SuSEfirewall2 and VPN


Christian
Hi list-users,

I am trying to set up SuSEfirewall2 (SuSE 9.3) to work with IPsec, but with no
success.
The tunnel is up, but packets that should go through the tunnel do not go through.

Any help would be appreciated.

Here is some info about my config:

I'm using DSL with a fixed IP.

VARS from SuSEfirewall2:
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1" # eth0 192.168.101.0/24
FW_MASQ_NETS="192.168.101.0/24 172.16.17.0/29 0/0,!192.168.2.0/24"
FW_SERVICES_EXT_UDP="37 53 123 500 873 922 2401 4500"
FW_SERVICES_EXT_IP="esp"
FW_FORWARD="\
172.16.17.0/29,192.168.101.0/24,ICMP \
192.168.101.0/24,172.16.17.0/29,ICMP \
172.16.17.0/29,192.168.101.220,tcp,19226 \
192.168.101.220,172.16.17.0/29,tcp,19226 \
192.168.101.0/24,192.168.2.0/24,,,ipsec \
192.168.2.0/24,192.168.101.0/24,,,ipsec \
192.168.101.0/24,192.168.68.0/24,,,ipsec \
192.168.68.0/24,192.168.101.0/24,,,ipsec"
FW_IPSEC_TRUST="no"

##################

hades:/etc/sysconfig # iptables -L -n -t nat
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  192.168.101.0/24     0.0.0.0/0
MASQUERADE  all  --  172.16.17.0/29       0.0.0.0/0
MASQUERADE  all  --  0.0.0.0/0           !192.168.2.0/24

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

##################
hades:/etc/sysconfig # setkey -D
xxx.xxx.xxx.188 xxx.xxx.xxx.138
        esp mode=tunnel spi=3117414419(0xb9cff813) reqid=16385(0x00004001)
        E: 3des-cbc  334fec87 9c497e97 2ee43f9b d70dfe2a 65ae72e0 cb08c64b
        A: hmac-md5  177d6696 9e1143ec 102ec467 f2e8d9bf
        seq=0x00000000 replay=32 flags=0x00000000 state=mature
        created: Sep  4 18:29:37 2006   current: Sep  4 21:36:02 2006
        diff: 11185(s)  hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=28506 refcnt=0
xxx.xxx.xxx.138 xxx.xxx.xxx.188
        esp mode=tunnel spi=2811047203(0xa78d2d23) reqid=16385(0x00004001)
        E: 3des-cbc  47767294 28a98de2 34a641be e1606fcc 16837566


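As an added check that is not part of the original post: the first thing to rule out with a "tunnel is up but nothing goes through it" symptom is whether the flows listed with the `ipsec` flag in FW_FORWARD are also covered by a MASQUERADE rule from FW_MASQ_NETS, since nat/POSTROUTING is first-match and a masqueraded source no longer matches the tunnel's SPD selector. The script below is my own; it parses the two variables in the syntax the post shows (`src[,!dst]` for FW_MASQ_NETS, which the posted nat dump confirms, and `src,dst,proto,port,flags` for FW_FORWARD) and reports, per tunnel flow, the index of the first masquerade rule that fully covers it. It does not model the outgoing-interface restriction SuSEfirewall2 may add to those rules (the `iptables -L -n` output above was taken without `-v`, so the interface is not visible), and whether a matching MASQUERADE rule actually breaks the tunnel depends on where the IPsec stack sits relative to POSTROUTING; the check only tells you which tunnel traffic is exposed to it. The config values are copied from the post; the "fixed" variant at the bottom is a constructed example showing that two negated entries do not express "except A and B".

```python
import ipaddress

# Values copied from the configuration posted above.
FW_MASQ_NETS = "192.168.101.0/24 172.16.17.0/29 0/0,!192.168.2.0/24"
FW_FORWARD = """\
172.16.17.0/29,192.168.101.0/24,ICMP
192.168.101.0/24,172.16.17.0/29,ICMP
172.16.17.0/29,192.168.101.220,tcp,19226
192.168.101.220,172.16.17.0/29,tcp,19226
192.168.101.0/24,192.168.2.0/24,,,ipsec
192.168.2.0/24,192.168.101.0/24,,,ipsec
192.168.101.0/24,192.168.68.0/24,,,ipsec
192.168.68.0/24,192.168.101.0/24,,,ipsec"""

# Constructed variant (not from the post): a naive attempt to exempt both
# tunnel networks with two negated entries.
FW_MASQ_NETS_TWO_NEGATIONS = (
    "192.168.101.0/24,!192.168.2.0/24 192.168.101.0/24,!192.168.68.0/24"
)


def net(text):
    """SuSEfirewall2 accepts '0/0' and bare hosts; normalise to ip_network."""
    if text in ("", "0/0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def parse_masq(spec):
    """FW_MASQ_NETS item 'src[,dst]' -> (src_net, dst_net, dst_negated).
    The posted nat dump shows '0/0,!192.168.2.0/24' rendered as
    'MASQUERADE 0.0.0.0/0 !192.168.2.0/24', which is the mapping used here.
    Assumption: the optional protocol/port fields are unused, as in the post."""
    rules = []
    for item in spec.split():
        parts = item.split(",")
        dst_raw = parts[1] if len(parts) > 1 else "0/0"
        negated = dst_raw.startswith("!")
        rules.append((net(parts[0]), net(dst_raw.lstrip("!")), negated))
    return rules


def parse_forward(spec):
    """FW_FORWARD entry 'src,dst[,proto[,port[,flags]]]' -> dict."""
    entries = []
    for item in spec.split():
        f = (item.split(",") + [""] * 5)[:5]
        entries.append({"src": net(f[0]), "dst": net(f[1]),
                        "proto": f[2], "port": f[3], "flags": f[4]})
    return entries


def first_masq_rule(rules, src, dst):
    """nat/POSTROUTING is first-match: index of the first MASQUERADE rule that
    covers every packet from src to dst, or None if no rule covers the flow."""
    for i, (rule_src, rule_dst, negated) in enumerate(rules):
        src_ok = src.subnet_of(rule_src)
        dst_ok = (not dst.overlaps(rule_dst)) if negated else dst.subnet_of(rule_dst)
        if src_ok and dst_ok:
            return i
    return None


def tunnel_flows_exposed_to_masq(masq_spec, forward_spec):
    """Map (src, dst) of every FW_FORWARD entry flagged 'ipsec' to the index of
    the masquerade rule that catches it; flows no rule catches are omitted."""
    rules = parse_masq(masq_spec)
    exposed = {}
    for entry in parse_forward(forward_spec):
        if entry["flags"] != "ipsec":
            continue
        hit = first_masq_rule(rules, entry["src"], entry["dst"])
        if hit is not None:
            exposed[(str(entry["src"]), str(entry["dst"]))] = hit
    return exposed


if __name__ == "__main__":
    for label, spec in (("posted", FW_MASQ_NETS),
                        ("two negations", FW_MASQ_NETS_TWO_NEGATIONS)):
        print(f"FW_MASQ_NETS ({label}):")
        for (src, dst), idx in tunnel_flows_exposed_to_masq(spec, FW_FORWARD).items():
            print(f"  tunnel flow {src} -> {dst} hits MASQUERADE rule #{idx}")
```

With the posted values every one of the four `ipsec` flows is caught: LAN sources hit rule 0 (`192.168.101.0/24 -> 0/0`) before the `!192.168.2.0/24` exemption is ever consulted, and the remote-side sources hit rule 2 (`0/0,!192.168.2.0/24`), which exempts only one of the two remote networks. The constructed two-negation variant shows why adding a second negated entry does not help: whichever negation comes first still masquerades traffic for the other network. Exempting several tunnel networks needs an accept/skip rule ahead of the masquerade rules rather than more negated entries.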