[Shorewall-users] New style ipsec tunnels in Linux 2.6
fraser at wehave.net
Thu Dec 11 21:13:58 PST 2003
I am experimenting with the ipsec support built into the linux 2.6 kernel
(using a backport of the 2.6 ipsec stack to 2.4.22). The vpn side of things
is working fine but I'm having some problems with shorewall since this ipsec
implementation doesn't use a dedicated device for decrypted traffic (i.e.
ipsec0 or tun0).
Here's a tcpdump showing traffic on my external interface (ppp0):
tcpdump: listening on ppp0
20:21:59.439357 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4b)
20:21:59.439357 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
20:22:00.438199 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4c)
20:22:00.438199 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
20:22:01.437490 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4d)
20:22:01.437490 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
The decrypted traffic is being denied since it's recognized as part of my net
zone, instead of as part of my vpn zone:
Dec 11 20:27:03 torridon kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth0 SRC=10.42.42.2 DST=10.142.254.1 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5389 SEQ=2304
Here's how I've tried to set it up ...
net Net Internet
loc Local Local networks
vpn VPN Office LAN
loc eth0 detect
# This just doesn't feel right
generic:esp net remote_gw # remote_gw is really an IP address
Does anyone have any ideas? I've looked at all of the tunnelling examples that
I can find in the docs but none of them seem to quite fit this situation.
I've manually "fixed" shorewall for now by adding the following rule to
run_iptables -I net2all 3 -i ppp0 -o eth0 -s 10.42.42.0/24 \
-d 10.142.254.0/24 -j ACCEPT
If anyone thinks they can help me out with this I'd be happy to include more
information on my config. My apologies if I've missed an FAQ or something
obvious in the docs.
Fraser Campbell <fraser at wehave.net> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
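Added example, not part of the original post and not Shorewall code. The capture above shows the key property of the 2.6 native IPsec stack: the decrypted packet is re-injected on the same interface (ppp0) right behind the ESP packet it came out of, so any interface-based zone assignment sees it as "net". The manual workaround in the post accepts by source address, which means a cleartext packet arriving from the Internet with a spoofed 10.42.42.x source would also be accepted. The kernel-level way to distinguish the two cases is the netfilter policy match (`-m policy --dir in --pol ipsec`), which tests whether a packet was actually received inside an IPsec SA. The script below reconstructs that distinction from the post's tcpdump lines: it marks a plaintext packet as decrypted when it immediately follows an ESP packet with the same timestamp, then compares an address-based classifier with a policy-based one. The `decrypted` flag, the `Packet` type and the final cleartext line of the capture are constructed for this example; addresses and zone names come from the post.

```python
"""Zone classification of native-IPsec traffic: address-based vs policy-based.

Added example (assumptions labelled inline); not code from the original post.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks taken from the post: office LAN behind remote_gw, and the local LAN.
VPN_NET = ip_network("10.42.42.0/24")
LOC_NET = ip_network("10.142.254.0/24")

# tcpdump output from the post, plus one CONSTRUCTED last line: a cleartext
# packet with a 10.42.42.x source that was never carried in an ESP packet
# (i.e. what a spoofed packet from the Internet would look like on ppp0).
TCPDUMP = """\
20:21:59.439357 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4b)
20:21:59.439357 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
20:22:00.438199 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4c)
20:22:00.438199 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
20:22:00.500000 10.42.42.2 > 10.142.254.1: icmp: echo request (DF)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")


@dataclass(frozen=True)
class Packet:
    """Hypothetical packet record for this example."""
    iface: str
    src: str
    dst: str
    # Stands for what xt_policy (-m policy --dir in --pol ipsec) tests on a
    # 2.6 kernel: the packet was delivered out of an inbound IPsec SA.
    decrypted: bool


def packets_from_tcpdump(text, iface="ppp0"):
    """Parse tcpdump lines into Packet records.

    A plaintext packet is marked decrypted when the immediately preceding line
    is an ESP packet with the same timestamp, which is how the re-injected
    decrypted packet shows up in the post's capture.
    """
    pkts = []
    prev_esp_ts = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["rest"].startswith("ESP("):
            prev_esp_ts = m["ts"]
            continue
        decrypted = prev_esp_ts == m["ts"]
        prev_esp_ts = None
        pkts.append(Packet(iface, m["src"], m["dst"], decrypted))
    return pkts


def zone_address_based(pkt):
    """Mimics the post's workaround: any 10.42.42.0/24 source on ppp0 is 'vpn'."""
    if pkt.iface == "eth0":
        return "loc"
    if pkt.iface == "ppp0" and ip_address(pkt.src) in VPN_NET:
        return "vpn"
    return "net"


def zone_policy_based(pkt):
    """Mimics a policy-match rule: only traffic that really came out of an
    IPsec SA is 'vpn'; cleartext on ppp0 stays 'net' whatever its source."""
    if pkt.iface == "eth0":
        return "loc"
    if pkt.iface == "ppp0" and pkt.decrypted and ip_address(pkt.src) in VPN_NET:
        return "vpn"
    return "net"


def classify(text=TCPDUMP):
    """Return (src, decrypted, address_zone, policy_zone) for each plaintext packet."""
    return [
        (p.src, p.decrypted, zone_address_based(p), zone_policy_based(p))
        for p in packets_from_tcpdump(text)
    ]


if __name__ == "__main__":
    for src, dec, az, pz in classify():
        print(f"{src} decrypted={dec} address-based={az} policy-based={pz}")
```

The two genuine packets land in "vpn" under both classifiers; the constructed cleartext packet is still "vpn" for the address-based rule but "net" for the policy-based one, which is the difference that matters once a decrypted flow no longer has its own ipsec0/tun0 device to key the zone on.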