Lukasz Spaleniak wrote:
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Eastep
>
>> We can't give you advice unless we know how you configured IPSEC.
>>
>> The output of "shorewall dump" collected as described at
>> http://www.shorewall.net/support.htm#Guidelines should
>> suffice (assuming that you are running a recent version of
>> Shorewall).
>
> Tom,
>
> I'm using Shorewall ver 3.2.6 (Debian etch).
>
> Please find the shorewall dump in the attached file.
>
The rejected packets are coming out of the wan2vpn chain.

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out      source               destination
9138K 6304M eth0_fwd   0    --  eth0   *        0.0.0.0/0            0.0.0.0/0           <============ Rule 1
...

Chain eth0_fwd (1 references)
 pkts bytes target     prot opt in     out      source               destination
 211K   17M dynamic    0    --  *      *        0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
 203K   16M smurfs     0    --  *      *        0.0.0.0/0            0.0.0.0/0           state INVALID,NEW policy match dir in pol none
 187K   15M norfc1918  0    --  *      *        0.0.0.0/0            0.0.0.0/0           state NEW policy match dir in pol none
8240K 6194M tcpflags   tcp  --  *      *        0.0.0.0/0            0.0.0.0/0           policy match dir in pol none
 8778  812K vpn_frwd   0    --  *      *        192.168.6.0/24       0.0.0.0/0           policy match dir in pol ipsec <=========== Rule 2
    0     0 vpn_frwd   0    --  *      *        195.205.11.34        0.0.0.0/0           policy match dir in pol ipsec
  191 18390 vpn_frwd   0    --  *      *        10.1.0.0/24          0.0.0.0/0           policy match dir in pol ipsec
    0     0 vpn_frwd   0    --  *      *        195.205.142.34       0.0.0.0/0           policy match dir in pol ipsec
 9943  419K vpn_frwd   0    --  *      *        192.168.10.0/24      0.0.0.0/0           policy match dir in pol ipsec
    0     0 vpn_frwd   0    --  *      *        84.40.238.125        0.0.0.0/0           policy match dir in pol ipsec
2838K 2688M wan2lan1   0    --  *      eth1.301 0.0.0.0/0            192.168.5.0/24      policy match dir out pol none
    0     0 wan2lan1   0    --  *      eth1.301 0.0.0.0/0            10.31.4.0/24        policy match dir out pol none
 5961 1481K wan2publ   0    --  *      eth1.303 0.0.0.0/0            195.205.101.56/29   policy match dir out pol none
1224K 1160M wan2lan2   0    --  *      eth1.300 0.0.0.0/0            195.205.101.16/28   policy match dir out pol none
5018K 2450M wan2dmz    0    --  *      eth2.201 0.0.0.0/0            195.205.101.8/29    policy match dir out pol none
  115 12075 wan2vpn    0    --  *      eth0     0.0.0.0/0            192.168.6.0/24      policy match dir out pol ipsec
    0     0 wan2vpn    0    --  *      eth0     0.0.0.0/0            195.205.11.34       policy match dir out pol ipsec
 4000  306K wan2vpn    0    --  *      eth0     0.0.0.0/0            10.1.0.0/24         policy match dir out pol ipsec <=========== Rule 3
...

Chain wan2vpn (6 references)
 pkts bytes target     prot opt in     out      source               destination
    0     0 ACCEPT     0    --  *      *        0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *        0.0.0.0/0            0.0.0.0/0           udp dpt:53
 4115  318K wan2all    0    --  *      *        0.0.0.0/0            0.0.0.0/0           <========== Rule 4
...

Chain wan2all (1 references)
 pkts bytes target     prot opt in     out      source               destination
    0     0 ACCEPT     0    --  *      *        0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 4115  318K Drop       0    --  *      *        0.0.0.0/0            0.0.0.0/0
 3523  273K LOG        0    --  *      *        0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 6 prefix `Shorewall:wan2all:DROP:'
 4115  318K DROP       0    --  *      *        0.0.0.0/0            0.0.0.0/0

Regrettably, with Shorewall 3.2.6, the dump doesn't show the SPD (Security Policy Database). So I would like to see the output of "setkey -DP" also.

Here is your log entry:

Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250 LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161 LEN=86

Note that the above packet does not match rule 2. This means that the policy match does not consider it to be an unencapsulated IPSEC packet! I've not seen an IPSEC HUB configuration before, so I don't know if this is normal or not. But the packet *is* matching rule 3, which means that policy match knows that this packet is going to be encapsulated on the way out. So the packet is being treated as a wan->vpn packet; that is why it is being dropped.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
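An added example, not from the thread or from Shorewall itself: a small Python model of the eth0_fwd rules quoted above that walks the logged packet through them. What the kernel's policy match actually sees comes from the SPD (hence the request for "setkey -DP"); here that state is an assumed input (dir in pol none, dir out pol ipsec) so the walk shows why an unencapsulated packet from a VPN subnet lands in wan2vpn instead of vpn_frwd.

```python
import ipaddress
import re

# The log entry quoted in the thread, embedded here as sample input.
LOG_LINE = ("Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250 "
            "LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161 LEN=86")

# Subset of the eth0_fwd chain from the dump (rules 2 and 3 and their siblings), modelled as
# (target, out interface, source, destination, policy-match dir, policy-match pol).
# Rule labels refer to the arrows in the dump.
ETH0_FWD = [
    ("vpn_frwd", "*",    "192.168.6.0/24", "0.0.0.0/0",      "in",  "ipsec"),  # Rule 2
    ("vpn_frwd", "*",    "10.1.0.0/24",    "0.0.0.0/0",      "in",  "ipsec"),
    ("wan2vpn",  "eth0", "0.0.0.0/0",      "192.168.6.0/24", "out", "ipsec"),
    ("wan2vpn",  "eth0", "0.0.0.0/0",      "10.1.0.0/24",    "out", "ipsec"),  # Rule 3
]

def parse_log(line):
    """Pull the KEY=value fields out of a Shorewall/netfilter LOG line."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    return {"in": fields["IN"], "out": fields["OUT"],
            "src": fields["SRC"], "dst": fields["DST"]}

def first_match(pkt, policy, rules=ETH0_FWD):
    """Return the target of the first rule the packet hits, or None.

    `policy` is an assumed stand-in for what the kernel's policy match reports:
    {"in": "none"|"ipsec", "out": "none"|"ipsec"}. The real answer lives in
    the SPD, which is why the dump alone cannot settle it.
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for target, out_if, rsrc, rdst, pdir, ppol in rules:
        if out_if != "*" and out_if != pkt["out"]:
            continue
        if src not in ipaddress.ip_network(rsrc) or dst not in ipaddress.ip_network(rdst):
            continue
        if policy[pdir] != ppol:          # "policy match dir in/out pol ..."
            continue
        return target
    return None

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    # Arrived in the clear (dir in pol none) but will be encapsulated on the way out.
    print(first_match(pkt, {"in": "none", "out": "ipsec"}))   # wan2vpn -> wan2all -> DROP
    # Had it arrived through the tunnel, rule 2 would have claimed it first.
    print(first_match(pkt, {"in": "ipsec", "out": "ipsec"}))  # vpn_frwd
```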
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users