[Openswan Users] Solved: Openswan with NETKEY and SuSEFirewall2

J. W. Andersen jwa at fasytek.dk
Wed Dec 3 12:37:32 EST 2008


From a lot of postings, I found myself not the only one struggling with
this configuration, so as I finally got it up and running, I thought I
would make my modest contribution to help others in the same situation.
What started the headache was of course the well-known problem of the
missing ipsecx interfaces in the NETKEY stack, and ipsecx was exactly the
trick that SuSEfirewall2 and the old KLIPS used to hook on to.

I finally found a suggestion from Peter McGill - and thanks a bunch for
that. I removed a few statements that were already present in my setup,
made some minor adjustments for my personal configuration, and there
it was.

Present configuration here is SuSE 11 with kernel 2.6.27.7 and OpenSwan
2.6.19 (NETKEY). It was tested against my old SuSE 10 server, using
kernel 2.6.20 and OpenSwan 2.4.7 (KLIPS), which has been running very
stable for a couple of years. The only interaction problem between the two
systems was about compression, which I finally turned off when I lost my
patience about the issue. Instead of starting a separate bash job, I
modified the script /etc/sysconfig/scripts/SuSEfirewall2-custom, whose
fw_custom_before_denyall() section now looks as follows:

----------------------------------------------------------------------------------------------
fw_custom_before_denyall() {

# Mark IPSec, and allow decrypted IPSec.
#
iptables -t mangle -A PREROUTING -p 17 --dport 500 -j MARK --set-mark 1   # udp/isakmp
iptables -t mangle -A PREROUTING -p 50 -j MARK --set-mark 1               # esp
iptables -t mangle -A PREROUTING -p 17 --dport 4500 -j MARK --set-mark 1  # udp/nat-t, only needed with nat-t
iptables -t filter -A INPUT -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -m mark --mark 1 -j ACCEPT

# Accept outbound.
#
iptables -t filter -A OUTPUT -j ACCEPT
iptables -t filter -A FORWARD -s 192.168.224.0/24 -j ACCEPT

# Exempt IPSec from your NAT rules, if any...
#
# Note the -I because this needs to be before any SNAT or MASQUERADE rules.
#
iptables -t nat -I POSTROUTING -d 192.168.32.0/24 -j ACCEPT
#
    true
}
----------------------------------------------------------------------------------------------

My local network is 192.168.224.0/24, and the remote net is
192.168.32.0/24. For more remote networks, simply add more POSTROUTINGs
(the last statement), or adjust the maskbit value (/24) for adjacent
netgroups. The only thing more to do is to enable the mentioned script in
/etc/sysconfig/SuSEfirewall2 (the FW_CUSTOMRULES statement).

Have fun - regards, Joern.
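As an added example, not part of Joern's post or of SuSEfirewall2 itself: a small POSIX shell script that generalises the function above to any number of remote networks (the post shows one) and checks an iptables-save style dump for the essential IPsec pass-through rules. The function names, the IPT variable (defaulting to echo so the rules can be reviewed without root) and the sample dump are my own constructions; set IPT=iptables to apply the rules on a real host.

```shell
#!/bin/sh
# Added example, not code from the original post.
# IPT defaults to "echo" so the script prints the rules it would apply;
# set IPT=iptables (as root) to apply them for real.
IPT="${IPT:-echo}"

# ipsec_fw_rules LOCALNET REMOTENET [REMOTENET...]
# Emits (or applies) the rules of fw_custom_before_denyall() for the given
# networks. Protocol names (udp, esp) are used instead of the numbers
# 17 and 50 from the post; the rules are otherwise the same.
ipsec_fw_rules() {
    local_net=$1; shift
    [ $# -ge 1 ] || { echo "usage: ipsec_fw_rules LOCALNET REMOTENET..." >&2; return 1; }
    # Mark IKE (udp/500), ESP (proto 50) and NAT-T (udp/4500) packets,
    # then accept marked packets in INPUT and FORWARD.
    $IPT -t mangle -A PREROUTING -p udp --dport 500  -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -p esp              -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -p udp --dport 4500 -j MARK --set-mark 1
    $IPT -t filter -A INPUT   -m mark --mark 1 -j ACCEPT
    $IPT -t filter -A FORWARD -m mark --mark 1 -j ACCEPT
    # Accept outbound, and forwarding from the local net.
    $IPT -t filter -A OUTPUT -j ACCEPT
    $IPT -t filter -A FORWARD -s "$local_net" -j ACCEPT
    # One NAT exemption per remote net, inserted (-I) so it lands before
    # any SNAT/MASQUERADE rule, exactly as in the post.
    for remote in "$@"; do
        $IPT -t nat -I POSTROUTING -d "$remote" -j ACCEPT
    done
}

# ipsec_fw_check DUMPFILE
# Reads an iptables-save style dump and prints the number of essential
# IPsec pass-through rules that are missing (0 means all are present).
# The rule strings assume the form iptables-save prints for these rules.
ipsec_fw_check() {
    missing=0
    for rule in \
        '-A PREROUTING -p udp -m udp --dport 500 -j MARK --set-xmark 0x1' \
        '-A PREROUTING -p esp -j MARK --set-xmark 0x1' \
        '-A INPUT -m mark --mark 0x1 -j ACCEPT' \
        '-A FORWARD -m mark --mark 0x1 -j ACCEPT'
    do
        grep -qF -- "$rule" "$1" || { echo "missing: $rule" >&2; missing=$((missing + 1)); }
    done
    echo "$missing"
}

# write_sample_dump FILE
# Writes a constructed (not captured from a real host) iptables-save dump
# in which the FORWARD mark rule is deliberately left out.
write_sample_dump() {
    cat > "$1" <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 500 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p esp -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 4500 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -m mark --mark 0x1 -j ACCEPT
COMMIT
EOF
}
```

Running the script with IPT unset prints nine rule lines for one local and two remote nets; feeding the constructed dump to ipsec_fw_check reports one missing rule (the FORWARD mark accept), which is the kind of gap that silently breaks forwarding of decrypted traffic between the two nets.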
