Re: [suse-security] ipsec freeswan - connection established successfully, but packets are dropped ...
From: Elite Mentor (m3n70r@yahoo.com.br)
Date: Fri Oct 17 2003 - 08:34:51 CDT
Hi Markus, Andreas, et al...
I'm gonna do a major re-check on routing... for the n-th time.
My /proc/sys/net/ipv4 files are ok ... ip_forward=1 and
rp_filter=0.
In some doc I read that this communication has to work before I start ipsec... but that could only happen if I mask the packets. Should I try this before bringing up the ipsec?
About freeswan lists... I read a lot of emails at the archive but many of them with similar problems are unanswered... I just didn't feel like posting one more there.
Thank you people!
EdK
Markus Feilner <lists@feilner-it.net> wrote:
On Friday, 17 October 2003 08:28, Andreas Baetz wrote:
> Ed,
>
> You could check the following:
> Is the routing between the subnets correct ?
> Do the packets arrive at the eth-Interface of your source GW ?
> Is forwarding switched on at the GW ?
>
> Andreas
(...)
>
A) I'm not quite sure if routing is correct, but ipsec works one-way (if
it's initiated from one side), so I think routing should be ok.
Forwarding is switched on.
Here's an extract from tcpdump -i ipsec0 (on the right-hand server):
----------------
14:09:34.824650 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:34.852147 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:34.852393 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:35.824675 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:35.846827 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:35.847018 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:36.824670 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:36.847427 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:36.847605 192.168.0.4 > 192.168.89.12: icmp: echo reply
14:09:37.824697 217.229.160.84 > 192.168.89.12: icmp: echo request (DF)
14:09:37.851494 192.168.89.12 > 192.168.0.4: icmp: echo request
14:09:37.851698 192.168.0.4 > 192.168.89.12: icmp: echo reply
-------------------
As you can see, I managed to have left-side hosts ping to the right side
and get answers (ssh works, too). But the other way round, packets are
dropped. 217.229.160.84 is my current IP on the right side - is this
right? Shouldn't the local IP of the pinging host stand here?
route says:
-----------------right server--------------
Server:/ # route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
a.b.c.d * 255.255.255.255 UH 0 0 0 ppp0
a.b.c.d * 255.255.255.255 UH 0 0 0 ipsec0
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
192.168.89.0 * 255.255.255.0 U 0 0 0 ipsec0
default a.b.c.d 0.0.0.0 UG 0 0 0 ppp0
Server:/ #
(a.b.c.d is the p-t-p partner of my dsl conn)
------------------------------------------------
----------------left server--------------------
Server1:/ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
e.f.g.h 0.0.0.0 255.255.255.240 U 0 0 0 eth1
e.f.g.h 0.0.0.0 255.255.255.240 U 0 0 0 ipsec0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ipsec0
192.168.89.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 e.f.g.i 0.0.0.0 UG 0 0 0 eth1
Server1:/ #
with e.f.g.h the local (fixed) IP of the subnet and e.f.g.i the IP of
Server1.
----------------------------------------------------
And eroute says:
-------------right-side------------------
Server:/ # ipsec eroute
4 192.168.0.0/24:0 -> 192.168.89.0/24:0 => tun0x1002@e.f.g.i:0
Server:/ #
-------------left-side--------------------
Server1:/ # ipsec eroute
4 192.168.89.0/24:0 -> 192.168.0.0/24:0 => tun0x1004@217.229.160.84:0
Server1:/ #
-------------------------------------------
However, pings from a host in subnet 192.168.0.0 (=right) to the left
are dropped on interface ipsec0. But not if the connection has been
established from left-hand-side.
----------------------------dropped packets---------------
Server:/ # ifconfig ipsec0
ipsec0 Link encap:IPIP Tunnel HWaddr
inet addr:217.229.160.84 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:612 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:240 (240.0 b) TX bytes:448 (448.0 b)
Server:/ #
--------------------------------------------------------------
As you can see, four packets came from the left side and were answered, but
the 612 pings from right to left were dropped.
Strange.
I'll take a deep look into my Firewall rules, but there should be no
such rule preventing that.
Are there any kernel runtime parameters concerning this?
I have all rp_filter = 0, ip_forward=1 - and what do I need more?
Any help is welcome!
--
Kind regards
Markus Feilner
--
Linux solutions, training, seminars and workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
fon: +49 941 70 65 23 - mobil: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@feilner-it.net
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
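As an added example (not code from this thread, from SUSE or from the FreeS/WAN project), the script below runs Andreas's checklist and Markus's own diagnostics offline over the kind of command output pasted in the mail: it parses `route -n`, `ipsec eroute` and `ifconfig ipsec0` text, checks ip_forward and rp_filter, verifies that the route to the remote subnet leaves via ipsec0, verifies that an eroute exists for the local-to-remote subnet pair, and flags a non-zero TX dropped counter. The embedded sample outputs are constructed from the right-hand gateway's figures in the mail; 203.0.113.1 and 203.0.113.9 (RFC 5737 documentation addresses) stand in for the a.b.c.d and e.f.g.i placeholders, and the `tun0xNNNN@gateway` target form is the one FreeS/WAN's `ipsec eroute` prints. Everything else (function names, the findings wording) is this example's own.

```python
import ipaddress
import re

# --- constructed sample output, modelled on the right-hand gateway in the mail ---
ROUTE_RIGHT = """Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ipsec0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.89.0    0.0.0.0         255.255.255.0   U     0      0        0 ipsec0
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 ppp0
"""
EROUTE_RIGHT = "4          192.168.0.0/24:0   -> 192.168.89.0/24:0   => tun0x1002@203.0.113.9:0\n"
IFCONFIG_RIGHT = """ipsec0    Link encap:IPIP Tunnel  HWaddr
          inet addr:217.229.160.84  Mask:255.255.255.255
          UP RUNNING NOARP  MTU:16260  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:612 overruns:0 carrier:0
          collisions:0 txqueuelen:10
"""
SYSCTLS_OK = {"ip_forward": "1", "conf/all/rp_filter": "0", "conf/ipsec0/rp_filter": "0"}


def read_sysctls(base="/proc/sys/net/ipv4"):
    """Live helper: read the sysctls the thread asks about; returns {} off a Linux box."""
    values = {}
    for rel in ("ip_forward", "conf/all/rp_filter", "conf/ipsec0/rp_filter"):
        try:
            with open(f"{base}/{rel}") as fh:
                values[rel] = fh.read().strip()
        except OSError:
            pass
    return values


def parse_route(text):
    """Parse `route -n` output into (network, iface) pairs; the gateway column is ignored."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] in ("Kernel", "Destination"):
            continue
        dest, _gw, mask, _flags, _metric, _ref, _use, iface = parts[:8]
        if dest == "default":  # plain `route` prints the default row this way
            dest = "0.0.0.0"
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), iface))
    return routes


def route_iface_for(text, host):
    """Longest-prefix match: which interface would carry a packet to host?"""
    addr = ipaddress.ip_address(host)
    best = None
    for net, iface in parse_route(text):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


EROUTE_RE = re.compile(r"^\s*\d+\s+(\S+)\s+->\s+(\S+)\s+=>\s+(\S+)")


def strip_port(spec):
    """'192.168.0.0/24:0' -> '192.168.0.0/24'; 'tun0x1002@gw:0' -> 'tun0x1002@gw'."""
    return spec.rsplit(":", 1)[0] if ":" in spec else spec


def parse_eroutes(text):
    """Return (src_net, dst_net, target) triples from `ipsec eroute` output."""
    return [tuple(strip_port(g) for g in m.groups())
            for m in (EROUTE_RE.match(l) for l in text.splitlines()) if m]


TX_RE = re.compile(r"TX packets:(\d+) errors:(\d+) dropped:(\d+)")


def tx_counters(text):
    """Pull the TX packet/error/dropped counters out of `ifconfig <if>` output."""
    m = TX_RE.search(text)
    if not m:
        return None
    packets, errors, dropped = map(int, m.groups())
    return {"packets": packets, "errors": errors, "dropped": dropped}


def diagnose(local_net, remote_net, sysctls, route_text, eroute_text, ifconfig_text):
    """Run the thread's checklist; returns a list of findings (empty means all clear)."""
    findings = []
    if sysctls.get("ip_forward") != "1":
        findings.append("ip_forward is not 1: the gateway will not forward between subnets")
    for key, value in sysctls.items():
        if key.endswith("rp_filter") and value != "0":
            findings.append(f"{key}={value}: reverse-path filtering may discard tunnel traffic")
    remote_host = str(next(ipaddress.ip_network(remote_net).hosts()))
    iface = route_iface_for(route_text, remote_host)
    if iface != "ipsec0":
        findings.append(f"route to {remote_net} leaves via {iface}, not ipsec0")
    if (local_net, remote_net) not in {(s, d) for s, d, _ in parse_eroutes(eroute_text)}:
        findings.append(f"no eroute for {local_net} -> {remote_net}")
    tx = tx_counters(ifconfig_text)
    if tx and tx["dropped"] > 0:
        findings.append(f"ipsec0 TX dropped={tx['dropped']} (sent={tx['packets']}): "
                        "outbound tunnel traffic is being discarded on this gateway")
    return findings


if __name__ == "__main__":
    # Offline run over the constructed sample; on a live gateway feed it the real
    # command output and read_sysctls() instead of SYSCTLS_OK.
    for finding in diagnose("192.168.0.0/24", "192.168.89.0/24", SYSCTLS_OK,
                            ROUTE_RIGHT, EROUTE_RIGHT, IFCONFIG_RIGHT) or ["all checks passed"]:
        print(finding)
```

On the sample, routing, forwarding, rp_filter and the eroute all pass and the only finding is the 612 dropped transmits on ipsec0, which matches what the mail shows: the problem is not in the routing table but in what happens to packets once they are handed to the tunnel interface.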