shorewall-users January 2012 archive

Re: [Shorewall-users] net2fw:DROP for L2TP VPN

From: Chris Morley <g18c_at_nospam>
Date: Fri Jan 20 2012 - 20:35:14 GMT
To: <shorewall-users@lists.sourceforge.net>

Thanks for the reply Tom. Although I can connect internally to the L2TP server running on the firewall, all external attempts do not work. I have checked and double checked the procedure as below:

1) vpn added to zones:

#ZONE TYPE
vpn ipsec
l2tp ipv4
net ipv4
loc ipv4
fw firewall

2) interfaces specified:

#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 - dhcp,tcpflags,nosmurfs,logmartians
loc eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
l2tp ppp+ -

3) ipsec specified in tunnels:

#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0 vpn

4) vpn zone defined in hosts:

#ZONE HOSTS OPTIONS
vpn eth0:0.0.0.0/0

5) Policy set:

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW all ACCEPT
loc $FW ACCEPT
loc net ACCEPT
# policy for inbound L2TP zone
loc l2tp ACCEPT
l2tp loc ACCEPT
l2tp net ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT
vpn $FW ACCEPT
# The FOLLOWING POLICY MUST BE LAST
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

6) rules set:

#ACTION SOURCE DEST PROTO
DNS(ACCEPT) $FW net
SSH(ACCEPT) loc $FW
Ping(ACCEPT) loc $FW
L2TP(REJECT) net $FW
REJECT $FW net udp - 1701
ACCEPT vpn $FW udp 1701
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

I must have messed up somewhere as now I see lots of log messages:

1.6.160 LEN=134 TOS=0x02 PREC=0x00 TTL=109 ID=16558 PROTO=UDP SPT=1116 DPT=6881 LEN=114 MARK=0x100
Jan 20 20:36:49 router kernel: [39805.141804] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=121.54.58.135 DST=2.51.6.160 LEN=58 TOS=0x00 PREC=0x00 TTL=103 ID=64768 PROTO=UDP SPT=27560 DPT=6881 LEN=38 MARK=0x100

This l2tp2fw chain is blocking peer-to-peer traffic and I don't understand why (would have thought it should fall through to the default deny policy). If anyone would be kind enough to advise what I can try next or what I have done wrong above, it would be much appreciated. Shorewall dump attached for reference.

Thanks for the help,

Chris

Date: Fri, 20 Jan 2012 03:12:15 +0400
From: g18c@hotmail.com
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] net2fw:DROP for L2TP VPN

Hi just to say I think I may have spotted the issue will advise tomorrow. Please disregard previous post for now.

Thanks,

Chris

Sent from Samsung Galaxy Note

-------- Original message --------

Subject: Re: [Shorewall-users] net2fw:DROP for L2TP VPN

From: Chris Morley <g18c@hotmail.com>

To: shorewall-users@lists.sourceforge.net

CC:

> From the messages you are seeing, it looks like you don't have ipsec*
> entries in /etc/shorewall/tunnels.

 

Hi Tom,

 
Thanks for the reply. I have added the tunnels to now show:
 
#TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0 vpn
 
Also by changing the zones file from:

fw firewall
vpn ipsec
l2tp ipv4
ukvpn ipv4
net ipv4
loc ipv4

To the following:

vpn ipsec
l2tp ipv4
ukvpn ipv4
fw firewall
net ipv4
loc ipv4

An internal machine can now connect OK and get assigned an IP address via L2TP, so this order does seem to affect things. So I know the VPN is working even with the firewall rules enabled for internal clients, just not for external clients.

For external clients, I am still seeing similar bounce messages:
 
Jan 19 22:04:03 router kernel: [134798.340603] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=93.97.190.5 DST=2.49.2.193 LEN=412 TOS=0x00 PREC=0x00 TTL=120 ID=11474 PROTO=UDP SPT=500 DPT=500 LEN=392 MARK=0x100
 
As a hack, I then tried adding a policy:
 
l2tp fw ACCEPT
 
Although the REJECT messages were no longer shown in the log, the VPN still timed out for the external users. So I then removed this line again. Now my policy just shows:
 
fw all ACCEPT
loc fw ACCEPT
loc net ACCEPT
# policy for inbound L2TP zone
loc l2tp ACCEPT
l2tp loc ACCEPT
l2tp net ACCEPT
loc vpn ACCEPT
vpn loc ACCEPT
vpn fw ACCEPT
net all DROP info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info

Since I have made some changes I have re-dumped the status for this config. Appreciate everyone is busy so no mad rush on a reply; gave it another 2 hours tonight, no dice, I must be doing something silly, just can't see it. Hopefully a fresh mind tomorrow will help!
 
Regards,
 
Chris
 
 

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
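An added example, not part of Chris's post or of Shorewall itself: a short Python script with two checks that are useful when reading a thread like this one. The first applies Shorewall's interface-name matching to the quoted interfaces file, so you can list every zone a given interface name such as ppp0 falls into (in Shorewall a trailing `+` on an interface name is a wildcard prefix, so `ppp+` covers ppp0 as well as the per-client pppN links). The second parses the `Shorewall:<chain>:<disposition>:` kernel log lines into their fields and counts hits per chain, input interface, protocol and destination port, which shows at a glance which zone pair and which service a run of REJECT messages belongs to. The interfaces entries and the two complete log lines are copied from the thread; the function names, the summary layout and the treatment of the `+` wildcard as a plain prefix match are my own.

```python
"""Added example (not from the thread): zone-membership and log-summary
checks for a Shorewall setup like the one posted above.

The INTERFACES text and LOG_LINES are copied from the thread; the helper
names and output format are assumptions made for this example.
"""
import re
from collections import Counter

# Interfaces file as quoted in the post (header comment dropped).
INTERFACES = """\
net ppp0 - dhcp,tcpflags,nosmurfs,logmartians
loc eth0 detect dhcp,tcpflags,nosmurfs,routefilter,logmartians
l2tp ppp+ -
"""

# The two complete Shorewall log lines quoted in the thread (the first log
# line in the post is truncated, so it is not used here).
LOG_LINES = [
    "Jan 20 20:36:49 router kernel: [39805.141804] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=121.54.58.135 DST=2.51.6.160 LEN=58 TOS=0x00 PREC=0x00 TTL=103 ID=64768 PROTO=UDP SPT=27560 DPT=6881 LEN=38 MARK=0x100",
    "Jan 19 22:04:03 router kernel: [134798.340603] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=93.97.190.5 DST=2.49.2.193 LEN=412 TOS=0x00 PREC=0x00 TTL=120 ID=11474 PROTO=UDP SPT=500 DPT=500 LEN=392 MARK=0x100",
]


def parse_interfaces(text):
    """Return [(zone, interface_pattern), ...] from interfaces-file text.

    Only the first two columns are needed; comments and blank lines are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) >= 2:
            entries.append((cols[0], cols[1]))
    return entries


def iface_matches(pattern, name):
    """Shorewall-style interface match: exact name, or prefix match when the
    pattern ends in '+' (so 'ppp+' matches ppp0, ppp1, ...)."""
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def which_zones(text, name):
    """Every zone whose interfaces entry covers `name`, in file order.
    More than one zone in the result means the interface is claimed twice."""
    return [zone for zone, pat in parse_interfaces(text) if iface_matches(pat, name)]


LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_log_line(line):
    """Return a dict with chain, disposition and each KEY=VALUE field of a
    Shorewall kernel log line, or None if the line is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, value in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        fields.setdefault(key, value)  # keep the first LEN= (IP total length)
    return fields


def summarize_log(lines):
    """Count hits per (chain, disposition, IN interface, protocol, dest port)."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        key = (f["chain"], f["disposition"], f.get("IN", ""), f.get("PROTO", ""), f.get("DPT", ""))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print("ppp0 falls into zones:", which_zones(INTERFACES, "ppp0"))
    for key, n in summarize_log(LOG_LINES).most_common():
        print(n, *key)
```

Run against the quoted files, `which_zones(INTERFACES, "ppp0")` returns both `net` and `l2tp`, and the log summary shows both REJECTs arriving on ppp0 under the `l2tp2fw` chain, one for UDP 6881 and one for UDP 500. Feeding the script a full `/var/log/kern.log` instead of the two embedded lines gives the same per-chain, per-port breakdown for a whole day of traffic.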