Hello Mailinglist,

I'm stumped. For three days I tried unsuccessfully to get started with L2TP/IPSEC with shorewall. I configured shorewall like the instructions in http://www.shorewall.net/IPSEC-2.6.html but it does not run. I always get in /var/log/syslog:

...
Dec 31 19:08:31 router kernel: [81080.616087] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:3e:3e:00:00:2d:11:20:cd:50:bb:67:59:54:39:22:05:1b:2e SRC=80.187.103.89 DST=84.57.34.5 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=15934 PROTO=UDP SPT=62781 DPT=1701 LEN=75
...

Only if I change the last line of /etc/shorewall/policy for a short time to:

...
all     all     ACCEPT  info
...

does the L2TP/IPSEC tunnel run. I would be very happy if someone had an idea how I could get it running.

Thank you!
Tony

I made an easier configuration:

/etc/shorewall/tunnels

###############################################################################
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver:1194      net     0.0.0.0/0
ipsec                   net     0.0.0.0/0       vpn1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE ---->

/etc/shorewall/zones

###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vmn     ipv4            <--- subnet for virtual machines
dmz     ipv4
ovpn    ipv4            <--- openvpn for win-clients - but iPhone doesn't run with openvpn
wlan    ipv4
vpn1    ipsec           <--- ipsec
l2tp    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE ---->

/etc/shorewall/hosts

#ZONE   HOSTS                   OPTIONS
vpn1    eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE ---->

/etc/shorewall/masq

##############################################################################
#INTERFACE              SUBNET          ADDRESS         PROTO   PORT(S) IPSEC
ppp0                    eth0
ppp0                    eth2
ppp0                    eth3
ppp0                    eth4
ppp0                    tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE ---->

/etc/shorewall/interfaces

###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     ppp0            detect          tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc     eth0            detect          tcpflags,detectnets,nosmurfs
dmz     eth2            detect          tcpflags,detectnets,nosmurfs
ovpn    tun0            detect          tcpflags,detectnets,nosmurfs
wlan    eth3            detect          tcpflags,detectnets,nosmurfs
l2tp    ppp1            detect          tcpflags,detectnets,nosmurfs
vmn     eth4            detect          tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE ---->

/etc/shorewall/policy

###############################################################################
#SOURCE DEST    POLICY  LOG     LIMIT:BURST
#                       LEVEL
#
# Policies for traffic originating from the local LAN (loc)
loc     net     ACCEPT  info
loc     vmn     ACCEPT  info
loc     ovpn    ACCEPT  info
loc     dmz     REJECT  info
loc     $FW     REJECT  info
loc     wlan    ACCEPT  info
loc     l2tp    ACCEPT  info
loc     all     REJECT  info
#
# Policies for traffic originating from the virtual Network of the Virtual Machines LAN (vmn)
vmn     net     ACCEPT  info
vmn     loc     ACCEPT  info
vmn     ovpn    ACCEPT  info
vmn     dmz     REJECT  info
vmn     $FW     REJECT  info
vmn     wlan    ACCEPT  info
vmn     all     REJECT  info
#
# Policies for traffic originating from the firewall ($FW)
$FW     net     ACCEPT  info
$FW     dmz     ACCEPT  info
$FW     loc     ACCEPT  info
$FW     vmn     ACCEPT  info
$FW     wlan    ACCEPT  info
$FW     all     ACCEPT  info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
dmz     net     ACCEPT  info
dmz     $FW     REJECT  info
dmz     loc     REJECT  info
dmz     vmn     REJECT  info
dmz     wlan    REJECT  info
dmz     all     REJECT  info
#
# Policies for traffic originating from the Internet zone (net)
net     dmz     DROP    info
net     $FW     ACCEPT  info
net     loc     DROP    info
net     vmn     DROP    info
net     wlan    DROP    info
net     all     DROP    info
#
# Policies for OpenVPN
ovpn    net     ACCEPT  info
ovpn    loc     ACCEPT  info
ovpn    vmn     ACCEPT  info
ovpn    wlan    ACCEPT  info
ovpn    dmz     REJECT  info
ovpn    $FW     REJECT  info
ovpn    all     REJECT  info
#
# Policies for wlan
wlan    net     ACCEPT  info
wlan    loc     REJECT  info
wlan    vmn     REJECT  info
wlan    dmz     REJECT  info
wlan    $FW     ACCEPT  info
wlan    ovpn    REJECT  info
wlan    all     REJECT  info
#
# Policies for l2tp
l2tp    loc     ACCEPT  info
l2tp    net     ACCEPT  info
#
# THE FOLLOWING POLICY MUST BE LAST
all     all     ACCEPT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE ---->

/etc/shorewall/rules

#############################################################################################################
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/
#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
# ...
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP(REJECT)    net             $FW
REJECT          $FW             net             udp     -       1701
# l2tp over the IPsec VPN
ACCEPT          vpn1            $FW             udp     1701
# webserver that can only be accessed internally
HTTP(ACCEPT)    loc             $FW
HTTP(ACCEPT)    l2tp            $FW
HTTPS(ACCEPT)   loc             $FW
HTTPS(ACCEPT)   l2tp            $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

------------------------------------------------------------------------------
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
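Added example, not part of Tony's post and not Shorewall code: a small Python triage script for log lines in the format quoted above. The first sample line is the one from the post; the other three are constructed in the same format (IKE on UDP 500, NAT-T on UDP 4500, a second L2TP attempt), and the `net2fw` chain name in them follows Shorewall's zone2zone chain naming. The script groups REJECT/DROP entries by inbound interface, protocol and destination port, labels the well-known VPN ports (UDP 500 IKE, 4500 IPsec NAT-T, 1701 L2TP, 1194 OpenVPN), and flags entries logged from a built-in chain (INPUT, OUTPUT, FORWARD) rather than a zone-pair chain such as `net2fw`, which tells you the packet was never assigned to any zone pair and that the zone, interface and hosts definitions for the interface it arrived on are the place to look.

```python
"""Triage helper for Shorewall/Netfilter log lines (added example, not Shorewall code)."""
import re
from collections import Counter

# Constructed sample. The first line is the one quoted in the post; the other
# three are made up in the same format to show IKE, NAT-T and a second L2TP
# attempt. "net2fw" follows Shorewall's zone2zone chain naming.
SAMPLE_LOG = """\
Dec 31 19:08:31 router kernel: [81080.616087] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:3e:3e:00:00:2d:11:20:cd:50:bb:67:59:54:39:22:05:1b:2e SRC=80.187.103.89 DST=84.57.34.5 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=15934 PROTO=UDP SPT=62781 DPT=1701 LEN=75
Dec 31 19:08:32 router kernel: [81081.100000] Shorewall:net2fw:ACCEPT:IN=ppp0 OUT= MAC= SRC=80.187.103.89 DST=84.57.34.5 LEN=364 TOS=0x00 PREC=0x00 TTL=45 ID=15935 PROTO=UDP SPT=500 DPT=500 LEN=344
Dec 31 19:08:33 router kernel: [81082.200000] Shorewall:net2fw:ACCEPT:IN=ppp0 OUT= MAC= SRC=80.187.103.89 DST=84.57.34.5 LEN=124 TOS=0x00 PREC=0x00 TTL=45 ID=15936 PROTO=UDP SPT=4500 DPT=4500 LEN=104
Dec 31 19:08:35 router kernel: [81084.300000] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC= SRC=80.187.103.89 DST=84.57.34.5 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=15937 PROTO=UDP SPT=62781 DPT=1701 LEN=75
"""

# Shorewall log prefix "Shorewall:<chain>:<disposition>:" followed by Netfilter KEY=VALUE fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Built-in Netfilter chains: a packet logged here was not matched to any zone pair.
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}

# UDP ports that matter when debugging an IPsec/L2TP or OpenVPN gateway.
WELL_KNOWN_UDP = {500: "IKE", 4500: "IPsec NAT-T", 1701: "L2TP", 1194: "OpenVPN"}


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if the line is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        # Netfilter emits LEN= twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)

    def port(name):
        return int(fields[name]) if fields.get(name) else None

    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "spt": port("SPT"),
        "dpt": port("DPT"),
        "zone_pair_matched": m.group("chain") not in BUILTIN_CHAINS,
    }


def service_name(entry):
    """Label the destination port if it is one of the VPN ports we care about."""
    if entry["proto"] == "UDP" and entry["dpt"] in WELL_KNOWN_UDP:
        return WELL_KNOWN_UDP[entry["dpt"]]
    return f"{entry['proto']}/{entry['dpt']}"


def summarize(log_text):
    """Count REJECT/DROP entries by (in-interface, proto, dport, label) and
    collect those logged from a built-in chain (no zone pair matched)."""
    counts = Counter()
    unzoned = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["disposition"] not in ("REJECT", "DROP"):
            continue
        counts[(entry["in"], entry["proto"], entry["dpt"], service_name(entry))] += 1
        if not entry["zone_pair_matched"]:
            unzoned.append(entry)
    return counts, unzoned


def report(log_text):
    """Human-readable summary lines, returned rather than printed so they can be checked."""
    counts, unzoned = summarize(log_text)
    lines = []
    for (iface, proto, dpt, label), n in counts.most_common():
        lines.append(f"{n:4d} x {label:<12} ({proto} dport {dpt}) dropped/rejected on {iface}")
    if unzoned:
        chains = sorted({e["chain"] for e in unzoned})
        lines.append(f"{len(unzoned)} of these were logged from built-in chain(s) {', '.join(chains)}: "
                     "the packet matched no zone pair, so check the zones/interfaces/hosts "
                     "definitions for the interface it arrived on")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a real syslog extract by replacing SAMPLE_LOG with the file contents; the accepted IKE and NAT-T lines are deliberately left out of the counts so the report shows only what the firewall refused.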
