Timothy Selivanow | 1 May 2008 17:56

Need help getting IPSEC VPN to work with Shorewall

I've looked at a number of docs for a couple of days now, and while I've
made some progress, I've hit a wall that is baffling me.

I've attached the output of `shorewall dump` from the two machines.
Both are running CentOS 5, Shorewall 3.4.6 (I'm willing to upgrade, but
I didn't think that the conf would be too different than 4.x, so I
wanted to get the VPN up first), and both are using the 'Red Hat' way of
configuring IPSEC (as you can see from the output of `shorewall dump`,
the VPN does negotiate...) and it is a network-to-network tunnel.

On one host (calling it 'host1' in this email), whenever I try to ping
the other network (the other is 192.168.42.0, and it doesn't matter what
host I try to ping, or from what host), I get logs like the following:

Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.47.1 DST=192.168.42.1
LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=55376 SEQ=1

On the other host (calling it 'host2'), I get a completely different
log:

Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=69.30.99.148 DST=69.30.46.20
LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=25966 DF PROTO=ESP SPI=0xccd0a1c

Host1 is a Xen server, with the following network configurations:
#Interface	Xen bridge	Role/routing/forwarding
eth0		xenbr0		plain bridge, 69.30.46.0/24
dummy0		xenbr1		NAT to eth0, 192.168.47.0/24
dummy1		xenbr2		nothing, 10.42.47.0/24


Roberto C. Sánchez | 1 May 2008 20:18

Re: Need help getting IPSEC VPN to work with Shorewall

I have to run now, so I can't look at the dumps.  I am just going to
make some guesses.

On Thu, May 01, 2008 at 08:56:28AM -0700, Timothy Selivanow wrote:
> 
> Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.47.1 DST=192.168.42.1
> LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
> ID=55376 SEQ=1
> 
Your policy file does not specify a policy for traffic going out into
the tunnel.  Your all2all policy is to REJECT, hence the rejection.
Either that, or you need routeback in the interfaces file and you don't
have it.

> 
> Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=69.30.99.148 DST=69.30.46.20
> LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=25966 DF PROTO=ESP SPI=0xccd0a1c
> 
This one almost certainly looks like it is missing routeback.  Your src
address is the one you note below as being part of eth0's segment.
However, the dst address and out interface are heading to eth0.

I'll try and look more later.

Regards,

-Roberto

-- 
Roberto C. Sánchez
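To make the two log lines above easier to reason about, here is an added Python parser for Shorewall's default `Shorewall:%s:%s:` log prefix followed by the Netfilter key=value fields; it is example code, not part of the thread or of Shorewall, and the `where_to_look` heuristic simply encodes the two diagnoses given in this reply (catch-all `all2all` policy, missing `routeback`), not Shorewall's own logic.

```python
import re

# Constructed copies of the two log lines quoted in the thread above.
SAMPLE_LOGS = [
    "Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.47.1 DST=192.168.42.1 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=55376 SEQ=1",
    "Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=69.30.99.148 DST=69.30.46.20 "
    "LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=25966 DF PROTO=ESP SPI=0xccd0a1c",
]

# Matches the default LOGFORMAT "Shorewall:%s:%s:" (chain, disposition) that
# precedes the Netfilter key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)")


def parse_shorewall_log(line):
    """Split one Shorewall/Netfilter log line into chain, disposition and fields (None if not one)."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition"), "flags": []}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # ICMP lines carry two ID= fields (IP id, then ICMP id); keep the IP one.
            rec.setdefault(key, val)
        else:
            rec["flags"].append(tok)  # bare flags such as DF / MF
    return rec


def where_to_look(rec):
    """Heuristic pointer from a REJECT record to the Shorewall config area to inspect."""
    # Assumption: an empty IN= means the packet was generated by the firewall itself.
    if rec is None or rec["disposition"] != "REJECT":
        return "not a Shorewall rejection"
    origin = "firewall itself" if rec.get("IN", "") == "" else rec["IN"]
    if rec["chain"] == "OUTPUT" and rec.get("PROTO") == "ESP":
        return (f"ESP from the {origin} out {rec['OUT']}: check routeback on "
                f"{rec['OUT']} and the fw policy towards {rec['DST']}")
    if rec["chain"] == "all2all":
        return (f"{rec['SRC']}->{rec['DST']} fell through to the all2all policy: "
                f"add a policy/rule for that zone pair (or routeback on {rec['OUT']})")
    return f"rejected in chain {rec['chain']}: check that chain's policy"
```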

Tom Eastep | 1 May 2008 22:02

Re: Need help getting IPSEC VPN to work with Shorewall

Timothy Selivanow wrote:
> I've looked at a number of docs for a couple of days now, and while I've
> made some progress, I've hit a wall that is baffling me.

That's because you are trying to use ESP within AH. None of the
Shorewall documents cover that setup since AH is rarely used and the
method for defining its use to Netfilter is pretty much undocumented.

Getting this to work with Shorewall is going to take a lot of time, a
lot of experimentation and acquiring a lot of knowledge about how both
the Netfilter 'policy' match works and how IPSEC works. I personally
don't have the time right now to get involved.

Sorry,
-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
-------------------------------------------------------------------------

Benedict simon | 4 May 2008 10:08

query regarding shorewall

Dear All,

I would like to know if shorewall works perfectly on Ubuntu 8.04.
Has anybody been using it, and which version of shorewall?

Appreciate your help.

Thanks and regards

-- 
Network ADMIN
-------------
KUWAIT MUNICIPALITY:


Paul Gear | 4 May 2008 12:43

Re: query regarding shorewall

Benedict simon wrote:
> Dear All,
> 
> I would like to know if shorewall works perfectly on Ubuntu 8.04.
> has anybody been using it and which version of shorewall
> 
> apprecite your help

It works perfectly on 7.10, so it's very unlikely that it will have any
major problems on 8.04.  That said, I haven't upgraded any Shorewall
systems to 8.04 yet, so I can't say that it works perfectly.  But you
should be confident.  I use Roberto's etch packages by putting the
following in /etc/apt/sources.list.d/shorewall.list:
deb http://people.connexer.com/~roberto/debian/ etch main

Paul

Mekabe Ramein | 4 May 2008 12:49

various logs activated - how to disable

Hi,
 
My Shorewall was working fine without any problems. I was managing it through the webmin module.
I was not receiving any unwanted logs.
Then I just wanted to see the logging feature and enabled some logs from the webmin shorewall module. (debug level)
Now I am receiving a lot of logs all in kern.log, debug and syslog files.
Also my "dmesg" output is full of shorewall logs.
 
I want to get rid of them. How can I disable all logging facilities of Shorewall?
 
Btw, I disable what I activated from the webmin module and now it is disabled on the GUI.
 
I need urgent help.
 
Thanks...
 
Paul Gear | 4 May 2008 14:49

Re: various logs activated - how to disable

Mekabe Ramein wrote:
> Hi,
> 
> My Shorewall was working fine without any problems. I was managing it
> through the webmin module.
> I was not receiving any unwanted logs.
> Then I just wanted to see the logging feature and enabled some logs from the
> webmin shorewall module. (debug level)
> Now I am receiving a lot of logs all in kern.log, debug and syslog files.
> Also my "dmesg" output is full of shorewall logs.
> 
> I want to get rid of them. How can I disable all logging facility of
> Shorewall ?
> 
> Btw, I disable what I activated from the webmin module and now it is
> disabled on the GUI.

Which part did you enable logging on?  If the policies or the rules
file, use the appropriate webmin button to edit the config file
manually.  In the policies file the log level is the 4th field.  Delete
it on each non-comment line where it occurs.  In the rules file it is
after the action, preceded by a colon, e.g. REJECT:debug.  Delete the
colon and the log level.

Paul
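The edit Paul describes (drop the 4th LOG LEVEL column of the policy file, drop the `:level` suffix from the ACTION column of the rules file), as an added Python example that is not from the thread or from Shorewall itself. The sample files are constructed; the code assumes the standard column layout in which `-` marks an empty column, so a level followed by a LIMIT:BURST value is replaced by `-` rather than deleted.

```python
import re

# Constructed sample files in the Shorewall column layout ('-' = empty column).
SAMPLE_POLICY = """\
#SOURCE  DEST  POLICY  LOG LEVEL  LIMIT:BURST
loc      net   ACCEPT
net      all   DROP    debug
fw       net   ACCEPT  info       10/sec:40
all      all   REJECT  debug
"""

SAMPLE_RULES = """\
#ACTION        SOURCE  DEST  PROTO  DEST PORT(S)
SECTION NEW
ACCEPT         loc     net   tcp    80
REJECT:debug   net     loc   tcp    23
DROP:info:bad  net     fw    tcp    22
"""

# ACTION[:level[:tag]] at the start of a rules line; a comment never matches
# because the first token may not begin with '#'.
RULE_LEVEL_RE = re.compile(r"^(\s*[^\s:#]+):\S*")


def strip_policy_log_levels(text):
    """Remove the 4th (LOG LEVEL) column; returns (new_text, levels_removed)."""
    out, removed = [], 0
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 4 or fields[3] == "-":
            out.append(line)          # comment, blank, or no level set
            continue
        removed += 1
        if len(fields) >= 5:
            fields[3] = "-"           # keep LIMIT:BURST in its own column
        else:
            del fields[3]
        out.append("\t".join(fields))
    return "\n".join(out) + "\n", removed


def strip_rule_log_levels(text):
    """Drop ':level[:tag]' from the ACTION column; returns (new_text, levels_removed)."""
    out, removed = [], 0
    for line in text.splitlines():
        new_line, n = RULE_LEVEL_RE.subn(r"\1", line)
        removed += n
        out.append(new_line)
    return "\n".join(out) + "\n", removed
```

Run the two functions over the real files, write the results back, and then `shorewall restart` (or `shorewall check` first) so the change takes effect.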

Mekabe Ramein | 4 May 2008 15:10

Re: various logs activated - how to disable

I had enabled it on policies and I've checked the policies file but there is no "log" or "LOG" in it.
Also in the rules file there is no "log" or "LOG"
 
Here are the files that include "log" or "LOG":
 
router:~# grep log /etc/shorewall/*
/etc/shorewall/shorewall.conf:LOGFILE=/var/log/shorewall
/etc/shorewall/start:run_iptables -I INPUT -i br0 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
/etc/shorewall/start:run_iptables -I FORWARD -i br0 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
/etc/shorewall/start:run_iptables -I FORWARD -o br0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
/etc/shorewall/start:run_iptables -I OUTPUT -o br0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug

router:~# grep LOG /etc/shorewall/*
/etc/shorewall/shorewall.conf:LOGFILE=/var/log/shorewall
/etc/shorewall/shorewall.conf:LOGFORMAT="Shorewall:%s:%s:"
/etc/shorewall/shorewall.conf:LOGTAGONLY=No
/etc/shorewall/shorewall.conf:LOGRATE=
/etc/shorewall/shorewall.conf:LOGBURST=
/etc/shorewall/shorewall.conf:LOGALLNEW=
/etc/shorewall/shorewall.conf:BLACKLIST_LOGLEVEL=
/etc/shorewall/shorewall.conf:MACLIST_LOG_LEVEL=$LOG
/etc/shorewall/shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG
/etc/shorewall/shorewall.conf:RFC1918_LOG_LEVEL=$LOG
/etc/shorewall/shorewall.conf:SMURF_LOG_LEVEL=$LOG
/etc/shorewall/shorewall.conf:LOG_MARTIANS=No
/etc/shorewall/start:run_iptables -I INPUT -i br0 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
/etc/shorewall/start:run_iptables -I FORWARD -i br0 -j LOG --log-prefix BANDWIDTH_IN: --log-level debug
/etc/shorewall/start:run_iptables -I FORWARD -o br0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug
/etc/shorewall/start:run_iptables -I OUTPUT -o br0 -j LOG --log-prefix BANDWIDTH_OUT: --log-level debug

Tom Eastep | 4 May 2008 17:04

Re: query regarding shorewall

Benedict simon wrote:
> Dear All,
> 
> I would like to know if shorewall works perfectly on Ubuntu 8.04.
> has anybody been using it and which version of shorewall

The official Ubuntu repositories include shorewall-4.0.6 which works fine. 
I've also successfully used the 4.0.10 version from the Debian Shorewall 
maintainer's repository (http://people.connexer.com/~roberto/debian/).

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

Tom Eastep | 4 May 2008 17:18

Re: various logs activated - how to disable

Mekabe Ramein wrote:
> I had enabled it on policies and I've checked the policies file but there is
> no "log" or "LOG" in it.

Of course there isn't.

Webmin provides an interface that allows you to point and click rather than 
use a text editor. It does not do your thinking and learning for you.

If you want to know how the policy file works, at a shell prompt type "man 
policy" or go to http://www.shorewall.net/manpages/shorewall-policy.html and 
read. There you will find that the LOG LEVEL column contains a syslog level. 
Don't know what a syslog level is? Then start by reading 
http://www1.shorewall.net/shorewall_logging.html. You will also learn there 
that Shorewall itself does almost no logging and that the log messages that 
you are seeing are generated by Netfilter and are routed to the various log 
destinations by syslog (or syslog-ng).

Finally, I advise against disabling logging completely. The sample 
configurations described at 
http://www.shorewall.net/shorewall_quickstart_guide.htm provide sensible 
default settings.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep <at> shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
