
[suse-security] Problem with IPSec and SuSEfirewall2 SuSE-FW-ILLEGAL-TARGET



Hi,

after weeks of reading FAQs, guides and everything I found about firewalls
and FreeS/WAN I still have a big problem.

But first let me describe what is working and my network setup:

roadwarrior
(a.b.c.d)
    |
internet
    |
(d.e.f.g, static ip, ext. device, eth1, ipsec0)
gateway with SuSE 8.2 and FreeS/WAN
(10.10.11.3, int. device, eth0)
    |
(10.10.11.0/24, int. network)
LAN

IPSec connection between roadwarrior and gateway external device works
without any problem.

But no matter what I try, if I try to ping the gateway's internal device
(10.10.11.3) or the internal network I always get

SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT=
MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=xxx.xxx.xxx.x
DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3540 PROTO=ICMP TYPE=8
CODE=0 ID=1280 SEQ=256

*SRC=xxx.xxx.xxx.x is the address of my roadwarrior

I did set up the Firewall as described in
/usr/share/doc/packages/SuSEfirewall2/EXAMPLES Scenario4:

FW_DEV_EXT="eth1 ipsec0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="10.10.11.0/24"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_FORWARD="a.b.c.d,10.10.11.0/24 10.10.11.0/24,a.b.c.d"

a.b.c.d is the address of my roadwarrior

I left all other options default for testing the IPSec connections.
Even without routing and masquerading I still get the error above, and the
above settings for routing, forwarding and masquerading did not change
anything.

I also tried to make a custom updown script to be executed when ipsec0 comes
up, but that didn't change anything either.

If the firewall is disabled I can ping the gateway's internal device
(10.10.11.3) from an external IPSec connection.
With the firewall enabled I can only access the external device of the
gateway - I cannot ping to the internal network.

Any suggestions as to what I am doing wrong here?
I guess I have to use a custom updown script that allows traffic between the
roadwarrior and the internal network and is executed each time an IPSec
connection comes up.

I tried this script but still had the SuSE-FW-ILLEGAL-TARGET error:

# fragment of the FreeS/WAN _updown script: $1 is the operation pluto is
# performing and the PLUTO_* variables describe the connection being brought
# up or down (own subnet/netmask and the peer's client subnet)
case "$1" in
up-client:)
        # allow routed traffic between our subnet and the peer's client subnet
        iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT -j ACCEPT
        iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -s $PLUTO_PEER_CLIENT -j ACCEPT
        ;;

down-client:)
        # remove exactly the two rules added in up-client:
        iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT -j ACCEPT
        iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -s $PLUTO_PEER_CLIENT -j ACCEPT
        ;;
esac

I checked the Pluto variables at execution time of the script, and the IP
addresses represented by those were correct.

I appreciate any suggestions, thanks in advance,

R. Peters
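An added example (not part of the post above, and not SuSEfirewall2 or FreeS/WAN code): a small Python triage script that parses netfilter LOG lines of the kind quoted above (the SuSE-FW-ILLEGAL-TARGET line) and checks each dropped packet against the FW_FORWARD pairs from the quoted configuration. The sample log lines are constructed; 198.51.100.7 stands in for the roadwarrior's a.b.c.d, 203.0.113.9 for an unrelated internet host, and 192.0.2.1 for the gateway's external address d.e.f.g. The gateway's internal address and LAN network are the ones given in the post.

```python
"""Triage netfilter LOG lines (SuSE-FW-* prefixes) against a FW_FORWARD policy.

Added example, not code from the original post. Addresses from the
documentation ranges (198.51.100.7, 203.0.113.9, 192.0.2.1) are stand-ins
for the placeholders a.b.c.d / d.e.f.g used in the post.
"""
import ipaddress
import re

# Constructed sample lines in the LOG format quoted in the post. ICMP lines
# carry two ID= fields: the IP identification first, then the ICMP echo id.
SAMPLE_LOG = [
    "Jan  1 12:00:00 gw kernel: SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 "
    "DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3540 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1280 SEQ=256",
    "Jan  1 12:00:01 gw kernel: SuSE-FW-ILLEGAL-TARGET IN=ipsec0 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 "
    "DST=10.10.11.42 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=3541 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=1280 SEQ=512",
    "Jan  1 12:00:02 gw kernel: SuSE-FW-ILLEGAL-TARGET IN=eth1 OUT= "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 "
    "DST=10.10.11.3 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP "
    "SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Jan  1 12:00:03 gw kernel: eth1: link up",          # not a firewall line
]

# Values from the post (10.10.11.x) and labelled assumptions (192.0.2.1).
GATEWAY_INTERNAL = ipaddress.ip_address("10.10.11.3")   # from the post
GATEWAY_EXTERNAL = ipaddress.ip_address("192.0.2.1")    # assumed stand-in for d.e.f.g
LAN = ipaddress.ip_network("10.10.11.0/24")             # from the post
TUNNEL_IFACE = "ipsec0"
# FW_FORWARD from the post, with a.b.c.d replaced by the assumed 198.51.100.7
FW_FORWARD = "198.51.100.7,10.10.11.0/24 10.10.11.0/24,198.51.100.7"

LOG_RE = re.compile(r"(SuSE-FW-[A-Z-]+)\s+(.*)$")
TOKEN_RE = re.compile(r"([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of a SuSE-FW log line, or None otherwise.

    Flag-only tokens such as DF or SYN are skipped. A repeated key (the
    second ID= on ICMP lines) is stored with a _2 suffix so it does not
    overwrite the IP identification field.
    """
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = {"PREFIX": m.group(1)}
    for key, value in TOKEN_RE.findall(m.group(2)):
        if key in entry:
            key += "_2"
        entry[key] = value
    return entry


def parse_fw_forward(value):
    """Parse SuSEfirewall2's FW_FORWARD 'src,dst[,proto[,port]]' pairs."""
    pairs = []
    for item in value.split():
        src, dst = item.split(",")[:2]
        pairs.append((ipaddress.ip_network(src, strict=False),
                      ipaddress.ip_network(dst, strict=False)))
    return pairs


def classify(entry, forward_pairs):
    """Say which chain the packet would traverse and whether FW_FORWARD covers it."""
    src = ipaddress.ip_address(entry["SRC"])
    dst = ipaddress.ip_address(entry["DST"])
    # A packet addressed to one of the gateway's own addresses is delivered
    # locally and traverses INPUT; anything else is routed and traverses FORWARD.
    chain = "INPUT" if dst in (GATEWAY_INTERNAL, GATEWAY_EXTERNAL) else "FORWARD"
    return {
        "prefix": entry["PREFIX"],
        "in": entry.get("IN", ""),
        "via_tunnel": entry.get("IN") == TUNNEL_IFACE,
        "chain": chain,
        "to_lan": dst in LAN,
        "fw_forward_match": any(src in s and dst in d for s, d in forward_pairs),
        "proto": entry.get("PROTO"),
    }


def triage(lines, fw_forward):
    """Classify every firewall log line in `lines` against `fw_forward`."""
    pairs = parse_fw_forward(fw_forward)
    results = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is not None:
            results.append(classify(entry, pairs))
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, FW_FORWARD):
        print(r)
```

The output separates two situations that look identical in the raw log: a packet from the tunnel to a LAN host (10.10.11.42) is FORWARD-chain traffic, so a True fw_forward_match means the configured pair should cover it and the generated rules (iptables -L FORWARD -n -v) are the next thing to inspect; a packet to the gateway's own internal address (10.10.11.3) is delivered locally and goes through INPUT, which FW_FORWARD does not govern at all. The third line, arriving on eth1 from an address outside every FW_FORWARD pair, is the ordinary case the ILLEGAL-TARGET log is meant to catch.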


