Hi,

On Mon, Jan 21, 2019 at 12:02 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> On 1/21/19 6:36 AM, Alex wrote:
> > Hi,
> >
> > I have a fedora29 system with shorewall-5.2.0.4 and am trying to add road
> > warriors through the VPN from a similar system with fedora29 and
> > shorewall-5.2.0.4 with a dynamic IP.
> >
> > [159401.601943] IPv4: martian source 192.168.1.2 from 192.168.6.1, on dev br0
> > [159401.601959] ll header: 00000000: 0c c4 7a a9 18 de a4 15 88 a9 30 b7 08 00 ..z.......0...
> >
> > I've set up 192.168.1.0/24 and 192.168.6.0/24 in the vpn zone in hosts.
> >
> > I'm not sure which config settings to include here in the message
> > body, so thought I would include "shorewall dump" for both systems.
> > I'm hoping someone can help me identify the issue.
>
> The problem is that eth1 is associated with 192.168.6.0/24, but a packet
> with source IP 192.168.6.1 is being received through br0. On the VPN
> client, the loopback interface has been assigned that IP address, which is
> a duplicate of the IP address of eth1 on the server.
I think I've fixed the martian problem, but I still can't reach one side
of the VPN from the other and vice versa. Just to summarize from a few
days ago:

192.168.11.0/24 -- <VPN1> -- <VPN2> -- 192.168.1.0/24

VPN1 is a dynamic IP (currently 68.192.251.223) with a freedns hostname.
VPN2 has a static IP (68.199.193.42).

I'd like to be able to reach hosts on either side, as well as the VPN
hosts themselves. Currently it doesn't appear that I can reach any host
from any other host at all.

# ip xfrm state
src 68.192.251.223 dst 68.199.193.42
    proto esp spi 0x48acc1b4 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0xeac1161d7b63ede8196f2b9dc0ea1e92651bc96327510ac639304518de77c9cad19d1f5e 128
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.199.193.42 dst 68.192.251.223
    proto esp spi 0x3c181644 reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x782c8e171067c513c946db43552088b1ecdd2c3220d87caa44148921cbfa489b2ab901f7 128
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.192.251.223 dst 68.199.193.42
    proto esp spi 0xe3b59a4d reqid 16397 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0xf0f2997d920d647ebdd1b87c1fccd67ef61085e42239ccf8a353d36bbcdf6ac5b0ef7fc3 128
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 68.199.193.42 dst 68.192.251.223
    proto esp spi 0x8b393d98 reqid 16397 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0xbf6e5c7c8d1800356ee74136db9541520a284c0d0ea05f4163425c14c7cbf14045b369ff 128
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

# ip xfrm policy
src 192.168.1.0/24 dst 192.168.11.0/24
    dir out priority 1042407 ptype main
    tmpl src 68.199.193.42 dst 68.192.251.223
        proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
    dir fwd priority 1042407 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
    dir in priority 1042407 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16389 mode tunnel
src 68.199.193.40/29 dst 192.168.11.0/24
    dir out priority 1041127 ptype main
    tmpl src 68.199.193.42 dst 68.192.251.223
        proto esp reqid 16397 mode tunnel
src 192.168.11.0/24 dst 68.199.193.40/29
    dir fwd priority 1041127 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16397 mode tunnel
src 192.168.11.0/24 dst 68.199.193.40/29
    dir in priority 1041127 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16397 mode tunnel
src 68.199.193.40/29 dst 192.168.10.0/24
    dir out priority 1041127 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 192.168.1.0/24 dst 192.168.10.0/24
    dir out priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport

It looks like the VPNs are all built correctly. Should the shorewall
hosts contain all the networks involved with the VPN on the vpn zone
line? I'm also unsure how to configure hosts on the side with the
dynamic IP:

vpn enp4s0: ipsec
vpn enp2s0:192.168.11.0/24 ipsec

I hoped you could review my "shorewall dump" output and help me figure
out why it's not working.

https://pastebin.com/K39DNDEj

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
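An added example, not part of the thread and not Shorewall or iproute2 code: when reading an `ip xfrm policy` dump like the one above, the first thing to check is that every protected subnet pair has a complete policy set, i.e. `dir out` for traffic leaving this gateway plus `dir fwd` and `dir in` for the reverse selector, all sharing one reqid and naming the real tunnel endpoints in their template. The script below parses a dump (token by token, so it also accepts a copy whose line breaks were lost, as in the mailing-list archive) and reports per subnet pair which directions exist and which policies carry an unspecified `0.0.0.0` endpoint, `reqid 0` or `mode transport`. The sample dump is constructed from the eight policies pasted in the message; the script only describes what is in the dump and makes no claim about why the tunnel does not pass traffic.

```python
"""Audit an `ip xfrm policy` dump for incomplete IPsec policy sets (added example)."""
from collections import defaultdict

# Constructed sample: the eight policies from the message, in ip(8)'s own layout.
SAMPLE_DUMP = """\
src 192.168.1.0/24 dst 192.168.11.0/24
    dir out priority 1042407 ptype main
    tmpl src 68.199.193.42 dst 68.192.251.223
        proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
    dir fwd priority 1042407 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16389 mode tunnel
src 192.168.11.0/24 dst 192.168.1.0/24
    dir in priority 1042407 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16389 mode tunnel
src 68.199.193.40/29 dst 192.168.11.0/24
    dir out priority 1041127 ptype main
    tmpl src 68.199.193.42 dst 68.192.251.223
        proto esp reqid 16397 mode tunnel
src 192.168.11.0/24 dst 68.199.193.40/29
    dir fwd priority 1041127 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16397 mode tunnel
src 192.168.11.0/24 dst 68.199.193.40/29
    dir in priority 1041127 ptype main
    tmpl src 68.192.251.223 dst 68.199.193.42
        proto esp reqid 16397 mode tunnel
src 68.199.193.40/29 dst 192.168.10.0/24
    dir out priority 1041127 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
src 192.168.1.0/24 dst 192.168.10.0/24
    dir out priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 0 mode transport
"""

UNSPECIFIED = "0.0.0.0"
SCALAR_KEYS = ("dst", "dir", "priority", "proto", "reqid", "mode")


def parse_policies(text):
    """Return one dict per policy (src, dst, dir, priority, tmpl_src, tmpl_dst, proto, reqid, mode).

    Works on whitespace-separated tokens, so a dump flattened onto one line parses
    identically to the multi-line form; unknown tokens are skipped."""
    tokens = text.split()
    policies, cur, i = [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        # A selector line starts a new policy; "tmpl src" is the template, not a selector.
        if tok == "src" and (i == 0 or tokens[i - 1] != "tmpl") and i + 1 < len(tokens):
            cur = {"src": tokens[i + 1]}
            policies.append(cur)
            i += 2
        elif tok == "tmpl" and cur is not None and i + 4 < len(tokens):
            cur["tmpl_src"], cur["tmpl_dst"] = tokens[i + 2], tokens[i + 4]
            i += 5
        elif tok in SCALAR_KEYS and cur is not None and i + 1 < len(tokens):
            cur[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1
    return policies


def audit(policies):
    """Group policies by unordered subnet pair and list what is missing or odd for each.

    A gateway-to-gateway tunnel protecting A<->B normally shows three policies here:
    dir out (src A dst B) and dir fwd + dir in (src B dst A), one reqid, real endpoints."""
    groups = defaultdict(list)
    for p in policies:
        groups[tuple(sorted((p["src"], p["dst"])))].append(p)
    report = {}
    for pair, plist in sorted(groups.items()):
        dirs = {p.get("dir") for p in plist}
        modes = {p.get("mode") for p in plist}
        reqids = {p.get("reqid", "?") for p in plist}
        issues = ["missing dir %s" % d for d in ("out", "fwd", "in") if d not in dirs]
        if any(UNSPECIFIED in (p.get("tmpl_src"), p.get("tmpl_dst")) for p in plist):
            issues.append("template has unspecified endpoint 0.0.0.0")
        if "0" in reqids:
            issues.append("reqid 0 (no SA bound to this policy)")
        if len(reqids) > 1:
            issues.append("reqid differs between directions: %s" % ", ".join(sorted(reqids)))
        if "transport" in modes:
            issues.append("mode transport rather than tunnel")
        report[pair] = {"dirs": dirs, "modes": modes, "reqids": reqids, "issues": issues}
    return report


if __name__ == "__main__":
    for pair, info in audit(parse_policies(SAMPLE_DUMP)).items():
        state = "ok" if not info["issues"] else "; ".join(info["issues"])
        print("%s <-> %s  dirs=%s  %s" % (pair[0], pair[1], sorted(info["dirs"]), state))
```

Run it against a live box with `ip xfrm policy | python3 xfrm_audit.py` after replacing `SAMPLE_DUMP` with `sys.stdin.read()`; on the sample it reports the two tunnel pairs as complete and flags both policies towards 192.168.10.0/24 as out-only with an unspecified template, reqid 0 and transport mode.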