Re: [Shorewall-users] IPSec Getting Blocked
If you 'shorewall clear' on the IPSEC gateway, does that correct the problem?

-Tom

On 03/21/2018 02:28 PM, colony.three--- via Shorewall-users wrote:
> The remote phone's Strongswan app is not getting a port 4500 response
> back from the IPSec gateway. It's trying and waiting for a response on
> port 4500.
>
> ‐‐‐ Original Message ‐‐‐
> On March 21, 2018 9:35 AM, wrote:
>
>> I have an IPSec gateway, which is just an OpenStack instance in my
>> LAN. Remote machines reach it with Strongswan through the LAN
>> gateway. When I try to set up the VPN using a remote phone and the
>> Strongswan app it gets a good bit of the ways, but times out waiting
>> for a port 4500 response from the IPSec gateway. The IPSec gateway
>> for its part claims that it'd sent the port 4500 response which never
>> gets there.
>>
>> There are no Shorewall messages in dmesg regarding ports 500 or 4500,
>> in either the IPSec gateway or the LAN gateway.
>>
>> IPSec gateway:
>> rules:
>> # VPN
>> ACCEPT net $FW udp 500,4500 -
>> ACCEPT $FW net udp 500,4500 -
>>
>> snat:
>> MASQUERADE 192.168.111.0/24 eth0
>>
>> LAN gateway:
>> rules
>>
>> # VPN
>> DNAT net local:192.168.111.16 udp 500,ipsec-nat-t -
>>
>> snat
>> MASQUERADE 10.1.1.30/32,192.168.111.0/24 eth0
>>
>> (10.1.1.30 is the DMZ)
>>
>> The goal is to have all remote machines and all machines in the LAN
>> communicate by VPN transparently. I'm back to basics with just an
>> IPSec gateway and one remote machine. I suspect that when I get all
>> the LAN machines on trapped IPSec that the devices which do not
>> support IPSec (printers, Z-wave) will need to reach the rest of the
>> LAN through the IPSec gateway so am using SNAT there.
>>
>> So for some reason it seems that port 4500 is getting blocked outgoing
>> from the IPSec gateway. For some reason # tcpdump 'tcp port 500' and
>> 4500 yield -nothing- when aimed at the relevant interfaces on both
>> gateways. shorewall_dump.txt forwarded directly to Tom.
>
> ---
> On the LAN gateway, I see lots of packets going in to the IPSec gateway
> on (internal) eth1, but none going back out:
>
> # tcpdump -i eth1 'port 4500'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:44.377621 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:44.380078 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:44.383287 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:44.385543 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:44.398217 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:44.400500 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.426444 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.430634 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.439986 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.445641 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.449896 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.452713 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:46.455215 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:49.198687 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:49.203642 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:49.208845 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:49.214348 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
> 13:26:49.218238 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp:
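The capture quoted above shows only inbound IKE_AUTH retransmissions and no reply, which is the fact the poster had to spot by eye. As an added example (not code from the thread or from Shorewall), this Python script parses tcpdump's one-line summaries and lists UDP 4500 flows for which the capture holds no packet in the reverse direction; the capture it runs on is constructed to mirror the posted one, plus a healthy exchange from a made-up peer (203.0.113.7) so the check has something to contrast against.

```python
import re
from collections import defaultdict

# Matches tcpdump's one-line IPv4 summary, e.g.
# "13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): (?P<rest>.*)$"
)

# Without -n, tcpdump prints service names; map the IKE/NAT-T ones back to numbers.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}

def port_number(token):
    """'39547' -> 39547, 'ipsec-nat-t' -> 4500, unknown service names -> None."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)

def flow_summary(lines):
    """Count packets per directed (src, sport, dst, dport); non-packet lines are skipped."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            counts[(m["src"], port_number(m["sport"]), m["dst"], port_number(m["dport"]))] += 1
    return dict(counts)

def one_way_flows(lines, port=4500):
    """Flows toward `port` with no packet captured in the reverse direction.

    Requests reach this interface but no answer crosses it, so the reply is
    dropped, misrouted, or never sent; the count shows how long the initiator retried."""
    counts = flow_summary(lines)
    return [
        {"client": f"{src}:{sport}", "server": f"{dst}:{dport}", "requests": n}
        for (src, sport, dst, dport), n in counts.items()
        if dport == port and (dst, dport, src, sport) not in counts
    ]

# Constructed sample in the format of the capture in the thread: three unanswered
# IKE_AUTH retransmissions, plus a healthy exchange (numeric ports, as with -n) that is answered.
SAMPLE_CAPTURE = """\
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:27:01.100000 IP 203.0.113.7.4500 > 192.168.111.16.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
13:27:01.104000 IP 192.168.111.16.4500 > 203.0.113.7.4500: NONESP-encap: isakmp: child_sa ikev2_auth[R]
""".splitlines()

if __name__ == "__main__":
    print(one_way_flows(SAMPLE_CAPTURE))
```

Run the same function over `tcpdump -n -i eth1 'udp port 4500'` output from each hop to see where the return packets stop appearing.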
[Shorewall-users] Someone break something
It's too quiet in here. :-)

Bill