
[suse-security] SuSEFirewall2, IPSec -> SuSE-FW-UNALLOWED-TARGETIN
Hello,

I have a little problem with denied packets if I use
SuSEfirewall2 for protecting the VPN gateway.
I get messages like this if I ping (or try to open another
connection, like ssh) to a system in the
internal network through the ipsec tunnel:

Oct 20 20:13:16 gigant kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 
OUT= MAC=00:05:5d:0a:93:00:00:09:5b:24:3e:67:08:00 SRC=192.168.2.2 
DST=192.168.1.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 
DF PROTO=ICMP TYPE=8 CODE=0 ID=25665 SEQ=1280

192.168.1.0/24 is the internal network, which should be accessible
from the roadwarriors through ipsec from all other networks
(in this test case the roadwarrior is 192.168.2.2).

My SuSEfirewall2 setup:

FW_DEV_INT="eth0"        # 192.168.1.0/24
FW_DEV_DMZ="eth1 ipsec0"  # 192.168.2.0/24
FW_ROUTE="yes"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"

FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP="500"
FW_SERVICES_DMZ_IP="50 51"
FW_FORWARD="192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24"

Without the firewall everything works fine. Can someone see my mistakes?

With the iptables rules I can
start the ipsec tunnel and I can ping the IP (192.168.2.1) of the
ipsec gateway. And all I see are ESP packets on the wire,
so I think the tunnel is ok.

thanks a lot,
 -mael

-- 
email: mael@xxxxxxxxxxxxx -> www: http://www.m-ellinger.de
GPG-Key: http://www.m-ellinger.de/output/mael.gpg
Member of the Zwickau Linux User Group zLUG e.V.
http://www.zlug.org
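A small triage helper, added here and not part of the original post, that parses the kernel log line quoted above into its fields and checks the dropped packet against the posted FW_DEV_* and FW_FORWARD settings: which zone the IN interface is assigned to, which FW_FORWARD pair covers the SRC/DST addresses, and whether DST is an address known to belong to the gateway. The post only names 192.168.2.1 as a gateway address, so the firewall_addrs list is an assumption and 192.168.1.1 is treated as unknown.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the variables quoted in the post (not a full SuSEfirewall2 file).
CONFIG = {
    "FW_DEV_INT": "eth0",
    "FW_DEV_DMZ": "eth1 ipsec0",
    "FW_FORWARD": "192.168.1.0/24,192.168.2.0/24 192.168.2.0/24,192.168.1.0/24",
}

# The log line from the post, re-joined onto one line (mail wrapping removed).
LOG_LINE = ("Oct 20 20:13:16 gigant kernel: SuSE-FW-UNALLOWED-TARGETIN=ipsec0 OUT= "
            "MAC=00:05:5d:0a:93:00:00:09:5b:24:3e:67:08:00 SRC=192.168.2.2 DST=192.168.1.1 "
            "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=25665 SEQ=1280")

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_fw_log(line):
    """Return (log tag, fields) for a SuSE-FW kernel line; the tag is glued to 'IN='."""
    tag_match = re.search(r"(SuSE-FW-[A-Z-]+?)IN=", line)
    fields = {}
    for key, value in FIELD_RE.findall(line[tag_match.end(1):]):
        fields.setdefault(key, value)   # keep the first ID= (IP header), not the ICMP one
    return tag_match.group(1), fields

def zone_of(interface, config):
    """Return which FW_DEV_* variable lists the interface, or None if it is in no zone."""
    for var in ("FW_DEV_EXT", "FW_DEV_INT", "FW_DEV_DMZ"):
        if interface in config.get(var, "").split():
            return var
    return None

def forward_rules(config):
    """Parse FW_FORWARD ('src,dst src,dst ...') into (src_net, dst_net) pairs."""
    pairs = []
    for entry in config.get("FW_FORWARD", "").split():
        src, dst = entry.split(",")[:2]
        pairs.append((ip_network(src), ip_network(dst)))
    return pairs

def triage(line, config, firewall_addrs=("192.168.2.1",)):
    """Map one dropped packet back onto the configuration that should have handled it."""
    tag, fields = parse_fw_log(line)
    src, dst = ip_address(fields["SRC"]), ip_address(fields["DST"])
    return {
        "tag": tag,
        "in_zone": zone_of(fields["IN"], config),
        "forward_matches": [f"{s},{d}" for s, d in forward_rules(config) if src in s and dst in d],
        "dst_is_firewall": fields["DST"] in firewall_addrs,   # assumption: only 192.168.2.1 known
    }

if __name__ == "__main__":
    print(triage(LOG_LINE, CONFIG))
```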

