Koozali.org: home of the SME Server

IPSEC pass thru support

richard

IPSEC pass thru support
« on: June 05, 2001, 05:32:33 AM »
Can you tell me if the current version of internet gateway supports IPSEC pass thru. In short, can I use 1 IPSEC compatible client behind this firewall and connect to an external IPSEC gateway (non-e-smith)? I know that there is an issue with IPSEC and masquerading, so I would imagine the answer is no, but any information would be greatly appreciated.

Thanks

Patrick C.

Re: IPSEC pass thru support
« Reply #1 on: June 07, 2001, 06:45:08 AM »
I would love to know this as well. I have the same issue, I need to connect through the E-Smith server to a remote VPN server. Anyone have ideas? Anyone? Thanks.

Ritchie Logan

Re: IPSEC pass thru support
« Reply #2 on: June 11, 2001, 04:40:50 PM »
Here's what I had to do to get IPSEC going. The E-Smith folks nearly got IPSEC running out of the box, just need the addition of UDP 500 pass through. I've adapted some code that was posted earlier on how to either block or pass through port 80.... so apologies to the original author for my blatant pilfering!!

Do all the following and you should find yourself able to connect to an IPSEC server through the E-Smith box.

All lines beginning with ">" are command lines; copy and paste these.

Create the new template directories
>mkdir -p /etc/e-smith/templates-custom/etc
>mkdir -p /etc/e-smith/templates-custom/etc/rc.d
>mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d

Copy the existing templates to the custom area
>cp -rp /etc/e-smith/templates/etc/rc.d/init.d/masq /etc/e-smith/templates-custom/etc/rc.d/init.d/

Change to the custom directory
>cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq

Edit the file 45AllowIPSecMasq, and add the following line below the existing similar one (for the port 50 IP6CRYPT)
ipchains -I input -j ACCEPT -p udp -s 0/0 500

Expand the templates
>/sbin/e-smith/expand-template /etc/rc.d/init.d/masq

Tell e-smith to update the live config.
>/sbin/e-smith/signal-event remoteaccess-update

You don't even need to re-boot.... just try to connect from your client.

Let me know how you get on.

Ritchie

Patrick C.

Re: IPSEC pass thru support
« Reply #3 on: June 12, 2001, 09:11:07 AM »
Ritchie is the MAN! Your solution worked perfectly! Thanks so much!

trevor

Re: IPSEC pass thru support
« Reply #4 on: June 15, 2001, 06:45:27 PM »
Thanks.

It worked fine for me too. Made life very easy..

Trevor B

Steve Leeke

Re: IPSEC pass thru support
« Reply #5 on: July 03, 2001, 04:10:28 PM »
What is the equivalent to this for e-smith v4.0 (RH 6.1 base)? This seems to be e-smith v4.1 specific.

Kevin Brouelette

Re: IPSEC pass thru support
« Reply #6 on: July 16, 2001, 11:55:17 PM »
I tried to put this in the relevant thread.

I have set up IPSec based on the docs posted by Christopher Worthington,
and I'm having problems connecting the 2 gateways.

Here's the relevant text from 'ipsec barf':


Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": prepare-client output: /usr/local/lib/ipsec/_updown: parameters unexpected
Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": prepare-client command exited with status 2
Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": route-client output: /usr/local/lib/ipsec/_updown: parameters unexpected
Jul 16 07:33:05 gateway Pluto[3059]: "net.192.168.44.0-net.local": route-client command exited with status 2
I get this type of error on both gateways.
Thanks

Kevin

Nick Orphan

Re: IPSEC pass thru support
« Reply #7 on: July 31, 2001, 03:03:27 AM »
What do I do if I have no file 45AllowIPSecMasq in my masq directory, after doing the copy?

Ritchie Logan

Re: IPSEC pass thru support
« Reply #8 on: July 31, 2001, 03:38:49 PM »
Are you running E-Smith 4.1.2??

If not, then I think you'll need to upgrade.

Ritchie

Brian Dall

Re: IPSEC pass thru support
« Reply #9 on: September 06, 2001, 11:50:17 AM »
THANK YOU for the detailed instructions!  They worked for me.

Any security issues I should be aware of with the opening of this additional port?  

I know the IP addresses of the remote VPN servers.  Can I limit the opening of the ports to only those servers?

This gets a bit complicated with the Masq and everything else involved, and I THINK I understand what the changes did, but I'm not confident enough to risk tweaking it on my own.

-Brian

DJ_Ramjet99

Re: IPSEC pass thru support
« Reply #10 on: September 13, 2001, 11:40:09 AM »
Hi,

Is it possible for someone to post a screen dump of this file? No matter how I try entering the additional line, the template will not expand (missing operator errors, barewords etc), so I suspect my syntax is wrong and I would love to get this humming.

Arend

Re: IPSEC pass thru support
« Reply #11 on: September 17, 2001, 04:38:08 AM »
I had those same errors initially. I went back through the steps and noticed that I had placed the ipchains line in the 45AllowIPSecMasq file after a line that just had HERE in it. I moved it above this line and the errors went away and VPN started working properly!

[-TS-]Master_X

Re: IPSEC pass thru support
« Reply #12 on: September 22, 2001, 03:29:22 PM »
Hi

I'm a newbie in Linux and I had to open UDP port 9110 and found your tutorial. It works great and I learned more from your tutorial than any other way.

Thanks thanks

Steve Leeke

Re: IPSEC pass thru support
« Reply #13 on: September 27, 2001, 07:22:47 AM »
I'm running SonicWall's VPN client from PCs inside my e-smith LAN, connecting back to the office.

IPSec pass through works fine, but I've noticed that only one VPN client inside can work at a time - and to switch clients I've got to reboot the e-smith server!

Does anyone have an idea of what might be causing this?

Thanks,

Steve

Simon Vetterli

Re: IPSEC pass thru support
« Reply #14 on: September 29, 2001, 12:28:57 PM »
Hi Ritchie

In which line do I have to add

"Edit the file 45AllowIPSecMasq, and add the following line below the existing similar one (for the port 50 IP6CRYPT)

ipchains -I input -j ACCEPT -p udp -s 0/0 500"

And do I leave the other lines?

Waiting for an answer.


Simon Vetterli

Ritchie Logan

Re: IPSEC pass thru support
« Reply #15 on: October 01, 2001, 03:36:18 PM »
Here is a complete dump of my modified 45AllowIPSecMasq file. Everything between the "CUT HERE" lines. Note the line with "HERE" on its own. To qualify what I said in the original post, add the extra line IMMEDIATELY BELOW the existing one.

This should sort out DJ Ramjet and Simon.


==============CUT HERE==========================
{
    local %services = ( masq => $masq );

    my $me = "ipsec";

    my $status = db_get_prop(\%services, 'masq', 'status') || "disabled";
    my $loadme = db_get_prop(\%services, 'masq', $me) || "yes";

    if ( ($status eq "enabled") and ($loadme eq "yes") )
    {
        $OUT = <<'HERE';
    # Accept incoming ESP packets
    # Don't bother about AH packets here, as you can't masq them
    /sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT

    #added by Ritchie 31/05/2001 to allow VPN Client to function
    /sbin/ipchains --append input -p udp -s 0/0 500 -d $OUTERNET 500 -j ACCEPT
HERE
    }
}
==============CUT HERE==========================

Ritchie Logan

Re: IPSEC pass thru support
« Reply #16 on: October 01, 2001, 03:47:17 PM »
Brian Dall,

If you know the IP address of the IPSEC server you are connecting to, then it is feasible that you restrict the incoming IP address in the ipchains command. I haven't really looked at the syntax since May, so I've forgotten it precisely but I think you would replace the 0/0 in BOTH ipchains commands in the 45AllowIPSecMasq file with the IP address of your server.

Check the ipchains HOWTO to be sure you get the syntax right - if you really feel the need to do this...... HOWEVER.....

IPSEC VPN clients are inherently secure in that you REQUEST connection from your client, to a specific server. I can't see how the opening of these ports to the outside world would make your machine vulnerable to attack. Anyone care to comment on this???

Has anyone upgraded to V5.00 yet...... I did post a bug report back in May, so I'm wondering whether this has been fixed in the distro??

Cheers

Ritchie

PS sorry for delays, I've moved house recently and my CM has not yet been reconnected.
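Added example, not code from the thread or from e-smith: a small POSIX shell script that inserts the UDP 500 ipchains rule into a copy of the 45AllowIPSecMasq fragment immediately above the bare HERE terminator (the placement Replies #11 and #15 insist on; a line after HERE falls outside the heredoc and breaks expansion) and, for Brian's question in Reply #9, lets you replace 0/0 with the known VPN server's address. The function names, the temporary directory and the peer address 203.0.113.10 are assumptions; the fragment below is a trimmed, constructed copy of the stock one, not the live template.

```shell
#!/bin/sh
# Added example: add the IKE (UDP 500) accept rule inside the heredoc of a
# 45AllowIPSecMasq copy, optionally restricted to one known IPsec peer.
set -eu

# add_ipsec_udp500_rule FILE [PEER]   (assumed helper name)
# PEER defaults to 0/0 (any source); pass the VPN server's address to tighten it.
add_ipsec_udp500_rule() {
    file=$1
    peer=${2:-0/0}
    rule="    /sbin/ipchains --append input -p udp -s $peer 500 -d \$OUTERNET 500 -j ACCEPT"
    # Idempotent: a second run must not add a duplicate rule.
    if grep -Fxq "$rule" "$file"; then
        return 0
    fi
    awk -v rule="$rule" '
        # The bare HERE line closes the heredoc, so the rule goes just before it.
        /^HERE$/ && !done { print ""; print "    # allow IKE (UDP 500) for the VPN client"; print rule; done = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# rule_line_number FILE PATTERN: 1-based line of the first fixed-string match, 0 if absent.
rule_line_number() {
    n=$(grep -n -F -- "$2" "$1" | head -n 1 | cut -d: -f1)
    echo "${n:-0}"
}

# Constructed, trimmed copy of the stock fragment (ESP rule only), written to a
# temp dir rather than /etc/e-smith/templates-custom so this runs anywhere.
demo_dir=$(mktemp -d)
tpl="$demo_dir/45AllowIPSecMasq"
cat > "$tpl" <<'EOF'
{
    local %services = ( masq => $masq );
    my $status = db_get_prop(\%services, 'masq', 'status') || "disabled";
    if ( $status eq "enabled" )
    {
        $OUT = <<'HERE';
    # Accept incoming ESP packets
    /sbin/ipchains --append input -p 50 -s 0/0 -d $OUTERNET -j ACCEPT
HERE
    }
}
EOF
add_ipsec_udp500_rule "$tpl" 203.0.113.10   # 203.0.113.10 is a constructed peer address
cat "$tpl"
```

On a real box the edited file still has to be expanded and the masq service signalled as in Reply #2; the script only prepares the template fragment.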

Ritchie Logan

Re: IPSEC pass thru support
« Reply #17 on: October 01, 2001, 04:03:40 PM »
Steve Leeke,

I have had 2 clients behind my firewall connect at the same time with no problems, and no requirement to re-boot at any point. I use the Nortel Extranet Client. Note that these were 2 DIFFERENT clients and users.... my connection, and one of my colleagues. I cannot run 2 concurrent sessions with a single ID from home into the office (i.e. from 2 different PCs at home), the Nortel Client returns a "Maximum Sessions Reached" error.

Before I switched to E-Smith I was using another server solution, and to achieve VPN connectivity, I used port forwarding rather than masq'ing. The result was that ALL IPSEC traffic (arriving on port 50 and UDP 500 ) was forwarded to a single internal IP address. This meant that only the client running on that IP address was able to connect. One of the major benefits of the E-Smith setup we have here, is that the IPSEC traffic is properly NAT'd and masq'd, meaning that no matter what IP address, or how many clients you have running you should have no problems connecting to a standard setup. Please note that it

As long as you have implemented the setup as above, then I'm afraid I have no idea why you should have these problems.

Ritchie

Simon Vetterli

Re: IPSEC pass thru support
« Reply #18 on: October 02, 2001, 02:07:31 PM »
VPN is working now!!

I tried for a long time to get this working with E-Smith Server, Version 4.1.2 and now with SME 5, and as clients Windows 95, Windows 98 and Windows 98SE.

With these clients I didn't get any connection over VPN. I think that even the latest DUN (V1.4, USA/Canada version) still has some bugs.

This morning I tried with Windows ME, without any special downloads.

And it works fine. OK, I had a very slow connection (19200 bps)...

The settings I used on the clients were:

- One Dial-Up for Internet (e.g. over Sunrise/Diax (in Switzerland))
- One Dial-Up for VPN with the following settings:

  General:

  VPN-Server: IP address you see from outside the network
  Microsoft VPN-Adapter

  Security:
  Login-Name/Password as used on the VPN-Server
  Domain: as used for the LAN where the VPN server is connected

  Logon on Network enabled
  Encrypted Password? enabled

If you have any questions, please let me know.

Thanks Simon

Dany

Re: IPSEC pass thru support
« Reply #19 on: February 01, 2002, 07:23:40 AM »
I'm using 4.1.2 and an external CISCO 3000 with a Client (WIN2K) running behind E-smith.
I've followed the indication (http://forums.contribs.org/index.php?topic=1855.msg6169#msg6169), I can pass the authentication and it sounds like I'm connected, but I can't reach any server (IP address or name).

If I disconnect the E-smith box and hook this machine up directly to my cable modem... it works, so I assume that my client is OK!

Any idea on what to check or enable in order to see something working ?

It's so frustrating to be connected to this VPN and not able to do anything.
PS2: Do not hesitate to copy any response to my email address.

Doug McCaughan

Re: IPSEC pass thru support
« Reply #20 on: October 16, 2002, 10:15:24 PM »
As this is an old thread, would the same fix above apply to SME 5.5?

Doug McCaughan

Re: IPSEC pass thru support
« Reply #21 on: October 16, 2002, 11:28:07 PM »
OK. I see in 5.5 they've added Ritchie's fix.

The VPN seems to establish itself. Windows Remote Desktop Connection (the new Terminal Services client) times out.

Would anyone know if this is related?

Thanks.
Doug