all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain ipsec0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80
    0     0 all2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain loc2vpn (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2all (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    5  1054 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ULOG       all  --  *      *       0.0.0.0/0            0.0.0.0/0           ULOG copy_range 0 nlgroup 1 prefix `Shorewall:net2all:DROP:' queue_threshold 1
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     esp  --  *      *       10.0.0.3             0.0.0.0/0
    0     0 ACCEPT     ah   --  *      *       10.0.0.3             0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       10.0.0.3             0.0.0.0/0           udp spt:500 dpt:500 state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:50
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:50
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:51
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:51
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:500
    5  1054 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain reject (5 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
    0     0 DROP       all  --  *      *       10.0.0.255           0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.1.255        0.0.0.0/0
    0     0 DROP       all  --  *      *       255.255.255.255      0.0.0.0/0
    0     0 DROP       all  --  *      *       224.0.0.0/4          0.0.0.0/0
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 REJECT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               destination

Chain vpn2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0


NAT Table

Chain PREROUTING (policy ACCEPT 5 packets, 1054 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 3 packets, 252 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    84 eth0_masq  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 3 packets, 252 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain eth0_masq (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      *       192.168.1.0/24       0.0.0.0/0

Mangle Table

Chain PREROUTING (policy ACCEPT 9 packets, 1390 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9  1390 pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT (policy ACCEPT 9 packets, 1390 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 9 packets, 756 bytes)
 pkts bytes target     prot opt in     out     source               destination
    9   756 outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT 9 packets, 756 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:22 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:21 TOS set 0x10
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp spt:20 TOS set 0x08
    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08

Configuration Files:

Here are some of my configuration files.  I deleted the standard shorewall
comments, but left the default items in place so that the syntax of the
files is complete.

<contents of interfaces>
#
# Shorewall 1.4 -- Interfaces File
#
# /etc/shorewall/interfaces
#
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0            detect
loc     eth1            detect
vpn     ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of policy>
#
# Shorewall 1.4 -- Policy File
#
# /etc/shorewall/policy
#
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
loc             net             ACCEPT
net             all             DROP            ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw             net             ACCEPT
loc             vpn             ACCEPT
vpn             loc             ACCEPT
#
# THE FOLLOWING POLICY MUST BE LAST
#
all             all             REJECT          ULOG
#LAST LINE -- DO NOT REMOVE

<contents of tunnels>
#
# Shorewall 1.4 - /etc/shorewall/tunnels
#
# TYPE                  ZONE    GATEWAY         GATEWAY
#                                               ZONE
ipsec                   net     10.0.0.3
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of zones>
#
# Shorewall 1.4 /etc/shorewall/zones
#
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
vpn     VPN             Remote Subnet
#dmz    DMZ             Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

<contents of rules>
#
# Shorewall version 1.4 - Rules File
#
# /etc/shorewall/rules
#
####################################################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL     RATE            USER
#                                               PORT    PORT(S)    DEST         LIMIT
#      Accept DNS connections from the firewall to the network
#
ACCEPT          fw              net             tcp     53
ACCEPT          fw              net             udp     53
#       Accept SSH connections from the local network for administration
#
ACCEPT          loc             fw              tcp     22
#       Allow Ping To And From Firewall
#
ACCEPT          loc             fw              icmp    8
ACCEPT          net             fw              icmp    8
ACCEPT          fw              loc             icmp    8
ACCEPT          fw              net             icmp    8
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT          loc       fw            udp     53
ACCEPT          loc       fw            tcp     80
#
# jwalters 20040604
# added rules to allow IPSec VPN
#
ACCEPT          net             fw      tcp     50
ACCEPT          net             fw      udp     50
ACCEPT          net             fw      tcp     51
ACCEPT          net             fw      udp     51
ACCEPT          fw              net     tcp     50
ACCEPT          fw              net     udp     50
ACCEPT          fw              net     tcp     51
ACCEPT          fw              net     udp     51
ACCEPT          net             fw      udp     500
ACCEPT          fw              net     udp     500
#
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

<contents of ipsec.conf>
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# the connection description for the test tunnel
conn vpn_jim
        # How persistent to be in (re)keying negotiations (0 means very).
        keyingtries=0
        # Authenticate with the pre-shared key from ipsec.secrets.
        authby=secret
        left=10.0.0.4
        leftsubnet=192.168.1.0/24
        right=10.0.0.3
        rightsubnet=192.168.0.0/24
        auto=add

<contents of ipsec.secrets>
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#: RSA  {
        # -- Create your own RSA key with "ipsec rsasigkey"
#       }
# do not change the indenting of that "}"

10.0.0.4 %any : PSK "jwalters"

: RSA {
        Modulus:
0xC2B434219819415BEAB6B058BFBC13B4C4B2CB04E9D7B006FCFC21954ECD4B985A0F4013DF
EA48FBD0FBC23678DDD8FEABE11AAFF71B20C18F364E5A9553782405E8E0AB4557CBC204AD16
9F4019B746914A996FD60EEF49F4BDEF428A32751457AC4DABA8990617F1C9880C6C50F5649A
5A2912D0520B5C0D52D41775D4FDEC29FDD6209E0D2D0B294C7709FD484E88197FFAC0D7FBD7
2866317D7911E36AD9267EA2017694B936345AE586795B86962CF964803EC1B715BDC65CA369
28A6D9D2F76BB55DF932D45930143A49204A81817B809F4458B2D83C20FE4FE59A2C716DA04E
407C30944816B756EB308A935A0DC0819314471393869793A38B3F8285
        PublicExponent:  0x010001
        PrivateExponent:
0xA2952176EFF01EE0A724F82A93A874781D4C03354E231A4D2B914A65C810ABD0435BBAB11D
E8201B8E8DBBC60AB58D8E536E3BFFB603041E3CFD26FE82F4D93C9366BBBCA8C1C05679DB23
29C5B7F38FCCA113710CB919DD92ADCB8DAFA2A49B60FE73392526EAACB1ED0C5AFB53BB25CF
B1FBDC46F24BA4094821EC992B4B0025BED05EF27F2A66FC4D3E8ABABE60F047C12CC0481A1E
66BB8F2334A59D61DACBCBD95D6371B76545B0B7B032F7D98CA6B1DD30F50CA1E0ED64615E47
17F0BDA5CA5B16C2D145BFF06CABEED4DE8650D395DF866AB223C3AB42296A8DD7BC5A1FE2EF
744A4F7786C1710C619F698DA302E3D360C5324BBE5581B36202D836E1
        Prime1:
0xE3A1EFE0BBB09D796D0036633DCA5C143938147B7E0D4ADBD2D8D02B251A295CC4768F80D7
330B0957483788F117685B0DE5C8A83DE18B189B4DBFEBBD12102448320100FA1B4A167875AA
AE1577BEFF9ECC0935B9DD66E95C91D2185C40E7379E1581096EAD5943D72CFD51EEE7ECED0C
F2A0FE9588D6C78B232CD49D2FCEA9
        Prime2:
0xDAF7C220ADA79D346AB3169C6292DAB0B93302992D07F86360425FA9399C9B7E4178578AFF
C77F12BB72B14782C1580FD96F0B51DDFFB85C962EE00076A1E86215D16E293D9D7DC79C9FBA
4956187DE36490A49D2202E9982D4FE089E3EE4EFADF666DD84D6415EA339CD4238250FB83C9
723FD1ED7F62917496F40E244D0A7D
        Exponent1:
0xC38F48D4EA8A660F7E8C732D3955935BB078B4680FB7FDBAF2DE5FA0E164236AD642013130
3062E7E87B5B72A3A5777ADA6AB1C3903E2750C183BF411892DF193C88F101D4DD02FE6108BD
D4870EF421095CC300CC282094957995646645401F3109CA6CBF0FE0237F45E06FB66EBBC63F
9C66A1B0F7F9853ECCBE63FE92A6D9
        Exponent2:
0xBE820ED115A51E1E2BB312BA0EFD4BEDB3C3D0BFEA30E407BA0925677B2B6911A8EE85E3F6
73E07830C431BF50E0DCB83569EA8458CC92DF62FEF77F0FB80011CE7FBF037C8B1892E20F0A
29A2117EFDA7523D16453019827FF1DE1EBA436D4DD1AE31659EB7B46566704D1573DCF7670A
8E2F3E7B0E7878AAE2670622C93095
        Coefficient:
0x6AA715CAB57C177DBEC27A24C826BB36F2D2A5B32DE68FEEFDD1C44CF7DACD9FFDB6AC374A
D2BA796208DDA16F07937480DE4934838E623B29356009476F463AE25A6DEDEA560D63B8DDA6
3BAA7A643E4E2A9027C4AB94B6815A0412649F5CA75059A57C729FEA7D2339249210B218B9AB
76EC39DA14CE4D9D45799F048FE2E9
  }



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
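A consistency check over the kind of files posted above, added here as an example; it is not code from the post or from the LEAF, FreeS/WAN or Shorewall projects. The inputs are constructed from the posted fragments (ipsec.conf, ipsec.secrets with the PSK replaced by a placeholder, the Shorewall rules and tunnels files), and the rules file is assumed to use the ACTION SOURCE DEST PROTO DEST-PORT columns shown in the post. It verifies that every conn using authby=secret has an ipsec.secrets PSK entry that FreeS/WAN would select for its left/right pair, that the conn's right= peer is listed as a gateway in the tunnels file, and it flags rules that open TCP/UDP ports 50 and 51: ESP and AH are IP protocols 50 and 51, not ports, and the tunnels entry is what generates the esp/ah/udp 500 rules that appear in the status output.

```python
"""Lint FreeS/WAN and Shorewall 1.4 fragments for common IPsec mismatches.
Added example, not code from the post; inputs are constructed here."""
import re

# Constructed inputs modelled on the posted files (the PSK is a placeholder).
IPSEC_CONF = """\
config setup
        interfaces=%defaultroute
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn vpn_jim
        keyingtries=0
        authby=secret
        left=10.0.0.4
        leftsubnet=192.168.1.0/24
        right=10.0.0.3
        rightsubnet=192.168.0.0/24
        auto=add
"""
IPSEC_SECRETS = '10.0.0.4 %any : PSK "PLACEHOLDER-SECRET"\n'
SHOREWALL_RULES = """\
#ACTION  SOURCE  DEST  PROTO  DEST PORT
ACCEPT   loc     fw    tcp    22
ACCEPT   net     fw    tcp    50
ACCEPT   net     fw    udp    50
ACCEPT   net     fw    tcp    51
ACCEPT   net     fw    udp    51
ACCEPT   net     fw    udp    500
"""
SHOREWALL_TUNNELS = "ipsec   net   10.0.0.3\n"

# ESP and AH are IP protocol numbers; Shorewall's tunnels file opens them.
IP_PROTO = {"50": "esp", "51": "ah"}
PSK_RE = re.compile(r'^(?P<ids>[^:#]*):\s*PSK\s+"(?P<secret>[^"]*)"')


def _strip(line):
    """Drop a trailing comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' and 'conn NAME' start
    in column 0, their settings are indented key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip(raw)
        if not line:
            continue
        if not raw[0].isspace():
            current = line
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def parse_ipsec_secrets(text):
    """Return [(set of index IDs, secret)] for PSK lines; RSA blocks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = PSK_RE.match(raw.strip())
        if m:
            entries.append((set(m.group("ids").split()), m.group("secret")))
    return entries


def psk_covers(ids, left, right):
    """FreeS/WAN picks the PSK whose index list matches both peers; %any is a
    wildcard and an entry with no indices is the default for everyone."""
    if not ids:
        return True
    return all(peer in ids or "%any" in ids for peer in (left, right))


def check_psk(conf, secrets):
    """One finding per conn with authby=secret that no PSK entry covers."""
    findings = []
    for name, s in conf.items():
        if not name.startswith("conn ") or s.get("authby") != "secret":
            continue
        left, right = s.get("left"), s.get("right")
        if not any(psk_covers(ids, left, right) for ids, _ in secrets):
            findings.append(f"{name}: no PSK in ipsec.secrets covers {left} <-> {right}")
    return findings


def check_shorewall(rules_text, tunnels_text):
    """Return (findings, gateways): gateways listed in the tunnels file, and
    one finding per rule that treats ESP/AH as a TCP/UDP port."""
    findings, gateways = [], []
    for raw in tunnels_text.splitlines():
        f = _strip(raw).split()
        if len(f) >= 3 and f[0].startswith("ipsec"):
            gateways.append(f[2])
    for raw in rules_text.splitlines():
        f = _strip(raw).split()
        if len(f) >= 5 and f[3] in ("tcp", "udp") and f[4] in IP_PROTO:
            findings.append(f"rule '{' '.join(f)}': {IP_PROTO[f[4]]} is IP protocol "
                            f"{f[4]}, not {f[3]} port {f[4]}; the tunnels entry for "
                            f"{', '.join(gateways) or 'no gateway'} already opens it")
    return findings, gateways


def check_tunnel_peer(conf, gateways):
    """Each conn's right= peer should be a gateway in the tunnels file."""
    return [f"{name}: peer {s.get('right')} has no tunnels entry"
            for name, s in conf.items()
            if name.startswith("conn ") and s.get("right") not in gateways]


def lint():
    """Run every check over the constructed inputs and return all findings."""
    conf = parse_ipsec_conf(IPSEC_CONF)
    secrets = parse_ipsec_secrets(IPSEC_SECRETS)
    rule_findings, gateways = check_shorewall(SHOREWALL_RULES, SHOREWALL_TUNNELS)
    return check_psk(conf, secrets) + check_tunnel_peer(conf, gateways) + rule_findings


if __name__ == "__main__":
    for finding in lint():
        print(finding)
```

Run as a script it reports the four port 50/51 rules and nothing else for the constructed inputs; to lint a live router, read /etc/ipsec.conf, /etc/ipsec.secrets and the Shorewall files into the four constants in place of the embedded text.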