[suse-security] VPN and SuSEfirewall2
From: Jonathan Baxter (jbaxterpanscient.com)
Date: Thu Apr 27 2006 - 01:06:13 CDT
Please excuse me if this is not the correct forum for VPN and firewall issues.
I am trying to setup an ipsec VPN between two private subnets, and I have run
into a snag that I cannot resolve. The VPN establishes itself fine, and I can
connect from any machine on the right subnet to any machine on the left
subnet, but not vice versa.
Here's the setup:
"a.a.a.a" is the external interface of a SuSE 10.0 box which masquerades
machines on the internal 192.168.1.0/24 subnet. "b.b.b.b" is its nexthop.
"d.d.d.d" is the external interface of my home linksys AG241 DSL router.
"c.c.c.c" is its nexthop router (at the ISP).
I have an ipsec, pre-shared key tunnel from a.a.a.a to d.d.d.d. The SuSE box
is running it with OpenSwan, the linksys router is just set up via the normal
linksys configuration (which may well be OpenSwan under the hood).
Everything works fine from right-to-left, i.e. all machines on the
192.168.200.0 subnet behind the linksys router can see all machines on the
192.168.1.0 subnet behind the SuSE box.
But nothing works from left-to-right; neither the SuSE router box itself, nor
any machine on the 192.168.1.0 subnet behind it, can see any machines on
the 192.168.200.0 subnet at the other end of the tunnel.
This seems to me like it must be a routing problem, but I can't for the life
of me work out how to fix it.
I am running SuSEfirewall2 on the SuSE router. I have explicitly enabled
forwarding between the two subnets by setting FW_FORWARD
I have explicitly disabled NAT of packets between the two subnets by adding
the following line to the fw_custom_before_port_handling() section:
iptables -t nat -A POSTROUTING -o eth2 -s 192.168.1.0/24 -d \! 192.168.200.0/24 -j MASQUERADE
the tunnel config in /etc/ipsec.conf looks like:
# Key exchange method
# Left security gateway, subnet behind it, nexthop toward right.
# Right security gateway, subnet behind it, nexthop toward left.
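Added example, not from the post or from SuSEfirewall2: a small first-match model of the nat POSTROUTING chain, using the post's subnets and the `! -d` negation form. It assumes that SuSEfirewall2's own FW_MASQ_NETS catch-all MASQUERADE rule is appended after the custom rule, in which case the posted rule still lets VPN-bound packets fall through to the catch-all, while an explicit ACCEPT exemption ahead of it does not.

```python
import ipaddress

def parse_rule(spec):
    """Parse a subset of iptables syntax: -o, -s, -d, -j, optional '!' before -s/-d."""
    toks = spec.split()
    rule = {"o": None, "s": None, "d": None, "s_neg": False, "d_neg": False, "j": None}
    negate, i = False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        val = toks[i + 1]
        if tok == "-o":
            rule["o"] = val
        elif tok in ("-s", "-d"):
            rule[tok[1]] = ipaddress.ip_network(val, strict=False)
            rule[tok[1] + "_neg"] = negate
        elif tok == "-j":
            rule["j"] = val
        negate, i = False, i + 2
    return rule

def matches(rule, pkt):
    """True when every criterion the rule carries matches the packet."""
    if rule["o"] and rule["o"] != pkt["o"]:
        return False
    for key in ("s", "d"):
        net = rule[key]
        if net is not None and (ipaddress.ip_address(pkt[key]) in net) == rule[key + "_neg"]:
            return False
    return True

def postrouting_verdict(chain, pkt):
    """First-match walk; all targets used here terminate. No match: source left unchanged."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["j"]
    return "UNCHANGED"

# Constructed packets: one bound for the far VPN subnet, one for the Internet.
VPN_PKT = {"o": "eth2", "s": "192.168.1.10", "d": "192.168.200.20"}
INET_PKT = {"o": "eth2", "s": "192.168.1.10", "d": "198.51.100.7"}
CATCH_ALL = "-o eth2 -s 192.168.1.0/24 -j MASQUERADE"  # assumed FW_MASQ_NETS rule
# The post's rule (modern negation syntax), then the catch-all appended later.
POSTED_CHAIN = [parse_rule(r) for r in
                ("-o eth2 -s 192.168.1.0/24 ! -d 192.168.200.0/24 -j MASQUERADE", CATCH_ALL)]
# An explicit exemption for VPN traffic placed ahead of the catch-all.
FIXED_CHAIN = [parse_rule(r) for r in
               ("-o eth2 -s 192.168.1.0/24 -d 192.168.200.0/24 -j ACCEPT", CATCH_ALL)]
```

Conntrack decides a NAT mapping on the first packet of a connection, so replies to connections opened from the 192.168.200.0 side are never masqueraded; that is consistent with only the left-to-right direction failing.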