shorewall-4.6.13-0base
openswan-2.6.32-9.el5
CentOS release 5.11
xl2tpd-1.2.8-1
Hi,

I'm migrating a working VPN+L2TP from an ADSL (7Mb/700Kb) link on one host to a symmetric link (9.5Mb/9.5Mb) on another host.

The old, working link is configured under shorewall-4.5.0.3-1.el5 and used DNAT to transmit L2TP port packets to the internal interface:

rules:
DNAT   roadw   $FW:192.168.0.13   udp   1701   1701

This has been working for some years now and I'm not sure any more why I configured it that way.

Anyway, I've started afresh on the new setup following the http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP article, but I can't establish a link through L2TP. The VPN comes up OK but the L2TP packets are being rejected:

Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122

A packet trace on the firewall's external interface shows the following:

Capturing on eth1
 0.000000 165.228.94.4 -> 115.70.189.243 ISAKMP Identity Protection (Main Mode)
 0.001157 115.70.189.243 -> 165.228.94.4 ISAKMP Identity Protection (Main Mode)
 0.103565 165.228.94.4 -> 115.70.189.243 ISAKMP Identity Protection (Main Mode)
 0.112520 115.70.189.243 -> 165.228.94.4 ISAKMP Identity Protection (Main Mode)
 0.181415 165.228.94.4 -> 115.70.189.243 IP Fragmented IP protocol (proto=UDP 0x11, off=0)
 0.181417 165.228.94.4 -> 115.70.189.243 ISAKMP Identity Protection (Main Mode)
 0.190797 115.70.189.243 -> 165.228.94.4 ISAKMP Identity Protection (Main Mode)
 0.249522 165.228.94.4 -> 115.70.189.243 ISAKMP Quick Mode
 0.252591 115.70.189.243 -> 165.228.94.4 ISAKMP Quick Mode
 0.283461 165.228.94.4 -> 115.70.189.243 ISAKMP Quick Mode
 0.283462 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
 0.283679 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
 1.284393 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
 1.284578 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
 3.283471 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
 3.283669 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
 7.347466 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
 7.347743 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
15.287539 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
15.287705 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
19.578550 165.228.94.4 -> 115.70.189.243 UDPENCAP
25.289245 165.228.94.4 -> 115.70.189.243 ESP ESP (SPI=0xbb1e40f4)
25.289446 115.70.189.243 -> 165.228.94.4 ICMP Destination unreachable (Port unreachable)
35.295989 165.228.94.4 -> 115.70.189.243 ISAKMP Informational
35.297476 115.70.189.243 -> 165.228.94.4 ISAKMP Informational
35.301936 165.228.94.4 -> 115.70.189.243 ISAKMP Informational
35.427432 115.70.189.243 -> 165.228.94.4 ISAKMP Informational

Can someone please point me in the right direction?
Kind regards,
Tom

interfaces:
-       eth1        tcpflags,nosmurfs,routefilter,logmartians
loc     eth0        dhcp,routeback,tcpflags,nosmurfs,logmartians
v1015   eth4.1015   routeback,tcpflags,nosmurfs,logmartians
v1031   eth4.1031   tcpflags,nosmurfs,logmartians
motex   eth2        tcpflags,nosmurfs,logmartians
dmz     eth3        tcpflags,nosmurfs,logmartians
l2tp    ppp+        -

zones:
fw      firewall
net     ipv4
loc     ipv4
v1015   ipv4
v1031   ipv4
dmz     ipv4
motex   ipv4
roadw   ipsec       mode=tunnel   mss=1400
l2tp    ipv4

tunnels:
ipsecnat   net     0.0.0.0/0   roadw
l2tp       roadw   0.0.0.0/0

hosts:
net     eth1:0.0.0.0/0
roadw   eth1:0.0.0.0/0

policy:
loc     net     ACCEPT
loc     v1015   ACCEPT
v1015   loc     ACCEPT
loc     l2tp    ACCEPT          # Allows local machines to connect to road warriors
l2tp    loc     ACCEPT          # Allows road warriors to connect to local machines
l2tp    net     ACCEPT          # Allows road warriors to connect to the internet
v1031   net     ACCEPT
net     v1031   ACCEPT
motex   net     ACCEPT   info
net     motex   ACCEPT   info
net     all     DROP     info
all     all     REJECT   info

rules:
?SECTION ESTABLISHED
?COMMENT Road Warriors
# prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT)   net     $FW
REJECT         $FW     net     udp   -      1701
# l2tp over the IPsec VPN
ACCEPT         roadw   $FW     udp   1701

-- 
Tom Robinson
IT Manager/System Administrator
MoTeC Pty Ltd
121 Merrindale Drive
Croydon South 3136
Victoria
Australia
T: +61 3 9761 5050
F: +61 3 9761 5051
E: [email protected]
------------------------------------------------------------------------------
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
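Added example, not part of Tom's post and not Shorewall code: a small Python parser for the "Shorewall:<chain>:<disposition>:" kernel log format quoted above, which groups denied packets by chain, inbound interface, protocol, source and destination port so that a burst of rejects such as the four UDP/1701 lines stands out from the rest of the log. The sample input is constructed: it embeds the four REJECT lines from the post plus two lines made up here (a DROP of TCP/22 from the documentation address 203.0.113.7 in a chain I named "net-fw", and a non-Shorewall kernel line) to show that other dispositions are counted separately and unrelated lines are skipped. Function names are my own.

```python
"""Summarise Shorewall/netfilter REJECT and DROP log lines by flow.

Added example for triaging a kernel log excerpt like the one in the post;
it is not part of Shorewall and not code from the original message.
"""
import re
from collections import Counter

# Constructed sample input: the four REJECT lines quoted in the post, plus one
# DROP line and one unrelated kernel line made up here (203.0.113.7 is a
# documentation address, "net-fw" an assumed chain name).
SAMPLE_LOG = """\
Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:01:10 fw2 kernel: Shorewall:net-fw:DROP:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=203.0.113.7 DST=115.70.189.243 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 21 09:01:11 fw2 kernel: eth1: link is up
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# standard netfilter key=value fields (plus bare flag tokens such as DF, SYN).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "flags": [],
    }
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # LEN occurs twice (IP total length, then the UDP/L4 length);
            # keep the first occurrence so rec["LEN"] is the IP length.
            rec.setdefault(key, value)
        else:
            rec["flags"].append(tok)  # bare tokens such as DF, SYN, ACK
    return rec


def summarize(lines, dispositions=("REJECT", "DROP")):
    """Count denied packets per (chain, in-iface, proto, src, dport)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["disposition"] not in dispositions:
            continue
        key = (rec["chain"], rec.get("IN", ""), rec.get("PROTO", ""),
               rec.get("SRC", ""), rec.get("DPT", ""))
        counts[key] += 1
    return counts


def flows_to_port(counts, proto, dport):
    """Pick out the denied flows for one service, e.g. ("UDP", "1701")."""
    return {k: n for k, n in counts.items() if k[2] == proto and k[4] == dport}


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG.splitlines())
    for (chain, iface, proto, src, dport), n in totals.most_common():
        print(f"{n:4d}  {chain:<8} in={iface:<6} {proto:<4} {src:>15} -> dport {dport}")
    print("L2TP hits:", flows_to_port(totals, "UDP", "1701"))
```

Feed it the output of `grep Shorewall /var/log/messages` and look at the chain column: a packet denied in INPUT, net-fw or roadw-fw tells you which zone Shorewall placed the packet in, which is the first thing to settle when a rule written for one zone (here ACCEPT roadw $FW udp 1701) does not seem to match.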
