[Shorewall-users] How could I open Port 1701 for VPN l2tp/ipsec
t***@gmx.de
2012-12-29 23:40:52 UTC
Hello Mailinglist,

please excuse my bad English - I am not a native speaker.

My Network looks like this:

Internet --- dyn. IP --- Firewall (shorewall) --- LAN (192.168.X.X)

Now I try to connect my iPhone (from mobile Internet, 3G) over VPN
(l2tp/ipsec) to the firewall.

But I can't open the necessary port 1701.

/var/log/syslog
...
Dec 30 00:24:29 router kernel: [226128.293757]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:ae:d0:00:00:2d:11:bd:e5:50:bb:60:4f:54:39:1b:64:0a:98
SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=44752 PROTO=UDP SPT=62933 DPT=1701 LEN=75
Dec 30 00:24:30 router kernel: [226129.093450]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:92:d2:00:00:2d:11:d9:e3:50:bb:60:4f:54:39:1b:64:0a:98
SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=37586 PROTO=UDP SPT=62933 DPT=1701 LEN=75
...

How can I open port 1701 for VPN l2tp/ipsec?


Thank you!

Like the description in http://www.shorewall.net/IPSEC-2.6.html I tried
to configure:

/etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
vmn ipv4 <--- subnet for virtual machines
dmz ipv4
ovpn ipv4 <--- subnet for open-vpn (but the iPhone doesn't run with open-vpn)
wlan ipv4
vpn1 ipv4 <--- old VPN over pptp - but unsure -> in future should be l2tp/ipsec
vpn2 ipsec <--- new entry
l2tp ipv4 <--- new entry
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/shorewall/interfaces
net ppp0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc eth0 detect tcpflags,detectnets,nosmurfs
dmz eth2 detect tcpflags,detectnets,nosmurfs
ovpn tun0 detect tcpflags,detectnets,nosmurfs
wlan eth3 detect tcpflags,dhcp,detectnets,nosmurfs
vpn1 ppp1 detect tcpflags,detectnets,nosmurfs
vmn eth4 detect tcpflags,detectnets,nosmurfs
l2tp ppp2 -

/etc/shorewall/policy
...
# Policies for l2tp
#
l2tp net ACCEPT info
l2tp loc ACCEPT info
l2tp vmn ACCEPT info
l2tp wlan ACCEPT info
l2tp dmz REJECT info
l2tp $FW REJECT info
l2tp all REJECT info
loc l2tp ACCEPT info

/etc/shorewall/rules
...
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP(REJECT) net $FW
#REJECT $FW net udp - 1701
# l2tp over the IPsec VPN
ACCEPT vpn2 $FW udp 1701
# webserver that can only be accessed internally
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW
ACCEPT net l2tp udp 1701
ACCEPT l2tp net udp 1701
ACCEPT l2tp $FW udp 1701
ACCEPT $FW l2tp udp 1701
ACCEPT net vpn2 udp 1701
ACCEPT vpn2 net udp 1701
ACCEPT vpn2 $FW udp 1701
ACCEPT $FW vpn2 udp 1701
Roberto C. Sánchez
2012-12-30 00:48:42 UTC
Post by t***@gmx.de
Hello Mailinglist,
please excuse my bad english - but I am not a native speaker.
Internet --- dyn. IP --- Firewall (shorewall) --- LAN (192.168.X.X)
Now I try to connect my iPhone (from mobile Internet, 3G) over VPN
(l2tp/ipsec) to the firewall.
But I can't open the necessary port 1701.
What do you have in your /etc/shorewall/tunnels file?

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
t***@gmx.de
2012-12-30 09:56:57 UTC
What do you have in your /etc/shorewall/tunnels file? Regards, -Roberto
Hello Roberto,

thank you for your message. You are right - at first I forgot an entry in
the tunnels file. Now I have added an entry. Unfortunately, I still get
rejections.

/etc/shorewall/tunnels

# ZONE
openvpnserver:1194 net 0.0.0.0/0
pptpserver vpn1 0.0.0.0/0
pptpserver net 0.0.0.0/0
ipsec net 0.0.0.0/0 vpn2 <--- added line
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/var/log/syslog

Dec 30 10:50:44 router kernel: [263702.821796]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:9e:19:00:00:2d:11:c7:a3:50:bb:67:48:54:39:1b:64:5c:a4
SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=40473 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:46 router kernel: [263704.830262]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:b9:60:00:00:2d:11:ac:5c:50:bb:67:48:54:39:1b:64:5c:a4
SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=47456 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:50 router kernel: [263708.851385]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:18:5c:00:00:2d:11:4d:61:50:bb:67:48:54:39:1b:64:5c:a4
SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=6236 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:54 router kernel: [263712.870372]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:bf:77:00:00:2d:11:a6:45:50:bb:67:48:54:39:1b:64:5c:a4
SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=49015 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:50:58 router kernel: [263716.892744]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:19:48:00:00:2d:11:4c:75:50:bb:67:48:54:39:1b:64:5c:a4
SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=6472 PROTO=UDP SPT=61751 DPT=1701 LEN=75
Dec 30 10:51:02 router kernel: [263720.881264]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:d1:ae:00:00:2d:11:94:0e:50:bb:67:48:54:39:1b:64:5c:a4
SRC=80.187.103.72 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=53678 PROTO=UDP SPT=61751 DPT=1701 LEN=75
t***@gmx.de
2012-12-31 18:37:11 UTC
Hello Mailinglist,

I'm stumped. For three days I tried unsuccessfully to get started with
L2TP/IPSEC with shorewall.

I configured shorewall like the instructions in
http://www.shorewall.net/IPSEC-2.6.html but it does not run.

I always get in /var/log/syslog:
...
Dec 31 19:08:31 router kernel: [81080.616087]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:3e:3e:00:00:2d:11:20:cd:50:bb:67:59:54:39:22:05:1b:2e
SRC=80.187.103.89 DST=84.57.34.5 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=15934 PROTO=UDP SPT=62781 DPT=1701 LEN=75
...

Only, if I change the last line of /etc/shorewall/policy for a short
time to:
...
all all ACCEPT info
...

the L2TP/IPSEC tunnel runs.


I would be very happy if someone had an idea how I could get it running.

Thank you!


Tony


I made an easier configuration:

/etc/shorewall/tunnels

###############################################################################
#TYPE ZONE GATEWAY GATEWAY
# ZONE
openvpnserver:1194 net 0.0.0.0/0
ipsec net 0.0.0.0/0 vpn1
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE



----> /etc/shorewall/zones

###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
vmn ipv4 <--- subnet for virtual machines
dmz ipv4
ovpn ipv4 <--- openvpn for win-clients - but the iPhone doesn't run with openvpn
wlan ipv4
vpn1 ipsec <--- ipsec
l2tp ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE


----> /etc/shorewall/hosts
#ZONE HOSTS OPTIONS
vpn1 eth0:0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


----> /etc/shorewall/masq

##############################################################################
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 eth0
ppp0 eth2
ppp0 eth3
ppp0 eth4
ppp0 tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE



----> /etc/shorewall/interfaces
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net ppp0 detect tcpflags,dhcp,routefilter,norfc1918,nosmurfs,logmartians
loc eth0 detect tcpflags,detectnets,nosmurfs
dmz eth2 detect tcpflags,detectnets,nosmurfs
ovpn tun0 detect tcpflags,detectnets,nosmurfs
wlan eth3 detect tcpflags,detectnets,nosmurfs
l2tp ppp1 detect tcpflags,detectnets,nosmurfs
vmn eth4 detect tcpflags,detectnets,nosmurfs
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE



----> /etc/shorewall/policy

###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
#
# Policies for traffic originating from the local LAN (loc)
loc net ACCEPT info
loc vmn ACCEPT info
loc ovpn ACCEPT info
loc dmz REJECT info
loc $FW REJECT info
loc wlan ACCEPT info
loc l2tp ACCEPT info
loc all REJECT info
#
# Policies for traffic originating from the virtual network of the Virtual Machines LAN (vmn)
vmn net ACCEPT info
vmn loc ACCEPT info
vmn ovpn ACCEPT info
vmn dmz REJECT info
vmn $FW REJECT info
vmn wlan ACCEPT info
vmn all REJECT info
#
# Policies for traffic originating from the firewall ($FW)
$FW net ACCEPT info
$FW dmz ACCEPT info
$FW loc ACCEPT info
$FW vmn ACCEPT info
$FW wlan ACCEPT info
$FW all ACCEPT info
#
# Policies for traffic originating from the De-Militarized Zone (dmz)
dmz net ACCEPT info
dmz $FW REJECT info
dmz loc REJECT info
dmz vmn REJECT info
dmz wlan REJECT info
dmz all REJECT info
#
# Policies for traffic originating from the Internet zone (net)
net dmz DROP info
net $FW ACCEPT info
net loc DROP info
net vmn DROP info
net wlan DROP info
net all DROP info
#
# Policies for OpenVPN
ovpn net ACCEPT info
ovpn loc ACCEPT info
ovpn vmn ACCEPT info
ovpn wlan ACCEPT info
ovpn dmz REJECT info
ovpn $FW REJECT info
ovpn all REJECT info
#
# Policies for wlan
wlan net ACCEPT info
wlan loc REJECT info
wlan vmn REJECT info
wlan dmz REJECT info
wlan $FW ACCEPT info
wlan ovpn REJECT info
wlan all REJECT info
#
# Policies for l2tp
l2tp loc ACCEPT info
l2tp net ACCEPT info
#
# THE FOLLOWING POLICY MUST BE LAST
all all ACCEPT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE


----> /etc/shorewall/rules

#############################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
# PORT PORT(S) DEST LIMIT GROUP
#
...
# Prevent IPSEC bypass by hosts behind a NAT gateway
L2TP(REJECT) net $FW
REJECT $FW net udp - 1701
# l2tp over the IPsec VPN
ACCEPT vpn1 $FW udp 1701
# webserver that can only be accessed internally
HTTP(ACCEPT) loc $FW
HTTP(ACCEPT) l2tp $FW
HTTPS(ACCEPT) loc $FW
HTTPS(ACCEPT) l2tp $FW
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Tom Eastep
2012-12-31 19:39:45 UTC
Post by t***@gmx.de
I configured shorewall like the instructiones in
http://www.shorewall.net/IPSEC-2.6.html but it does not run.
...
Dec 31 19:08:31 router kernel: [81080.616087]
Shorewall:INPUT:REJECT:IN=ppp0 OUT=
MAC=45:00:00:88:3e:3e:00:00:2d:11:20:cd:50:bb:67:59:54:39:22:05:1b:2e
SRC=80.187.103.89 DST=84.57.34.5 LEN=95 TOS=0x00 PREC=0x00 TTL=45
ID=15934 PROTO=UDP SPT=62781 DPT=1701 LEN=75
...
Only, if I change the last line of /etc/shorewall/policy for a short
...
all all ACCEPT info
...
----> /etc/shorewall/hosts
#ZONE HOSTS OPTIONS
vpn1 eth0:0.0.0.0/0
That can't be right -- don't you want ppp0:0.0.0.0/0?
Post by t***@gmx.de
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
----> /etc/shorewall/policy
# Policies for traffic originating from the Internet zone (net)
net dmz DROP info
net $FW ACCEPT info
That's a horrible idea....

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
t***@gmx.de
2013-01-01 02:18:20 UTC
Post by t***@gmx.de
----> /etc/shorewall/hosts
#ZONE HOSTS OPTIONS
vpn1 eth0:0.0.0.0/0
That can't be right -- don't you want ppp0:0.0.0.0/0?
Thank you for this great tip. Now l2tp/ipsec gets a connection.
Post by t***@gmx.de
Post by t***@gmx.de
----> /etc/shorewall/policy
# Policies for traffic originating from the Internet zone (net)
net dmz DROP info
net $FW ACCEPT info
That's a horrible idea....
That's right. Now I changed the policy to:

net $FW DROP info

But now I get a new problem:

...
Jan 1 02:56:45 router kernel: [ 455.395574]
Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=80.187.106.196
DST=84.57.4.128 LEN=140 TOS=0x00 PREC=0x00 TTL=45 ID=43653 PROTO=UDP
SPT=7827 DPT=4500 LEN=120
...

Do you think it's safe to solve that with a rule like:

ACCEPT net $FW udp 4500

Thank you!


Tony
t***@gmx.de
2013-01-01 02:49:59 UTC
With the above configuration I can reach everything in the local network
(for example, pick up mail, browse the DMZ) but I cannot surf the
Internet. The requests are sent, and the syslog also shows "Accept".
Unfortunately there is obviously no return traffic.

Currently, I have no idea where I could find a mistake here. How can I
find out what happened to the packets?

Thank you!


Tony
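One way to answer "what happened to the packets" from the logs alone is to parse the Shorewall log prefix, which is `Shorewall:<chain>:<disposition>:` followed by the netfilter fields. The chain name is the useful part: a zone-pair chain such as net2fw means a policy or rule for that zone pair made the decision, whereas the top-level INPUT chain means no zone-pair chain claimed the packet at all, which is consistent with the ipsec zone in this thread being bound to eth0 instead of ppp0. The script below is an added example, not code from the thread or from Shorewall; its sample input is constructed from the syslog excerpts posted above (re-joined onto one line each), and the port annotations are assumptions about a typical L2TP/IPsec setup.

```python
import re
from collections import Counter

# Constructed sample input: the syslog excerpts posted in this thread,
# re-joined onto one line each (the mail client had wrapped them), plus
# one unrelated line to show that the parser ignores non-Shorewall output.
SAMPLE_LOG = """\
Dec 30 00:24:29 router kernel: [226128.293757] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:ae:d0:00:00:2d:11:bd:e5:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=44752 PROTO=UDP SPT=62933 DPT=1701 LEN=75
Dec 30 00:24:30 router kernel: [226129.093450] Shorewall:INPUT:REJECT:IN=ppp0 OUT= MAC=45:00:00:88:92:d2:00:00:2d:11:d9:e3:50:bb:60:4f:54:39:1b:64:0a:98 SRC=80.187.96.79 DST=84.57.27.100 LEN=95 TOS=0x00 PREC=0x00 TTL=45 ID=37586 PROTO=UDP SPT=62933 DPT=1701 LEN=75
Jan  1 02:56:45 router kernel: [  455.395574] Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=80.187.106.196 DST=84.57.4.128 LEN=140 TOS=0x00 PREC=0x00 TTL=45 ID=43653 PROTO=UDP SPT=7827 DPT=4500 LEN=120
Jan  1 02:56:50 router sshd[1234]: unrelated line, ignored by the parser
"""

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" then key=value fields.
SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")

# Assumed annotations for the ports an L2TP/IPsec server sees.
PORT_NOTES = {
    ("UDP", "500"): "IKE",
    ("UDP", "4500"): "IPsec NAT-T (client behind NAT, e.g. a mobile network)",
    ("UDP", "1701"): "L2TP; accept only from the ipsec zone, never from plain net",
}

def parse_line(line):
    """Return a dict of the Shorewall log fields, or None for other lines."""
    m = SHOREWALL_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        # netfilter emits LEN twice (IP total length, then UDP length): keep the first
        rec.setdefault(key, value)
    return rec

def summarize(text):
    """Group logged packets by (chain, disposition, in-interface, proto, dport)."""
    counts = Counter()
    sources = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disposition"], rec.get("IN", ""),
               rec.get("PROTO", ""), rec.get("DPT", ""))
        counts[key] += 1
        sources.setdefault(key, set()).add(rec.get("SRC", ""))
    return counts, sources

def report(text):
    """Render the summary as one text line per distinct key, most frequent first."""
    counts, sources = summarize(text)
    lines = []
    for key, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        chain, disposition, iface, proto, dport = key
        # Shorewall names zone-pair chains <src>2<dst> (net2fw, loc2net, ...)
        where = "zone-pair chain" if "2" in chain else "top-level chain, no zone pair matched"
        note = PORT_NOTES.get((proto, dport), "")
        lines.append(f"{n:4d}x {disposition:6s} in {chain} ({where}) IN={iface} "
                     f"{proto}/{dport} from {', '.join(sorted(sources[key]))}  {note}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a real /var/log/syslog (for example `report(open("/var/log/syslog").read())`) and the first lines of the output are the zone pairs and ports to look at; the UDP 1701 packets in this thread show up under INPUT, while the later UDP 4500 packets show up under net2fw, which is exactly the difference between "no zone matched" and "the net zone's policy dropped it".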
Tom Eastep
2013-01-01 15:52:26 UTC
Post by t***@gmx.de
With the above configuration I can reach everything in the local network
(for example, pick up mail, browse the DMZ) but I cannot surf the
Internet. The requests are sent, and the syslog also shows "Accept".
Unfortunately there is obviously no return traffic.
Currently, I have no idea where I could find a mistake here. How can I
find out what happened to the packets?
I would get rid of that mess you have in /etc/shorewall/masq and replace
it with one entry:

ppp0 0.0.0.0/0

One reason that we ask for the output of 'shorewall dump' when you
report a connection problem is so that we can see your IP configuration.
You have not provided that information. So if you have a public subnet
routed via ppp0, then the above entry needs to be replaced by:

ppp0 !<public subnet>

-Tom
t***@gmx.de
2013-01-04 21:04:53 UTC
Post by Tom Eastep
I would get rid of that mess you have in /etc/shorewall/masq and replace
ppp0 0.0.0.0/0
Hi Tom,

your tips are great. I spent four days on the road and therefore can
only answer today.

Now I added

ppp0 ppp1

to /etc/shorewall/masq, and now it works. I am happy!

A new problem has emerged: after the entry in /etc/shorewall/masq,
shorewall does not work when the device ppp1 is not created. If I want to
start shorewall I have to make a VPN connection first.

Is there a way to start shorewall with no VPN connection(no ppp1 ipsec
tunnel)?

Thank you!


Tony
Tom Eastep
2013-01-04 21:14:58 UTC
Post by t***@gmx.de
Post by Tom Eastep
I would get rid of that mess you have in /etc/shorewall/masq and replace
ppp0 0.0.0.0/0
Hi Tom,
your tips are great. I spent four days on the road and therefore can
only answer today.
Now I added
ppp0 ppp1
to /etc/shorewall/masq, and now it works. I am happy!
A new problem has emerged: after the entry in /etc/shorewall/masq,
shorewall does not work when the device ppp1 is not created. If I want to
start shorewall I have to make a VPN connection first.
Is there a way to start shorewall with no VPN connection(no ppp1 ipsec
tunnel)?
Why don't you just do what I showed you above?

-Tom
Tom Eastep
2013-01-05 15:33:17 UTC
Post by t***@gmx.de
Post by t***@gmx.de
A new problem has emerged: after the entry in /etc/shorewall/masq,
shorewall does not work when the device ppp1 is not created. If I want to
start shorewall I have to make a VPN connection first.
Is there a way to start shorewall with no VPN connection(no ppp1 ipsec
tunnel)?
Why don't you just do what I showed you above?
-Tom
Hi Tom,
please excuse me. I was not sure whether posting the shorewall dump on the
public list would publish data that make my firewall insecure.
Therefore, I sent you the shorewall dump personally via email. I hope
this is okay.
                                      +-------- eth2 (dmz webserver)
                                      |
Internet --- (dynamic IP) --- ppp0 ---- eth0 (local network)
                                      |
                                      +-------- eth3 (wlan)
                                      |
                                      +-------- tun0 (open-vpn)
                                      |
                                      +-------- ppp1 (vpn ipsec/l2tp)
This single entry will work:

ppp0 192.168.0.0/16

-Tom
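The startup problem in this sub-thread comes from naming an interface (ppp1, or tun0 in the earlier five-line masq file) in the SOURCE column: such an entry can only be compiled while that interface exists, whereas the single subnet entry Tom suggests (ppp0 192.168.0.0/16) does not depend on any dynamically created device. The checker below is an added example, not code from the thread or from Shorewall: it parses masq-style entries, and flags any entry whose SOURCE is an interface name rather than an address range when that interface is not among the interfaces assumed to be present at boot (a constructed set passed in by the caller). The three sample files are constructed from the entries posted in this thread.

```python
import ipaddress

# Constructed samples built from the masq entries posted in the thread.
MASQ_FIVE_INTERFACES = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 eth0
ppp0 eth2
ppp0 eth3
ppp0 eth4
ppp0 tun0
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

MASQ_PPP1 = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 ppp1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

MASQ_SUBNET = """\
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
ppp0 192.168.0.0/16
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
"""

# Assumed set of interfaces that exist when Shorewall starts at boot on the
# router drawn above: the Ethernet ports and the uplink, but not the
# on-demand tunnels tun0 (OpenVPN) and ppp1 (L2TP/IPsec).
BOOT_INTERFACES = {"lo", "eth0", "eth2", "eth3", "eth4", "ppp0"}

def parse_masq(text):
    """Split masq entries into (outgoing interface, source) pairs; comments are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        entries.append({"interface": cols[0], "source": cols[1] if len(cols) > 1 else "-"})
    return entries

def is_network(token):
    """True if the SOURCE column is a list of address ranges (with optional ! exclusions)."""
    parts = [p for p in token.replace("!", ",").split(",") if p]
    if not parts:
        return False
    for part in parts:
        try:
            ipaddress.ip_network(part, strict=False)
        except ValueError:
            return False
    return True

def check_masq(text, present_interfaces):
    """Return one finding per entry whose SOURCE names an interface that is absent at start."""
    findings = []
    for entry in parse_masq(text):
        src = entry["source"]
        if src == "-" or is_network(src):
            continue
        # anything that is not an address range is an interface, optionally
        # qualified as interface:subnet; only the interface part matters here
        iface = src.split(":", 1)[0]
        if iface not in present_interfaces:
            findings.append(
                f"{entry['interface']} {src}: SOURCE names interface {iface!r}, which is not "
                f"present at startup; use its address range instead (e.g. 192.168.0.0/16)")
    return findings

if __name__ == "__main__":
    for name, text in [("five interfaces", MASQ_FIVE_INTERFACES),
                       ("ppp1", MASQ_PPP1), ("subnet", MASQ_SUBNET)]:
        print(name, "->", check_masq(text, BOOT_INTERFACES) or "ok")
```

The subnet form is also the narrower one from a security point of view: it masquerades exactly the private ranges you own, whereas an entry like `ppp0 0.0.0.0/0` would also NAT whatever else the router happens to forward out of ppp0, which is why Tom qualifies that entry with the `!<public subnet>` exclusion when a routed public range exists.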