[Openswan Users] Re: Netfilter/conntrack

Jason Sigurdur jason.sigurdur at ASPENVIEW.ORG
Fri Jan 21 13:07:55 CET 2005


 
My external interface is eth0, how are 'new' IP ESP connections going
through the ESTABLISHED,RELATED rule?


iptables -A IN_ETHX -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A IN_ETHX   -i ! eth0 -m state --state NEW -j ACCEPT
iptables -A IN_ETHX -p udp -i eth0 --dport 500 -j ACCEPT

iptables -A IN_ETHX -p 51 -i eth0 -j ACCEPT
iptables -A IN_ETHX -p 50 -i eth0 -j ACCEPT
iptables -A IN_ETHX -m limit --limit 1/s -j LOG \
 --log-level info --log-prefix "DROPPED_IN_ETHX: "
iptables -A IN_ETHX -j DROP

Thx jason

-----Original Message-----
From: users-request at openswan.org [mailto:users-request at openswan.org] 
Sent: Friday, January 21, 2005 4:00 AM
To: users at openswan.org
Subject: Users Digest, Vol 14, Issue 31


Today's Topics:

   1. Re: 2.3.0 has known issues (Ken Bantoft)
   2. Re: 2.3.0 has known issues (Ken Bantoft)
   3. Netfilter/conntrack (Jason Sigurdur)
   4. Re: Netfilter/conntrack (David Coulson)
   5. Re: Netfilter/conntrack (Tomasz Grzelak)
   6. Problem with vpn network (Nicole.Haehnel)


----------------------------------------------------------------------

Message: 1
Date: Thu, 20 Jan 2005 15:52:48 -0500
From: Ken Bantoft <ken at xelerance.com>
Subject: Re: [Openswan Users] 2.3.0 has known issues
To: "Gary W. Smith" <gary at primeexalia.com>
Cc: users at openswan.org
Message-ID: <41F01A20.1060105 at xelerance.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed


Known issues:

1) There *seems* to be a rekey bug, where rekeying doesn't work.
However, we can't duplicate this consistently, or even twice in a row
2) Rene (Debian Maintainer) reports some core dumps, but no 
backtrace/logs/config etc... and we haven't been able to get any more 
information.
3) There is a security hole if you enable both XAUTH + PAM (which is not 
on unless you manually edit Makefile.inc and recompile) in pluto.  That 
one is fixed in CVS (PRE2_3 branch, and HEAD)

So no, your problem is not known...


Gary W. Smith wrote:

> Paul,
>  
> known issues seems to be a real vague listing...  :) 
>  
> I'm trying to troubleshoot a problem with one end of the tunnel 
> freezing when large packets are being transmitted.  Unfortunately the 
> remote terminal is in a telco closet with no monitor so I can't have 
> my guy see if the entire machine is hung or if the network is the only 
> thing being affected. 
>  
> It happens on "ping -l 30000".  Tunnel keeps dying under 
> load.  You can ping until your heart's content with normal ping and 
> about 2 seconds after running the 30k the other end of the tunnel 
> hangs.  We had been fighting a problem earlier where two servers had 
> lost communication from each other. 
>  
> Is this one of those issues?
>  
> Gary Smith
>
> ------------------------------------------------------------------------
> *From:* users-bounces at openswan.org on behalf of Paul Wouters
> *Sent:* Tue 1/18/2005 7:03 AM
> *To:* users at openswan.org
> *Subject:* [Openswan Users] 2.3.0 has known issues
>
>
> Hi guys,
>
> This is just to let you know that we have found various serious problems
> with 2.3.0 that cause many problems for tunnels and rekeying.
>
> Please use 2.2.x until we release 2.3.1.
>
> Sorry for the troubles,
>
> Paul


------------------------------

Message: 2
Date: Thu, 20 Jan 2005 15:55:16 -0500
From: Ken Bantoft <ken at xelerance.com>
Subject: Re: [Openswan Users] 2.3.0 has known issues
To: Nate Carlson <natecars at natecarlson.com>
Cc: users at openswan.org
Message-ID: <41F01AB4.5020305 at xelerance.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed


Not the rekey bug, or Rene's coredumping problem.  mcr, paul, patrick 
and myself are all running 2.3.0 on every production box we've got, and 
all the test servers too.  Still haven't hit either bug... which isn't 
comforting.  Either they are environmental (network oddities, or 
compiler/lib versions) or they are config related, and without more 
information we haven't been able to duplicate them.

Nate Carlson wrote:

> On Tue, 18 Jan 2005, Paul Wouters wrote:
>
>> This is just to let you know that we have found various serious 
>> problems with 2.3.0 that cause many problems for tunnels and rekeying.
>>
>> Please use 2.2.x until we release 2.3.1.
>
>
> Are the problems already patched in CVS, or not?



------------------------------

Message: 3
Date: Thu, 20 Jan 2005 16:05:51 -0700
From: Jason Sigurdur <jason.sigurdur at ASPENVIEW.ORG>
Subject: [Openswan Users] Netfilter/conntrack
To: "'users at openswan.org'" <users at openswan.org>
Message-ID: <08D2636915B90D4FADE116B548E5A516D6C474 at s142-179-184-97.ab.hsia.telus.net>
Content-Type: text/plain

Hi, I have just noticed that with using the following rules on my external
interface, the IPsec "ESP" packets go through the 'ESTABLISHED,RELATED' rule.
If I comment out the lines with the -p 50 and -p 51 and restart ipsec, it
still uses the 'ESTABLISHED,RELATED' rule?

What is happening here?

Thx jason

iptables -A IN_ETHX -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A IN_ETHX  ! -i eth0 -m state --state NEW -j ACCEPT
iptables -A IN_ETHX -p udp -i eth0 --dport 500 -j ACCEPT

iptables -A IN_ETHX -p 51 -i eth0 -j ACCEPT
iptables -A IN_ETHX -p 50 -i eth0 -j ACCEPT
iptables -A IN_ETHX -m limit --limit 1/s -j LOG \
 --log-level info --log-prefix "DROPPED_IN_ETHX: "
iptables -A IN_ETHX -j DROP

------------------------------

Message: 4
Date: Thu, 20 Jan 2005 18:12:44 -0500
From: David Coulson <david at davidcoulson.net>
Subject: Re: [Openswan Users] Netfilter/conntrack
To: Jason Sigurdur <jason.sigurdur at ASPENVIEW.ORG>
Cc: "'users at openswan.org'" <users at openswan.org>
Message-ID: <41F03AEC.5070207 at davidcoulson.net>
Content-Type: text/plain; charset=us-ascii; format=flowed



Jason Sigurdur wrote:

> Hi, I have just noticed that with using the following rules on my external
> interface, the IPsec "ESP" packets go through the 'ESTABLISHED,RELATED' rule.
> If I comment out the lines with the -p 50 and -p 51 and restart ipsec, it
> still uses the 'ESTABLISHED,RELATED' rule?
> 
> What is happening here?

Check /proc/net/ip_conntrack. Restarting IPSec won't drop the tracked 
ESP/AH/IKEKMP connections from the kernel.

David
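The check David suggests, written out as an added example that is not from the thread: it filters conntrack entries by IP protocol number (50 = ESP, 51 = AH) and reports how long each one has left before it ages out. The sample table below is constructed; run the function against /proc/net/ip_conntrack on a real box.

```shell
#!/bin/sh
# Constructed sample of /proc/net/ip_conntrack (not captured from the
# poster's system). The kernel's generic protocol tracker prints ESP/AH
# entries as "unknown <proto> <timeout> ...", so field 2 is the protocol
# number and field 3 the remaining lifetime in seconds.
CONNTRACK_SAMPLE=$(cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=40222 dport=22 src=198.51.100.5 dst=192.0.2.10 sport=22 dport=40222 [ASSURED] use=1
udp      17 178 src=192.0.2.10 dst=198.51.100.5 sport=500 dport=500 src=198.51.100.5 dst=192.0.2.10 sport=500 dport=500 [ASSURED] use=1
unknown  50 599 src=192.0.2.10 dst=198.51.100.5 src=198.51.100.5 dst=192.0.2.10 use=1
unknown  51 421 src=192.0.2.10 dst=198.51.100.5 src=198.51.100.5 dst=192.0.2.10 use=1
EOF
)

# Read a conntrack table on stdin and print only the IPsec (ESP/AH) entries.
# While any of these exist, an inbound ESP/AH packet for that src/dst pair
# is classified ESTABLISHED and hits the first ACCEPT rule, regardless of
# the later -p 50 / -p 51 rules and regardless of "ipsec restart".
ipsec_conntrack_entries() {
    awk '$2 == 50 || $2 == 51 { print }'
}

# Same input, but one line per entry: protocol name, seconds left, peers.
ipsec_conntrack_summary() {
    ipsec_conntrack_entries | awk '{
        name = ($2 == 50) ? "ESP" : "AH";
        printf "%s ttl=%ss %s -> %s\n", name, $3, $4, $5
    }'
}

# Number of tracked IPsec flows; zero means the ESTABLISHED rule no longer
# applies and the explicit -p 50 / -p 51 rules are what let traffic in.
ipsec_conntrack_count() {
    ipsec_conntrack_entries | wc -l | tr -d ' '
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$CONNTRACK_SAMPLE" | ipsec_conntrack_summary
# On a live 2.4/2.6 system:  ipsec_conntrack_summary < /proc/net/ip_conntrack
```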

------------------------------

Message: 5
Date: Fri, 21 Jan 2005 07:46:05 +0100
From: Tomasz Grzelak <tgrzelak at wktpolska.com.pl>
Subject: Re: [Openswan Users] Netfilter/conntrack
To: users at openswan.org
Message-ID: <200501210746.05954.tgrzelak at wktpolska.com.pl>
Content-Type: text/plain;  charset="iso-8859-2"

On Fri, 21 January 2005 00:05, Jason Sigurdur wrote:
> Hi, I have just noticed that with using the following rules on my external
> interface, the IPsec "ESP" packets go through the 'ESTABLISHED,RELATED' rule.
> If I comment out the lines with the -p 50 and -p 51 and restart ipsec, it
> still uses the 'ESTABLISHED,RELATED' rule?
>
> What is happening here?
>
> Thx jason
>
> iptables -A IN_ETHX -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A IN_ETHX  ! -i eth0 -m state --state NEW -j ACCEPT

I'm not sure if I understand you well, but the two lines above accept all
the established and related connections, and all incoming connections except
for the eth0 interface. This also includes the AH and ESP, because you did
NOT specify protocols in these two lines. So no matter the rest of the rules,
incoming IPSec will work (and other protocols), but only if it does not use
the eth0 interface, because it will match the second rule. The rest of the
connections will match the first rule.
By the way, you have '! -i eth0' - shouldn't it be '-i ! eth0' ?

Tom

------------------------------

Message: 6
Date: Fri, 21 Jan 2005 10:02:31 +0100
From: "Nicole.Haehnel" <nicole.haehnel at gmx.net>
Subject: [Openswan Users] Problem with vpn network
To: users at openswan.org
Message-ID: <41F0C527.8030200 at gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi,

I have a problem with our vpn network.

We have 4 vpnservers with static ips (VPN1 VPN4) and about 6 vpnservers
(PC1 -PC6) with dynamic ips connected over dsl.
The number of our servers grows...
On all locations we have novell edirectory running,
that means every server has to contact all other servers on all other 
locations.

The problem are the dynamic ips, which I don't know to connect them.
For this reason I made the tunnels f.e. from PC1 over VPN1 to PC2 - PC6.
So we have on VPN1 about 64 tunnels, on VPN2 - VPN4 10 tunnels and on 
PC1 - PC6 also 10 tunnels.

Now I have the problem that connections were completely lost or
"ipsec look" says the tunnel is still there but I can't send any 
package, no ping or something else is going through the tunnel.
And it's most on VPN1.
Maybe too many tunnels on VPN1?

We have also one server behind a dsl router with vpn passthrough 
function. There are two tunnels to VPN1 with different networks.
Tunnels working, but after a few hours I can't ping, although the 
tunnels are up.
Is it because of the dsl router?

How can I build our vpn network better or with fewer tunnels?
Maybe only one tunnel from PC1 - PC6 to VPN1 - VPN4 and then with 
routing entries to the other locations.
Do I need ipsec eroute to do that?

Do you need more information about the networks or the ipsec.conf?

Thanks!

Nicole

------------------------------

_______________________________________________
Users mailing list
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users


End of Users Digest, Vol 14, Issue 31
*************************************