Hello Tom et al,
When running Shorewall 3.0.7 with OpenSwan 2.4.5 (Netkey) on an Ubuntu
Edgy system, IKE was failing with the following error:
"earth-moon" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
ERROR: "earth-moon" #1: sendto on eth0 to 172.31.2.11:4500 failed in
STATE_MAIN_I2. Errno 1: Operation not permitted
The error is generated after NAT discovery has determined that there
is a NAT in place and IKE attempts to switch from port 500 to 4500. I
noted an entry in the output fw2net chain that allowed isakmp (port
500) but didn't see a companion entry for port 4500 (There are entries
for both port 500 and 4500 in the input net2fw chain).
This led me to the following code snippet in setup_one_ipsec():

    run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
    if [ $kind = ipsec ]; then
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
    else
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
    fi
To get a successful IKE on port 4500 I replaced the above snippet
with:

    if [ $kind = ipsec ]; then
        run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
    else
        # outbound: the peer is the destination; allow ISAKMP (500) and NAT-T (4500)
        run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 500 $options
        run_iptables -A $outchain -p udp $(dest_ip_range $1) --dport 4500 $options
        # inbound: the peer is the source
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 500 $options
        run_iptables -A $inchain -p udp $(source_ip_range $1) --dport 4500 $options
    fi
Is this reasonable or am I way out in left field?
regards :-)
BruceS
--
Norstead Farm - Bruce & Carole Skinner
RR#1 Waterville NS Canada B0P 1V0
Tel: 902-538-1765
Cell: 902-670-6456
Fax: 902-538-1794
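A quick way to confirm the asymmetry described in the mail on a running box, as an added example that is not part of the original post: the script below reads "iptables -S"-style rule lines (a constructed sample here, using the fw2net/net2fw chain names and the 172.31.2.11 peer from the mail) and reports which of the four UDP rules IKE with NAT traversal needs (ports 500 and 4500, in both directions) are missing.

```shell
#!/bin/sh
# Added example, not from the original mail. Constructed sample of
# "iptables -S" output: outbound 500 present, outbound 4500 missing,
# both inbound rules present. For a live check use: RULES=$(iptables -S)
RULES='-A fw2net -d 172.31.2.11/32 -p udp -m udp --dport 500 -j ACCEPT
-A net2fw -s 172.31.2.11/32 -p udp -m udp --dport 500 -j ACCEPT
-A net2fw -s 172.31.2.11/32 -p udp -m udp --dport 4500 -j ACCEPT'

# has_rule CHAIN FLAG PEER PORT
# Succeeds if CHAIN holds an ACCEPT rule for udp --dport PORT whose
# address match is "FLAG PEER/32" (-d for outbound, -s for inbound).
has_rule() {
    printf '%s\n' "$RULES" |
        grep -q -- "^-A $1 $2 $3/32 -p udp .*--dport $4 -j ACCEPT"
}

# missing_natt_rules PEER
# Prints one line per missing rule; returns 0 only when all four exist.
missing_natt_rules() {
    peer=$1
    rc=0
    for port in 500 4500; do
        has_rule fw2net -d "$peer" "$port" ||
            { echo "fw2net: missing udp dport $port to $peer"; rc=1; }
        has_rule net2fw -s "$peer" "$port" ||
            { echo "net2fw: missing udp dport $port from $peer"; rc=1; }
    done
    return $rc
}

# Usage: prints "fw2net: missing udp dport 4500 to 172.31.2.11" for the sample
if missing_natt_rules 172.31.2.11; then
    echo "all IKE/NAT-T rules present"
fi
```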
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users