If you 'shorewall clear' on the IPSEC gateway, does that correct the
problem?

-Tom

On 03/21/2018 02:28 PM, colony.three--- via Shorewall-users wrote:
> The remote phone's Strongswan app is not getting a port 4500 response
> back from the IPSec gateway.  It's trying and waiting for a response on
> port 4500.
> 
> 
> 
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On March 21, 2018 9:35 AM, <colony.th...@protonmail.ch> wrote:
> 
>> I have an IPSec gateway, which is just an OpenStack instance in my
>> LAN.  Remote machines reach it with Strongswan through the LAN
>> gateway.  When I try to set up the VPN using a remote phone and the
>> Strongswan app it gets a good bit of the ways, but times out waiting
>> for a port 4500 response from the IPSec gateway.  The IPSec gateway
>> for its part claims that it'd sent the port 4500 response which never
>> gets there.
>>
>> There are no Shorewall messages in dmesg regarding ports 500 or 4500,
>> in either the IPSec gateway or the LAN gateway.
>>
>> IPSec gateway:
>> rules:
>> # VPN
>> ACCEPT  net     $FW     udp     500,4500 -
>> ACCEPT  $FW     net     udp     500,4500 -
>>
>> snat:
>> MASQUERADE              192.168.111.0/24        eth0
>>
>>
>> LAN gateway:
>> rules
>>
>>
>> # VPN
>> DNAT            net             local:192.168.111.16 udp
>> 500,ipsec-nat-t -      &eth0
>>
>> snat
>> MASQUERADE      10.1.1.30/32,192.168.111.0/24   eth0
>>
>> (10.1.1.30 is the DMZ)
>>
>> The goal is to have all remote machines and all machines in the LAN
>> communicate by VPN transparently.  I'm back to basics with just an
>> IPSec gateway and one remote machine.  I suspect that when I get all
>> the LAN machines on trapped IPSec that the devices which do not
>> support IPSec (printers, Z-wave) will need to reach the rest of the
>> LAN through the IPSec gateway so am using SNAT there.
>>
>> So for some reason it seems that port 4500 is getting blocked outgoing
>> from the IPSec gateway.  For some reason # tcpdump 'tcp port 500' and
>> 4500 yield -nothing- when aimed at the relevant interfaces on both
>> gateways. shorewall_dump.txt forwarded directly to Tom.
> ---------------------------------------------------------------------------------------------------
> On the LAN gateway, I see lots of packets going in to the IPSec gateway
> on (internal) eth1, but none going back out:
> 
> # tcpdump -i eth1 'port 4500'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
> 13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.375540 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.377621 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.380078 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.383287 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.385543 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.398217 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:44.400500 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.426444 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.430634 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.439986 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.445641 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.449896 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.452713 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:46.455215 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.198687 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.203642 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.208845 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.214348 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.218238 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.225086 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.231584 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:49.234940 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.140601 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.145698 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.145745 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.150653 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.154544 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.157221 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.166925 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:26:53.166977 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
> NONESP-encap: isakmp: child_sa  ikev2_auth[I]
> 13:27:02.707053 IP 192.168.111.16.ipsec-nat-t > 172.56.42.131.39547:
> isakmp-nat-keep-alive
> q^C
> 33 packets captured
> 33 packets received by filter
> 0 packets dropped by kernel
> ---------------------------------------------------------------------------------------------------
> ... So no response to the 4500 hails.  The last packet going back out is
> just keepalive.
> 
> Well no sense in checking the LAN gateway's outside interface since we
> see no 4500 response coming back from the IPSec gateway.
> 
> Well, in the IPSec gateway is Strongswan actually sending a 4500
> response back out to all the IKE2 that came in?
> ---------------------------------------------------------------------------------------------------
> Wed, 2018-03-21 13:57 12[ENC] <2> generating payload of type NOTIFY
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 0 U_INT_8
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 1 FLAG
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 2 RESERVED_BIT
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 3 RESERVED_BIT
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 4 RESERVED_BIT
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 5 RESERVED_BIT
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 6 RESERVED_BIT
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 7 RESERVED_BIT
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 8 RESERVED_BIT
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 9 PAYLOAD_LENGTH
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 10 U_INT_8
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 11 SPI_SIZE
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 12 U_INT_16
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 13 SPI
> Wed, 2018-03-21 13:57 12[ENC] <2>   generating rule 14 CHUNK_DATA
> Wed, 2018-03-21 13:57 12[ENC] <2> generating NOTIFY payload finished
> Wed, 2018-03-21 13:57 12[NET] <2> sending packet: from
> 192.168.111.16[500] to 172.56.42.131[42799] (299 bytes)
> Wed, 2018-03-21 13:57 01[JOB] next event in 3s 974ms, waiting
> Wed, 2018-03-21 13:57 04[NET] sending packet: from 192.168.111.16[500]
> to 172.56.42.131[42799]
> Wed, 2018-03-21 13:57 12[MGR] <2> checkin IKE_SA (unnamed)[2]
> Wed, 2018-03-21 13:57 12[MGR] <2> checkin of IKE_SA successful
> Wed, 2018-03-21 13:57 01[JOB] next event in 3s 973ms, waiting
> Wed, 2018-03-21 13:57 01[JOB] got event, queuing job for execution
> Wed, 2018-03-21 13:57 01[JOB] next event in 10s 8ms, waiting
> Wed, 2018-03-21 13:57 09[MGR] checkout IKEv2 SA with SPIs
> a8fad75e552dc267_i 2da2ca50f20be830_r
> Wed, 2018-03-21 13:57 09[MGR] IKE_SA (unnamed)[1] successfully checked out
> Wed, 2018-03-21 13:57 09[IKE] <1> sending keep alive to 172.56.42.131[41197]
> ---------------------------------------------------------------------------------------------------
> Yep sure did.  But did it make it to the IPSec gateway's interface?
> ---------------------------------------------------------------------------------------------------
> # tcpdump -i eth0 'port 4500'
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 14:15:11.790496 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:11.802477 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:11.802512 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:11.803176 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:11.806236 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:11.820669 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:11.823789 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:11.826228 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.797395 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.797418 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.797421 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.798041 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.803177 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.809077 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.814198 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:13.819611 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.617445 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.617505 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.617515 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.617526 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.617533 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.622776 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.630134 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:16.638712 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.528223 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.531369 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.531381 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.533833 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.533844 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.539615 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.544749 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:20.549253 IP 172.56.42.131.50806 >
> cygnus.darkmatter.org.ipsec-nat-t: NONESP-encap: isakmp: child_sa 
> ikev2_auth[I]
> 14:15:30.039021 IP cygnus.darkmatter.org.ipsec-nat-t >
> 172.56.42.131.50806: isakmp-nat-keep-alive
> ^C
> 33 packets captured
> 34 packets received by filter
> 0 packets dropped by kernel
> ---------------------------------------------------------------------------------------------------
> No, it didn't.  How can it not make it from the daemon to the only
> interface in the IPSec gateway?
> 
> 
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> 
> 
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
> 


-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
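The diagnostic carried out by eye in the quoted captures (IKE_AUTH retransmits arriving on UDP 4500 with nothing but a NAT keep-alive going back) can be automated. The following is an added example for this thread, not code from Shorewall, strongSwan or either poster: it re-joins tcpdump records that a mail client wrapped across lines, maps the service names tcpdump prints (`isakmp`, `ipsec-nat-t`) back to ports 500 and 4500, and reports peer pairs that sent IKE messages without ever receiving an IKE reply, counting keep-alives separately so they are not mistaken for a response. The sample capture embedded below is constructed, modelled on the thread's output; the `10.0.0.5` peer is an invented healthy flow for contrast. Note that IKE and NAT-T are UDP, so the filter to use on each interface is `udp port 500 or udp port 4500`.

```python
"""Summarise a tcpdump text capture of IKE/NAT-T traffic (UDP 500/4500) and
flag one-way flows: peers that send IKE messages but never get an IKE reply.
Added example for the Shorewall-users thread; not Shorewall/strongSwan code.
Assumes tcpdump's default one-line text output, possibly wrapped by a mail
client (continuation lines are re-joined before parsing)."""
import re
from collections import defaultdict

# tcpdump substitutes service names for well-known ports; map the IKE ones back.
SERVICE_PORTS = {"isakmp": 500, "ipsec-nat-t": 4500}

# Record layout: "<hh:mm:ss.usec> IP <src>.<port> > <dst>.<port>: <decoded payload>"
_RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+IP\s+"
    r"(?P<src>\S+)\.(?P<sport>[\w-]+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>[\w-]+):\s*(?P<payload>.*)$"
)
_TS_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+\s")
# Banner / summary lines tcpdump prints that are not packet records.
_NOISE_RE = re.compile(r"^(tcpdump:|listening on|\d+ packets|\^C|q\^C)")


def _port(token):
    """Turn a port token (number or tcpdump service name) into an int; -1 if unknown."""
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token, -1)


def join_wrapped_lines(text):
    """Re-join records wrapped onto several lines: a record starts with a
    timestamp, any other non-noise line is a continuation of the previous one."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _NOISE_RE.match(line):
            continue
        if _TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records


def parse_records(text):
    """Parse every IP record into a dict; lines that are not records are skipped."""
    out = []
    for rec in join_wrapped_lines(text):
        m = _RECORD_RE.match(rec)
        if not m:
            continue
        payload = m.group("payload")
        out.append({
            "ts": m.group("ts"),
            "src": m.group("src"), "sport": _port(m.group("sport")),
            "dst": m.group("dst"), "dport": _port(m.group("dport")),
            # "isakmp-nat-keep-alive" is a 1-byte NAT keep-alive, not an IKE message
            "keepalive": "isakmp-nat-keep-alive" in payload,
            "isakmp": "isakmp:" in payload,
        })
    return out


def flow_summary(records):
    """Per unordered peer pair (a, b): IKE messages in each direction plus keep-alives."""
    flows = defaultdict(lambda: {"a_to_b": 0, "b_to_a": 0, "keepalives": 0})
    for r in records:
        a, b = sorted([r["src"], r["dst"]])
        f = flows[(a, b)]
        if r["keepalive"]:
            f["keepalives"] += 1
        elif r["isakmp"]:
            f["a_to_b" if r["src"] == a else "b_to_a"] += 1
    return dict(flows)


def one_way_flows(records):
    """Return (sender, silent_peer, ike_count) for pairs with IKE traffic in one direction only."""
    result = []
    for (a, b), f in flow_summary(records).items():
        if f["a_to_b"] and not f["b_to_a"]:
            result.append((a, b, f["a_to_b"]))
        elif f["b_to_a"] and not f["a_to_b"]:
            result.append((b, a, f["b_to_a"]))
    return result


# Constructed sample, modelled on the captures in the thread (not a real capture).
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
13:26:44.372723 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:26:46.422571 IP 172.56.42.131.39547 > 192.168.111.16.ipsec-nat-t:
NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:27:02.707053 IP 192.168.111.16.ipsec-nat-t > 172.56.42.131.39547:
isakmp-nat-keep-alive
13:28:01.000001 IP 10.0.0.5.4500 > 192.168.111.16.ipsec-nat-t: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
13:28:01.004210 IP 192.168.111.16.ipsec-nat-t > 10.0.0.5.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[R]
5 packets captured
"""

if __name__ == "__main__":
    recs = parse_records(SAMPLE_CAPTURE)
    for sender, peer, n in one_way_flows(recs):
        print(f"one-way: {sender} sent {n} IKE message(s) to {peer}, no IKE reply seen")
```

Run it against `tcpdump -l -i <iface> 'udp port 500 or udp port 4500'` output from each hop (phone side of the LAN gateway, LAN side, then the IPsec gateway's own interface) and the first hop where a pair turns up as one-way is where the reply is being lost; a keep-alive count above zero with zero replies, as in the thread, shows the daemon can reach the wire but is not answering on the port the peer is waiting on.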
