Re: [Shorewall-users] IPSec Getting Blocked

2018-03-21 Thread Tom Eastep
If you 'shorewall clear' on the IPSEC gateway, does that correct the
problem?

-Tom

On 03/21/2018 02:28 PM, colony.three--- via Shorewall-users wrote:
> The remote phone's Strongswan app is not getting a port 4500 response
> back from the IPSec gateway.  It's trying and waiting for a response on
> port 4500.
> 
> 
> 
> ‐‐‐ Original Message ‐‐‐
> On March 21, 2018 9:35 AM,  wrote:
> 
>> I have an IPSec gateway, which is just an OpenStack instance in my
>> LAN.  Remote machines reach it with Strongswan through the LAN
>> gateway.  When I try to set up the VPN using a remote phone and the
>> Strongswan app it gets a good bit of the ways, but times out waiting
>> for a port 4500 response from the IPSec gateway.  The IPSec gateway
>> for its part claims that it'd sent the port 4500 response which never
>> gets there.
>>
>> There are no Shorewall messages in dmesg regarding ports 500 or 4500,
>> in either the IPSec gateway or the LAN gateway.
>>
>> IPSec gateway:
>> rules:
>> # VPN
>> ACCEPT  net $FW udp 500,4500 -
>> ACCEPT  $FW net udp 500,4500 -
>>
>> snat:
>> MASQUERADE  192.168.111.0/24    eth0
>>
>>
>> LAN gateway:
>> rules:
>>
>>
>> # VPN
>> DNAT    net     local:192.168.111.16    udp     500,ipsec-nat-t -
>>
>> snat:
>> MASQUERADE  10.1.1.30/32,192.168.111.0/24   eth0
>>
>> (10.1.1.30 is the DMZ)
>>
>> The goal is to have all remote machines and all machines in the LAN
>> communicate by VPN transparently.  I'm back to basics with just an
>> IPSec gateway and one remote machine.  I suspect that when I get all
>> the LAN machines on trapped IPSec that the devices which do not
>> support IPSec (printers, Z-wave) will need to reach the rest of the
>> LAN through the IPSec gateway so am using SNAT there.
>>
>> So for some reason it seems that port 4500 is getting blocked outgoing
>> from the IPSec gateway.  For some reason # tcpdump 'tcp port 500' and
>> 4500 yield -nothing- when aimed at the relevant interfaces on both
>> gateways. shorewall_dump.txt forwarded directly to Tom.
> ---
> On the LAN gateway, I see lots of packets going in to the IPSec gateway
> on (internal) eth1, but none going back out:
> 
> # tcpdump -i eth1 'port 4500'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.377621 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.380078 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.383287 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.385543 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.398217 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.400500 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.426444 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.430634 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.439986 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.445641 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.449896 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.452713 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.455215 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.198687 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.203642 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.208845 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.214348 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.218238 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: 

Re: [Shorewall-users] IPSec Getting Blocked

2018-03-21 Thread colony.three--- via Shorewall-users
The remote phone's Strongswan app is not getting a port 4500 response back from 
the IPSec gateway.  It's trying and waiting for a response on port 4500.

‐‐‐ Original Message ‐‐‐
On March 21, 2018 9:35 AM,  wrote:

> I have an IPSec gateway, which is just an OpenStack instance in my LAN.  
> Remote machines reach it with Strongswan through the LAN gateway.  When I try 
> to set up the VPN using a remote phone and the Strongswan app it gets a good 
> bit of the ways, but times out waiting for a port 4500 response from the 
> IPSec gateway.  The IPSec gateway for its part claims that it'd sent the port 
> 4500 response which never gets there.
>
> There are no Shorewall messages in dmesg regarding ports 500 or 4500, in 
> either the IPSec gateway or the LAN gateway.
>
> IPSec gateway:
> rules:
> # VPN
> ACCEPT  net $FW udp 500,4500 -
> ACCEPT  $FW net udp 500,4500 -
>
> snat:
> MASQUERADE  192.168.111.0/24    eth0
>
> LAN gateway:
> rules:
>
> # VPN
> DNAT    net     local:192.168.111.16    udp     500,ipsec-nat-t -
>
> snat:
> MASQUERADE  10.1.1.30/32,192.168.111.0/24   eth0
>
> (10.1.1.30 is the DMZ)
>
> The goal is to have all remote machines and all machines in the LAN 
> communicate by VPN transparently.  I'm back to basics with just an IPSec 
> gateway and one remote machine.  I suspect that when I get all the LAN 
> machines on trapped IPSec that the devices which do not support IPSec 
> (printers, Z-wave) will need to reach the rest of the LAN through the IPSec 
> gateway so am using SNAT there.
>
> So for some reason it seems that port 4500 is getting blocked outgoing from 
> the IPSec gateway.  For some reason # tcpdump 'tcp port 500' and 4500 yield 
> -nothing- when aimed at the relevant interfaces on both gateways. 
> shorewall_dump.txt forwarded directly to Tom.

---
On the LAN gateway, I see lots of packets going in to the IPSec gateway on 
(internal) eth1, but none going back out:

# tcpdump -i eth1 'port 4500'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.377621 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.380078 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.383287 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.385543 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.398217 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.400500 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.426444 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.430634 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.439986 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.445641 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.449896 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.452713 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.455215 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.198687 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.203642 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.208845 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.214348 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.218238 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.225086 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.231584 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t: 
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:49.234940 IP 
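The capture above shows the pattern this thread is about: bursts of IKEv2 IKE_AUTH packets from the phone (172.56.42.131) arriving at the IPsec gateway (192.168.111.16) on UDP 4500, the burst repeating a couple of seconds later, and not one packet in the other direction. Two things in that output are worth knowing when reading it: tcpdump prints service names for ports it resolves, so `ipsec-nat-t` is 4500 and `isakmp` is 500, and `NONESP-encap` means the datagram carries the four-byte non-ESP marker, i.e. IKE running inside UDP 4500 NAT traversal rather than ESP. IKE is UDP, so a capture filter has to say `udp port 500 or udp port 4500`; a `tcp port` filter shows nothing.

The script below is an added example, not code from the thread or from the Shorewall project. It re-joins tcpdump records that a mail client wrapped onto two lines, counts IKE packets per peer in each direction relative to the gateway address, lists peers the gateway never answered, and also picks UDP 500/4500 entries out of Shorewall kernel-log lines (the classic `Shorewall:chain:disposition:` log prefix). The sample data is constructed: the first three records are copied from the capture in this thread, the second peer (198.51.100.7) and the dmesg lines are invented to show what an answered exchange and a logged drop look like.

```python
"""Added example: spot one-directional IKE/NAT-T traffic in tcpdump text as
pasted into a mail message, and in Shorewall log lines from dmesg."""
import re
from collections import Counter

# tcpdump prints service names for ports it can resolve (500, 4500 here).
PORT_NAMES = {"isakmp": 500, "ipsec-nat-t": 4500}
IKE_PORTS = {500, 4500}

TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
PKT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\S+): (?P<info>.*)$"
)
# Classic LOGFORMAT "Shorewall:%s:%s:" -> chain, disposition, netfilter fields
SW_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)")


def _port(token):
    """tcpdump port token (number or service name) -> int."""
    return PORT_NAMES.get(token) or int(token)


def join_wrapped(lines):
    """Re-join records a mail client wrapped: a record starts with a timestamp,
    any other non-empty line continues the previous record. Banner lines
    before the first record are dropped."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_tcpdump(text):
    """Parse 'tcpdump -i eth1 port 4500' style output into packet dicts."""
    pkts = []
    for rec in join_wrapped(text.splitlines()):
        m = PKT_RE.match(rec)
        if m:  # anything that is not an IPv4 record is ignored
            pkts.append({"ts": m["ts"], "src": m["src"], "sport": _port(m["sport"]),
                         "dst": m["dst"], "dport": _port(m["dport"]), "info": m["info"]})
    return pkts


def ike_flow_summary(pkts, gateway):
    """Count IKE packets per (peer address, gateway port), each direction."""
    to_gw, from_gw = Counter(), Counter()
    for p in pkts:
        if p["sport"] not in IKE_PORTS and p["dport"] not in IKE_PORTS:
            continue
        if p["dst"] == gateway:
            to_gw[(p["src"], p["dport"])] += 1
        elif p["src"] == gateway:
            from_gw[(p["dst"], p["sport"])] += 1
    return to_gw, from_gw


def unanswered_peers(pkts, gateway):
    """Peers whose IKE packets reached the gateway with no reply from that
    gateway port anywhere in the capture."""
    to_gw, from_gw = ike_flow_summary(pkts, gateway)
    return sorted(key for key in to_gw if key not in from_gw)


def parse_shorewall_log(text):
    """Shorewall log lines about UDP 500/4500 -> (chain, disposition, src, dst, dport)."""
    hits = []
    for line in text.splitlines():
        m = SW_RE.search(line)
        if not m:
            continue
        f = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
        if f.get("PROTO") != "UDP":
            continue
        spt, dpt = int(f.get("SPT", 0)), int(f.get("DPT", 0))
        if spt in IKE_PORTS or dpt in IKE_PORTS:
            hits.append((m["chain"], m["disp"], f["SRC"], f["DST"], dpt))
    return hits


GATEWAY = "192.168.111.16"
# Constructed sample: first three records copied from the thread (wrapped as in
# the mail); peer 198.51.100.7 is invented to show an answered exchange.
SAMPLE_CAPTURE = """\
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:27:01.000000 IP 198.51.100.7.ipsec-nat-t > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:27:01.002000 IP 192.168.111.16.ipsec-nat-t > 198.51.100.7.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
"""
# Constructed dmesg lines: one logged drop of IKE NAT-T, one unrelated SSH drop.
SAMPLE_DMESG = """\
[ 1234.567890] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.168.111.16 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=39547 DPT=4500 LEN=64
[ 1234.600000] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.168.111.16 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE_CAPTURE)
    to_gw, from_gw = ike_flow_summary(pkts, GATEWAY)
    print("to gateway  :", dict(to_gw))
    print("from gateway:", dict(from_gw))
    print("unanswered  :", unanswered_peers(pkts, GATEWAY))
    print("logged      :", parse_shorewall_log(SAMPLE_DMESG))
```

Run it over captures taken at the same time on the LAN gateway's eth1 and on the IPsec gateway's own interface: if the reply shows up on the instance's interface but never on eth1, the packet is lost between the two hosts rather than in Shorewall on either of them, and the absence of `Shorewall:...:DROP` lines for port 4500 is consistent with that. Tom's `shorewall clear` test settles the Shorewall question directly, but it removes every rule on that host and leaves it unprotected until `shorewall start` or `shorewall restart`, so keep that window short, especially on the Internet-facing LAN gateway.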

[Shorewall-users] Someone break something

2018-03-21 Thread Bill Shirley

It's too quiet in here. :-)

Bill


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users