[Shorewall-users] IpSec problem from local box to company server

Les Hazelton seawolf@attglobal.net
Wed, 9 Jan 2002 15:39:52 -0500


I have a problem with my IpSec tunnels. They work for a few minutes and
then die.  My firewall is running shorewall 1.2.2.  The connection to
the net is via ppp0 dial. The local network interface is eth0, which
connects to a LinkSys 10/100 switch. Most of the systems in the house
are for personal use and don't use IpSec. They all work just fine.

The work system is a Thinkpad running Win98-SE and a Nortell Extranet
IpSec client.  This all worked without a problem while I was using an
older Linux kernel and Seawall for the firewall.  When I switched to a
2.4.17 kernel and shorewall, the IpSec problem started.

The message log shows an incoming udp packet rejected at about the same
time as the tunnel failure.  See below:

Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
.... and many more ...

I have not placed any entries in the /etc/shorewall/tunnels file because
it looked to me like that was to define tunnels with endpoints on the
firewall system.  All my tunnels should be masked from local through the
firewall to a company server somewhere in the ether.

I would greatly appreciate any pointers - i.e., what am I doing wrong???

Les Hazelton
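The two dropped packets quoted in the post are ISAKMP (IKE, UDP port 500) traffic from the remote gateway hitting the net2all policy; IKE is the control channel a tunnel uses to negotiate and rekey, so dropping it at the firewall lines up with the tunnel dying a few minutes in. As an added example (not part of the post and not Shorewall's own code), the script below parses Shorewall/netfilter log lines in the format shown above and flags the drops that would break an IPsec tunnel: IKE on UDP 500 or 4500, and ESP/AH payload. The log text it runs on is constructed: the two lines from the post plus an ESP drop and an unrelated TCP drop that I made up for illustration. The field layout it assumes (a `Shorewall:chain:ACTION:` prefix followed by netfilter `key=value` pairs) is the standard kernel LOG target output.

```python
import re
from collections import Counter

# Constructed sample: the two DROP lines quoted in the post, plus an ESP drop
# and an unrelated TCP drop that I made up for illustration. None are real
# captures beyond the two copied from the post.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=140 TOS=0x00 PREC=0x00 TTL=55 ID=25251 PROTO=ESP SPI=0x1a2b3c4d
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=32.226.176.107 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4242 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Shorewall prefixes the kernel LOG output with "Shorewall:<chain>:<action>:".
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")

IKE_PORTS = {"500", "4500"}          # ISAKMP, and NAT-T (UDP-encapsulated ESP)
IPSEC_PROTOS = {"ESP", "AH", "50", "51"}   # names or raw protocol numbers


def parse_line(line):
    """Parse one Shorewall log line into a dict; return None if it is not one."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in KV_RE.findall(m.group("rest")):
        # The line carries LEN= twice (IP total length, then the UDP length);
        # keep the first as LEN and the second as L4LEN.
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"
        rec[key] = val
    return rec


def classify(rec):
    """Label a parsed record by what dropping it does to an IPsec tunnel."""
    proto = rec.get("PROTO", "").upper()
    if proto in IPSEC_PROTOS:
        return "ipsec-data"      # ESP/AH payload: the tunnel's data path is blocked
    if proto == "UDP" and (rec.get("SPT") in IKE_PORTS or rec.get("DPT") in IKE_PORTS):
        return "ike"             # ISAKMP/NAT-T: negotiation, rekey or keepalive blocked
    return "other"


def summarize(log_text):
    """Count DROP records per (chain, classification, source address)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        counts[(rec["chain"], classify(rec), rec.get("SRC"))] += 1
    return counts


if __name__ == "__main__":
    for (chain, kind, src), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{chain:10} {kind:11} {src:16} {n} dropped")
```

Run against the constructed sample it reports two IKE drops and one ESP drop from the same remote gateway, which is the pattern to look for when a tunnel that passes through a masquerading firewall dies after a few minutes: the remote side's rekey or keepalive arrives on UDP 500 after the firewall's connection-tracking entry for the original outbound exchange has expired, so it is treated as a new inbound connection and falls to the net2all policy.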
