On 24/10/2015 9:40 AM, Tom Eastep wrote:
> On 10/22/2015 4:06 PM, Tom Robinson wrote:
>> On 23/10/15 04:29, Tom Eastep wrote:
>>> On 10/21/2015 10:07 PM, Tom Robinson wrote:
>>>> On 22/10/15 12:57, Tom Eastep wrote:
>>>>> On 10/20/2015 3:53 PM, Tom Robinson wrote:
>>>>>> shorewall-4.6.13-0base
>>>>>> openswan-2.6.32-9.el5
>>>>>> CentOS release 5.11
>>>>>> xl2tpd-1.2.8-1
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm migrating a working VPN+L2TP from an ADSL (7Mb/700Kb) link on one
>>>>>> host to a Symmetric link (9.5Mb/9.5Mb) on another host. The old, working
>>>>>> link is configured under shorewall-4.5.0.3-1.el5 and used DNAT to
>>>>>> transmit L2TP port packets to the internal interface:
>>>>>>
>>>>>> rules:
>>>>>> DNAT roadw $FW:192.168.0.13 udp 1701 1701
>>>>>>
>>>>>> This has been working for some years now and I'm not sure any more why I
>>>>>> configured it that way.
>>>>>>
>>>>>> Anyway I've started afresh on the new setup following the
>>>>>> http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP article but I can't
>>>>>> establish a link through L2TP. The VPN comes up OK but the L2TP packets
>>>>>> are being rejected:
>>>>>>
>>>>>> Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>>>> Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>>>> Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>>>> Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>>>>
>>>>> Check Shorewall FAQ 17 -- Rejections in the INPUT chain mean that the
>>>>> eth1:165.228.94.4 is not in any defined zone.
>>>> Hi Tom,
>>>>
>>>> Thanks for that. I've looked at FAQ 17 which makes sense but I'm still
>>>> confused. The VPN I'm configuring is for Road Warriors and as such I won't
>>>> know the SRC address whence they are connecting.
>>>>
>>>> The 165.228.94.4 address is the SRC of the Road Warrior connection
>>>> (Windows VPN Client end). The DST of 115.70.189.243 is the entry point to
>>>> the office network (our external interface's IP address on the Shorewall
>>>> configuration). I can't feasibly know all Road Warrior external addresses
>>>> and list them.
>>>>
>>>> What am I missing here?
>>> Please forward the output of 'shorewall dump' collected as described at
>>> http://www.shorewall.org/support.htm#Guidelines.
>> Hi Tom,
>>
>> I took the time to upgrade from 4.6.13 to 4.6.13.2 but it didn't change
>> the issue. In any case I've attached the dump file as requested.
>>
> Check your rules file, Tom -- it appears that you have the port 1701
> rule in the ESTABLISHED section rather than in the NEW section.
>
Got it! It was the mode option of the roadw zone. I am using transport mode on the VPN but had set mode=tunnel in the zone file, putting the policy match out of alignment.

zones:
roadw ipsec mode=transport mss=1400

I'm still confused by the documentation, though. Do any of these rules go in ESTABLISHED? (From http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP):

/etc/shorewall/rules:
#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE
#                                                       PORT(S) PORT(S)
SECTION ESTABLISHED
# Prevent IPsec bypass by hosts behind a NAT gateway
L2TP(REJECT)    net             $FW
REJECT          $FW             net             udp     -       1701
# l2tp over the IPsec VPN
ACCEPT          vpn             $FW             udp     1701
# webserver that can only be accessed internally
HTTP(ACCEPT)    loc             $FW
HTTP(ACCEPT)    l2tp            $FW
HTTPS(ACCEPT)   loc             $FW
HTTPS(ACCEPT)   l2tp            $FW
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
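As an added example (my own code, not the thread's and not part of Shorewall), a small Python checker for the two points the thread turns on: it parses Shorewall kernel log lines of the kind quoted above and lists sources that were logged out of a netfilter base chain (the FAQ 17 symptom: the packet was never assigned to a zone), and it reports which SECTION of a rules file each udp/1701 rule sits in, which is the check Tom Eastep's reply asks for. Function names are invented; the second log line and the rules fragment are constructed; it assumes that rules before any SECTION header count as NEW and that the L2TP macro stands for udp/1701.

```python
import re

# Constructed sample input: the first kernel log line quoted in the thread, plus one
# made-up line logged from a zone-to-zone chain (203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:01:10 fw2 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=115.70.189.243 LEN=60 PROTO=TCP SPT=51000 DPT=23
"""

# Constructed rules fragment in the shape of the thread's excerpt, with the udp/1701
# rules under SECTION ESTABLISHED as Tom Eastep's reply describes.
SAMPLE_RULES = """\
SECTION ESTABLISHED
L2TP(REJECT)    net     $FW
REJECT          $FW     net     udp     -       1701
ACCEPT          vpn     $FW     udp     1701
"""

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<kv>.*)$")
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD"}   # netfilter base chains, not zone pairs

def parse_log(text):
    """Parse Shorewall LOG lines into dicts holding chain, disposition and the k=v fields."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        e = {"chain": m.group("chain"), "disp": m.group("disp")}
        for tok in m.group("kv").split():
            k, _, v = tok.partition("=")
            e.setdefault(k, v)          # keep the first LEN (IP length), ignore the UDP one
        entries.append(e)
    return entries

def no_zone_sources(entries):
    """FAQ 17: a packet logged from a base chain was never assigned a zone; list (iface, src)."""
    return sorted({(e["IN"], e["SRC"]) for e in entries if e["chain"] in BUILTIN_CHAINS})

def udp1701_sections(rules_text):
    """Return (section, action, source, dest) for each rule touching udp/1701 or the L2TP macro."""
    section, found = "NEW", []          # assumption: rules before any SECTION line are NEW
    for raw in rules_text.splitlines():
        cols = (raw.split("#", 1)[0].split() + [""] * 6)[:6]   # ACTION SOURCE DEST PROTO DPORT SPORT
        if cols[0].upper() == "SECTION":
            section = cols[1].upper()
        elif cols[0].upper().startswith("L2TP(") or (cols[3].lower() == "udp" and "1701" in cols[4:6]):
            found.append((section, cols[0], cols[1], cols[2]))
    return found
```

Run against the sample data, no_zone_sources() names eth1/165.228.94.4 from the INPUT:REJECT lines while the net2fw line is left alone, and udp1701_sections() shows all three L2TP rules sitting in ESTABLISHED.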
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
