Thanks for the reply Tom. Although I can connect internally to the L2TP server
running on the firewall, all external attempts do not work. I have checked and
double checked the procedure as below:

1) vpn added to zones:

#ZONE   TYPE
vpn     ipsec
l2tp    ipv4
net     ipv4
loc     ipv4
fw      firewall

2) interfaces specified:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            -               dhcp,tcpflags,nosmurfs,logmartians
loc     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
l2tp    ppp+            -

3) ipsec specified in tunnels:

#TYPE         ZONE        GATEWAY             GATEWAY ZONE
ipsec         net         0.0.0.0/0           vpn

4) vpn zone defined in hosts:

#ZONE   HOSTS           OPTIONS
vpn     eth0:0.0.0.0/0

5) Policy set:

#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
$FW             all             ACCEPT
loc             $FW             ACCEPT
loc             net             ACCEPT
# policy for inbound L2TP zone
loc             l2tp            ACCEPT
l2tp            loc             ACCEPT
l2tp            net             ACCEPT
loc             vpn             ACCEPT
vpn             loc             ACCEPT
vpn             $FW             ACCEPT
# The FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

6) rules set:

#ACTION         SOURCE          DEST    PROTO   DEST PORT       SOURCE PORT
DNS(ACCEPT)     $FW             net
SSH(ACCEPT)     loc             $FW
Ping(ACCEPT)    loc             $FW
L2TP(REJECT)    net             $FW
REJECT          $FW             net     udp     -               1701
ACCEPT          vpn             $FW     udp     1701
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP)      net             $FW
ACCEPT          $FW             loc     icmp
ACCEPT          $FW             net     icmp
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I must have messed up somewhere as now I see lots of log messages:

1.6.160 LEN=134 TOS=0x02 PREC=0x00 TTL=109 ID=16558 PROTO=UDP SPT=1116 DPT=6881 LEN=114 MARK=0x100
Jan 20 20:36:49 router kernel: [39805.141804] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=121.54.58.135 DST=2.51.6.160 LEN=58 TOS=0x00 PREC=0x00 TTL=103 ID=64768 PROTO=UDP SPT=27560 DPT=6881 LEN=38 MARK=0x100

This l2tp2fw chain is blocking peer-to-peer traffic and I don't understand why
(would have thought it should fall through to the default deny policy). If anyone
would be kind enough to advise what I can try next or what I have done wrong
above, it would be much appreciated. Shorewall dump attached for reference.
Thanks for the help,

Chris

Date: Fri, 20 Jan 2012 03:12:15 +0400
From: [email protected]
To: [email protected]
Subject: Re: [Shorewall-users] net2fw:DROP for L2TP VPN

Hi, just to say I think I may have spotted the issue; will advise tomorrow.
Please disregard previous post for now.

Thanks,

Chris

Sent from Samsung Galaxy Note

-------- Original message --------

Subject: Re: [Shorewall-users] net2fw:DROP for L2TP VPN
From: Chris Morley <[email protected]>
To: [email protected]
CC:

> From the messages you are seeing, it looks like you don't have ipsec*
> entries in /etc/shorewall/tunnels.

Hi Tom,

Thanks for the reply. I have added the tunnels to now show:

#TYPE                   ZONE            GATEWAY         GATEWAY ZONE
ipsec                   net             0.0.0.0/0       vpn

Also by changing the zones file from:

fw      firewall
vpn     ipsec
l2tp    ipv4
ukvpn   ipv4
net     ipv4
loc     ipv4

To the following:

vpn     ipsec
l2tp    ipv4
ukvpn   ipv4
fw      firewall
net     ipv4
loc     ipv4

An internal machine can now connect OK and get assigned an IP address via L2TP,
so this order does seem to affect things. So I know the VPN is working even with
the firewall rules enabled for internal clients, just not for external clients.

For external clients, I am still seeing similar bounce messages:

Jan 19 22:04:03 router kernel: [134798.340603] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=93.97.190.5 DST=2.49.2.193 LEN=412 TOS=0x00 PREC=0x00 TTL=120 ID=11474 PROTO=UDP SPT=500 DPT=500 LEN=392 MARK=0x100

As a hack, I then tried adding a policy:

l2tp fw ACCEPT

Although the REJECT messages were no longer shown in the log, the VPN still
timed out for the external users. So I then removed this line again. Now my
policy just shows:

fw              all             ACCEPT
loc             fw              ACCEPT
loc             net             ACCEPT
# policy for inbound L2TP zone
loc             l2tp            ACCEPT
l2tp            loc             ACCEPT
l2tp            net             ACCEPT
loc             vpn             ACCEPT
vpn             loc             ACCEPT
vpn             fw              ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

Since I have made some changes I have re-dumped the status for this config.
Appreciate everyone is busy so no mad rush on a reply; gave it another 2 hours
tonight, no dice. I must be doing something silly, just can't see it. Hopefully a
fresh mind tomorrow will help!

Regards,

Chris
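
To see how a packet arriving on ppp0 can end up in the l2tp2fw chain rather than net2fw, here is a small added Python checker (not from the thread and not Shorewall's own code) that models Shorewall's trailing-'+' interface wildcard against the zones and interfaces tables quoted above. It assumes that when an interface matches more than one zone, the zone listed first in /etc/shorewall/zones is the one assigned; the tables and the shortened log line are constructed sample input.

```python
import re

# Zone and interface tables as quoted in the thread (constructed sample input)
ZONES_TEXT = """
vpn     ipsec
l2tp    ipv4
net     ipv4
loc     ipv4
fw      firewall
"""
INTERFACES_TEXT = """
net     ppp0    -       dhcp,tcpflags,nosmurfs,logmartians
loc     eth0    detect  dhcp,tcpflags,nosmurfs,routefilter,logmartians
l2tp    ppp+    -
"""
# Kernel log line from the thread, shortened to the fields used here
LOG_LINE = ("Jan 19 22:04:03 router kernel: Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= "
            "SRC=93.97.190.5 DST=2.49.2.193 PROTO=UDP SPT=500 DPT=500")

def parse_table(text):
    """Split a Shorewall table into field lists, skipping blanks and # comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def iface_matches(pattern, ifname):
    """Shorewall wildcard: a trailing '+' matches every interface with that prefix."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern

def zones_for_interface(ifname, zones_text, interfaces_text):
    """Matching zones in zones-file order; assumption: the first listed one wins."""
    order = [f[0] for f in parse_table(zones_text)]
    matched = {f[0] for f in parse_table(interfaces_text) if iface_matches(f[1], ifname)}
    return [z for z in order if z in matched]

def overlapping_interfaces(interfaces_text):
    """(wildcard zone, pattern, other zone, interface) tuples where a wildcard
    entry also covers an interface that another zone names explicitly."""
    rows = [(f[0], f[1]) for f in parse_table(interfaces_text)]
    return [(wz, wp, z, i) for wz, wp in rows if wp.endswith("+")
            for z, i in rows if z != wz and iface_matches(wp, i)]

def fw_chain_for_log_line(line, zones_text, interfaces_text):
    """Name the <zone>2fw chain a packet to the firewall itself would traverse,
    from its IN= interface and the first-match assumption above."""
    ifname = re.search(r"\bIN=(\S+)", line).group(1)
    zones = zones_for_interface(ifname, zones_text, interfaces_text)
    return f"{zones[0]}2fw" if zones else None
```

With the tables above, overlapping_interfaces reports that the l2tp entry ppp+ also covers net's ppp0, and fw_chain_for_log_line returns l2tp2fw for the quoted log line; swapping net ahead of l2tp in the zones text makes it return net2fw.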
------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Attachment: status.txt.gz
Description: GNU Zip compressed data
