Tom Eastep wrote:
> lpa du morvan wrote:
>> Hi
>>
>> FAQ #21 says:
>> <<Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
>>
>> Unfortunately, where NAT is involved (including SNAT, DNAT and Masquerade), there are a lot of broken implementations
>>
>> Why does Shorewall break my IPsec tunnel?
>>
>> I have tried deactivating masquerade (on both sides) but still always get:
>>
>> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1
>>
>> I have established an IPsec tunnel between two fc6+shorewall+ipsec, always with the
>> same error:
>>
>> wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 (but now on
>> both sides!)
>
> Did you disable policy match or change your configuration to use the method at
> http://www.shorewall.net/IPSEC-2.6.html? You must do one or the other.
>
Sorry -- found the dump of this problem on the gmane archive; as you know
(hopefully), the shorewall.net mail server is down so I don't have access to any
mail locally except what has arrived very recently.
Here are your wan->fw rules:
Chain wan2fw (2 references)
 pkts bytes target  prot opt in  out  source       destination
   14  1564 ACCEPT  all  --  *   *    0.0.0.0/0    0.0.0.0/0    state RELATED,ESTABLISHED
    0     0 DROP    tcp  --  *   *    0.0.0.0/0    0.0.0.0/0    tcp dpt:113
    4   448 ACCEPT  esp  --  *   *    192.168.2.3  0.0.0.0/0
    0     0 ACCEPT  ah   --  *   *    192.168.2.3  0.0.0.0/0
    0     0 ACCEPT  udp  --  *   *    192.168.2.3  0.0.0.0/0    udp dpt:500 state NEW
    0     0 ACCEPT  udp  --  *   *    0.0.0.0/0    0.0.0.0/0    udp dpt:1194
   96  5178 wan2all all  --  *   *    0.0.0.0/0    0.0.0.0/0
Here is the log message that you are complaining about:
Dec 19 19:53:26 wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 DST=192.168.2.1 LEN=80 TOS=0x00 PREC=0x00 TTL=127 ID=12367 PROTO=4
That is PROTOCOL NUMBER 4 -- The only protocols that you are accepting from
192.168.2.3 are 50, 51 and 17!!!!
Protocol 4 is IP encapsulated in IP -- So it sounds like your tunnel is not pure
IPSEC but is being further encapsulated in protocol 4.
Or something....
At any rate, you obviously need another rule.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
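Tom's diagnosis above comes down to reading the PROTO= field out of the log line and comparing it with the protocols the wan2fw chain actually accepts from that source. The Python script below is an added example, not code from this thread or from the Shorewall project: it parses a netfilter LOG line and an `iptables -L wan2fw -v -n` listing, strips the bracketed inner packet that ICMP error messages carry (so the FAQ #21 line is read as ICMP rather than as the embedded UDP), lists which protocol numbers could admit a NEW packet from the logged SRC, and, when the logged protocol is not among them, builds a candidate line for /etc/shorewall/rules. The sample log lines and the re-joined chain listing are constructed from the thread (the ESP line is invented to show the accepted case); deriving the zone name from the chain name and the rules-file column order (ACTION SOURCE DEST PROTO) are assumptions, so check them against your own configuration.

```python
import re

# Constructed inputs modelled on the thread: the iptables listing is re-joined
# to one line per rule (mail wrapping split it), ESP_LINE is invented to show
# the "accepted" case, and FAQ_LINE is the FAQ #21 example quoted at the top.
LOG_LINE = ("Dec 19 19:53:26 wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 "
            "DST=192.168.2.1 LEN=80 TOS=0x00 PREC=0x00 TTL=127 ID=12367 PROTO=4")
ESP_LINE = ("Dec 19 19:53:30 wan2all:DROP:IN=eth5 OUT= SRC=192.168.2.3 "
            "DST=192.168.2.1 LEN=120 TOS=0x00 PREC=0x00 TTL=127 ID=12368 PROTO=ESP SPI=0x1a2b3c4d")
FAQ_LINE = ("Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= "
            "MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 "
            "LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 "
            "[SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF "
            "PROTO=UDP SPT=53 DPT=2857 LEN=108 ]")

CHAIN_LISTING = """\
Chain wan2fw (2 references)
 pkts bytes target  prot opt in out source      destination
   14  1564 ACCEPT  all  --  *  *   0.0.0.0/0   0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 DROP    tcp  --  *  *   0.0.0.0/0   0.0.0.0/0   tcp dpt:113
    4   448 ACCEPT  esp  --  *  *   192.168.2.3 0.0.0.0/0
    0     0 ACCEPT  ah   --  *  *   192.168.2.3 0.0.0.0/0
    0     0 ACCEPT  udp  --  *  *   192.168.2.3 0.0.0.0/0   udp dpt:500 state NEW
    0     0 ACCEPT  udp  --  *  *   0.0.0.0/0   0.0.0.0/0   udp dpt:1194
   96  5178 wan2all all  --  *  *   0.0.0.0/0   0.0.0.0/0
"""

# IANA protocol numbers for the names netfilter/iptables print; 4 is IP-in-IP.
PROTO_BY_NAME = {"icmp": 1, "ipip": 4, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
NAME_BY_PROTO = {num: name for name, num in PROTO_BY_NAME.items()}


def proto_number(token):
    """Map a PROTO= value or an iptables 'prot' column ('4', 'ESP', 'udp') to a number."""
    token = token.lower()
    return int(token) if token.isdigit() else PROTO_BY_NAME.get(token)


def parse_log(line):
    """Split a netfilter LOG line into KEY=VALUE fields plus CHAIN and DISP (disposition)."""
    # ICMP errors carry the offending packet's header in [...]; drop it so its
    # SRC/DST/PROTO do not overwrite the outer packet's fields.
    outer = re.sub(r"\[.*?\]", "", line)
    fields = dict(re.findall(r"(\w+)=(\S*)", outer))
    m = re.search(r"(\S+?):(ACCEPT|DROP|REJECT):IN=", outer)
    fields["CHAIN"] = m.group(1).split(":")[-1]   # 'Shorewall:net2all' -> 'net2all'
    fields["DISP"] = m.group(2)
    fields["PROTO"] = proto_number(fields["PROTO"])
    return fields


def parse_chain(listing):
    """Parse `iptables -L <chain> -v -n` output into rule dicts (header lines skipped)."""
    rules = []
    for raw in listing.splitlines():
        cols = raw.split()
        if len(cols) < 9 or not cols[0][:1].isdigit():
            continue
        rules.append({"target": cols[2], "prot": cols[3], "source": cols[7],
                      "dest": cols[8], "extra": " ".join(cols[9:])})
    return rules


def accepted_protocols(rules, src):
    """Protocol numbers (or 'all') that some ACCEPT rule could admit for a NEW packet from src.
    Port qualifiers are ignored on purpose: the question is which protocols get in at all."""
    protos = set()
    for r in rules:
        if r["target"] != "ACCEPT" or r["source"] not in ("0.0.0.0/0", src):
            continue
        m = re.search(r"state (\S+)", r["extra"])
        if m and "NEW" not in m.group(1).split(","):
            continue   # 'state RELATED,ESTABLISHED' never admits a tunnel's first packet
        protos.add("all" if r["prot"] == "all" else proto_number(r["prot"]))
    protos.discard(None)
    return protos


def diagnose(log_line, listing):
    """Explain a DROP: which protocol was dropped and whether any rule could have accepted it."""
    pkt = parse_log(log_line)
    protos = accepted_protocols(parse_chain(listing), pkt["SRC"])
    accepted = "all" in protos or pkt["PROTO"] in protos
    result = {"proto": pkt["PROTO"],
              "proto_name": NAME_BY_PROTO.get(pkt["PROTO"], str(pkt["PROTO"])),
              "accepted_from_src": sorted(p for p in protos if p != "all"),
              "accepted": accepted}
    if not accepted:
        # Assumptions: the policy chain is named <zone>2all, and the rules file
        # columns are ACTION SOURCE DEST PROTO. Verify against your own config.
        zone = pkt["CHAIN"].split("2")[0]
        result["suggested_rule"] = f"ACCEPT\t{zone}:{pkt['SRC']}\t$FW\t{pkt['PROTO']}"
    return result


if __name__ == "__main__":
    for line in (LOG_LINE, ESP_LINE):
        print(diagnose(line, CHAIN_LISTING))
```

Run stand-alone it reports the dropped packet as protocol 4 (ipip) with only 17, 50 and 51 admitted from 192.168.2.3, which is exactly the mismatch Tom points at; the ESP line is reported as accepted, so a DROP of it would point at something other than the wan2fw rules (policy match, for instance).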
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users