[Shorewall-users] Need help with IPSEC, net view and shorewall

Alois Schneider alois@sillian.com
Sat, 06 Apr 2002 11:21:35 +0200


--On Freitag, 5. April 2002 13:56 -0800 Tom Eastep <teastep@shorewall.net> 
wrote:

> On Fri, 5 Apr 2002, Alois Schneider wrote:
>
>>
>>
>> --On Freitag, 5. April 2002 12:55 -0800 Tom Eastep
>> <teastep@shorewall.net> wrote:
>>
>> > On Fri, 5 Apr 2002, Alois Schneider wrote:
>> >
>> >> > You need UDP port 500 and protocols 51 and 51 open to this user's
>> >> > system. After a period of inactivity, either end of a VPN tunnel can
>> >> > suddenly become active; if iptables connection tracking has timed
>> >> > out the connection and the remote end is the first to speak, you
>> >> > will see problems like you describe.
>> >>
>> >> Where do I have to open UDP port 500 and protocols 51?
>> >>
>> >
>> > In the rules file.
>> >
>>
>> I have the following configuration:
>>
>> interfaces:
>> # ZONE    INTERFACE    BROADCAST        OPTIONS
>> net       eth0         x.x.x.x          norfc1918
>> loc       tr0          192.168.1.255    routestopped
>> dmz       eth1         192.168.10.255   routestopped
>> loc       ipsec0
>>
>> zones:
>> net    Net      Internet
>> loc    Local    Local Networks
>> dmz    DMZ      Demilitarized zone
>>
>> are these rules correct?
>> ACCEPT		loc	net		udp	500
>> ACCEPT		loc	net		51
>>
>> or do I need the rules the other way round?
>>
>
> Assuming that your loc->net policy is ACCEPT, you need the rules the other
> way around.
>

Ok, I added the rules *) but the problem still exists. After some time of 
inactivity I cannot ping across the tunnel and get the following errors:

*) ACCEPT		net	loc		udp	500
   ACCEPT		net	loc		51
and
loc	net		ACCEPT in policy



Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=x.x.x.x DST=y.y.y.y LEN=328 
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308
Pluto[15685]: "Alois" y.y.y.y #3: responding to Quick Mode
Pluto[15685]: ERROR; "Alois" y.y.y.y #3: sendto y.y.y.y:500 failed in 
STATE_QUICK_R0. Errno1: Operation not permitted
Pluto[15685]: "Alois" y.y.y.y #3: ERROR: asynchronous network error report 
on eth0 for message to y.y.y.y port 500, complainant x.x.x.x: Connection 
refused
Pluto[15685]: "Alois" y.y.y.y #3: discarding duplicate packet; allready 
STATE_QUICK_R1

Thank you for your help,
Alois
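The REJECT line in the post has an empty IN= and OUT=ipsec0, which is how Shorewall logs a packet the firewall itself sent out through an interface that the interfaces file places in the loc zone, so it is fw->loc traffic, not net->loc. The following Python script is an added example, not part of the original thread or of Shorewall: it reads the interfaces file posted above, parses Shorewall REJECT lines, maps the IN/OUT interfaces to zones (empty IN means the firewall zone, "fw" by default) and prints the rules-file line that would have accepted each rejected IPsec packet. IPsec needs IKE on udp/500 plus IP protocols 50 (ESP) and 51 (AH), the IANA assignments; the two extra ESP and AH log lines are constructed to exercise that mapping, and netfilter's LOG target prints those protocols by name.

```python
import re

# Constructed sample: the interfaces file from the post (zone and interface
# columns are all this script needs).
INTERFACES_FILE = """\
# ZONE    INTERFACE      BROADCAST       OPTIONS
net     eth0    x.x.x.x          norfc1918
loc     tr0        192.168.1.255          routestopped
dmz     eth1   192.168.10.255        routestopped
loc     ipsec0
"""

# Constructed samples: the first is the REJECT line from the post (placeholder
# addresses kept); the ESP and AH lines are assumed, added to exercise the
# protocol mapping.
LOG_LINES = [
    "Shorewall:all2all:REJECT:IN= OUT=ipsec0 SRC=x.x.x.x DST=y.y.y.y LEN=328 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=308",
    "Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=y.y.y.y DST=x.x.x.x LEN=120 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=ESP SPI=0x1234",
    "Shorewall:all2all:REJECT:IN=eth0 OUT= SRC=y.y.y.y DST=x.x.x.x LEN=120 "
    "TOS=0x00 PREC=0x00 TTL=52 ID=4712 DF PROTO=51",
]

FW_ZONE = "fw"  # Shorewall's default name (FW=fw) for the firewall itself

# IP protocol numbers IPsec uses besides IKE on udp/500 (IANA assignments).
PROTO_NUMBERS = {"ESP": 50, "AH": 51}


def parse_interfaces(text):
    """Map interface name -> zone from a Shorewall interfaces file."""
    ifmap = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        zone, iface = line.split()[:2]
        ifmap[iface] = zone
    return ifmap


def parse_log(line):
    """Split a Shorewall log line into chain, action and its KEY=VALUE fields."""
    m = re.match(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {}
    for tok in m.group("rest").split():
        if "=" in tok:                  # flags such as DF carry no value
            key, value = tok.split("=", 1)
            fields[key] = value
    return {"chain": m.group("chain"), "action": m.group("action"), "fields": fields}


def zone_of(iface, ifmap):
    """Empty IN= means the firewall sent the packet; empty OUT= means it was for the firewall."""
    return FW_ZONE if iface == "" else ifmap[iface]


def suggest_rule(line, ifmap):
    """Return the rules-file line (ACTION SOURCE DEST PROTO [PORT]) that would
    have accepted the logged packet, or None if it is not IPsec traffic."""
    fields = parse_log(line)["fields"]
    src = zone_of(fields.get("IN", ""), ifmap)
    dst = zone_of(fields.get("OUT", ""), ifmap)
    proto = fields.get("PROTO", "").upper()
    if proto == "UDP" and fields.get("DPT") == "500":
        return "ACCEPT\t%s\t%s\tudp\t500" % (src, dst)
    number = PROTO_NUMBERS.get(proto)
    if number is None and proto.isdigit():   # LOG prints unknown protocols numerically
        number = int(proto)
    if number in PROTO_NUMBERS.values():
        return "ACCEPT\t%s\t%s\t%d" % (src, dst, number)
    return None


def ipsec_rules_for(log_lines, ifmap):
    """Deduplicated rules, in first-seen order, for every rejected IPsec packet."""
    rules = []
    for line in log_lines:
        rule = suggest_rule(line, ifmap)
        if rule and rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in ipsec_rules_for(LOG_LINES, parse_interfaces(INTERFACES_FILE)):
        print(rule)
```

Run against the line from the post it prints `ACCEPT fw loc udp 500`, i.e. the missing rule is for the firewall zone as source, because the IKE retransmit to y.y.y.y was routed over ipsec0 once the tunnel's route was in place. The script only reports what was rejected; connection-tracking timeouts (the case Tom describes, where the remote end speaks first after idle time) show up as net->fw or net->loc rejects of the same three protocols, which is why rules in both directions are the practical answer.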