* Problems with Core 70 and OpenVPN N2N
From: Erik K. @ 2013-07-11 18:33 UTC (permalink / raw)
To: development
Hi all,
I tried Core 70 and OpenVPN N2N today and had problems establishing the connection.
The infrastructure:
IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
So both sides are behind double NAT. The log messages give me the following:
Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
I have never seen this message (the one in the middle) before...
So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I then changed it to the remote IP (in versions before Core 70 this was not necessary) and got the following log output:
Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up; the outgoing firewall was in mode 0.
Does someone have an idea what's causing this problem?
Greetings
Erik
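A small triage script for the three kinds of OpenVPN line quoted above, added here as an example and not code from IPFire or from the poster. The message wording is OpenVPN's own; the diagnoses attached to each pattern are the editor's reading of them (a "client->client or server->server" TLS error means both ends presented the same TLS role, which also happens when "remote" points at the host's own address; a "--ping-restart" timeout means nothing arrived from the peer within the restart window). The sample lines are constructed after the ones in the post, and the list of local addresses (here the red0 IP) is an assumed input.

```python
"""Triage OpenVPN net-to-net log lines of the kind quoted in this thread.

Added example, not IPFire code. LOCAL_ADDRESSES is an assumed input: the
addresses the IPFire box itself owns (e.g. its red0 IP), so that a
"remote" pointing back at the box can be spotted.
"""
import re
from ipaddress import ip_address

# Constructed sample, modelled on the lines in the first message. The
# public peer address is a placeholder, not the poster's real one.
SAMPLE_LOG = """\
Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
Jul 11 20:22:49 ipfire Testn2n[6875]: UDPv4 link remote: 198.51.100.7:5329
Jul 11 20:23:50 ipfire Testn2n[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
"""

# syslog prefix: "Mon DD HH:MM:SS host instance[pid]: message"
# ("\[\[?" tolerates the doubled bracket seen in the pasted lines)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<inst>\S+?)\[\[?(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PEER_RE = re.compile(r"UDPv4 link remote: (?P<ip>[\d.]+):(?P<port>\d+)")

SEVERITY = {"info": 0, "notice": 1, "error": 2}


def triage(log_text, local_addresses):
    """Return (pid, severity, diagnosis) tuples, one per recognised line."""
    local = {ip_address(a) for a in local_addresses}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an OpenVPN syslog line in the expected shape
        pid, msg = int(m["pid"]), m["msg"]
        peer = PEER_RE.search(msg)
        if peer:
            addr = ip_address(peer["ip"])
            if addr in local:
                findings.append((pid, "error",
                    f"remote {addr} is one of this host's own addresses: "
                    "the instance is connecting to itself"))
            else:
                findings.append((pid, "info", f"peer set to {addr}:{peer['port']}"))
        elif "client->client or server->server connection attempted" in msg:
            findings.append((pid, "error",
                "both ends presented the same TLS role; exactly one side must be "
                "the TLS server, and 'remote' must not be this host itself"))
        elif "Inactivity timeout (--ping-restart)" in msg:
            findings.append((pid, "error",
                "nothing received from the peer within the ping-restart window: "
                "the UDP port is not reaching the peer (NAT, port forward, filter) "
                "or the peer never answers"))
        elif "Interrupted system call" in msg:
            findings.append((pid, "notice",
                "EINTR from event_wait, normally caused by a signal such as the "
                "restart; not a fault by itself"))
        elif msg.startswith("Expected Remote Options hash"):
            findings.append((pid, "info",
                "options hash the peer must match (informational)"))
    return findings


def worst(findings):
    """Highest severity present, or None for an empty result."""
    if not findings:
        return None
    return max((f[1] for f in findings), key=SEVERITY.get)


if __name__ == "__main__":
    for pid, sev, text in triage(SAMPLE_LOG, ["192.168.20.2"]):
        print(f"[{pid}] {sev:6} {text}")
```

Run against the constructed sample with 192.168.20.2 as a local address, the first "link remote" line is flagged as the box talking to itself, which is the same fault the following TLS error reports; after the remote is corrected only the ping-restart timeout remains, pointing at the path rather than the configuration.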
* Re: Problems with Core 70 and OpenVPN N2N
From: Michael Tremer @ 2013-07-11 22:06 UTC (permalink / raw)
To: development
Could you provide the iptables ruleset that is loaded?
This should not be caused by the latest NAT changes in core update 70.
But that's just a wild guess.
-Michael
* Re: Problems with Core 70 and OpenVPN N2N
From: Erik K. @ 2013-07-12 9:04 UTC (permalink / raw)
To: development
Hi Michael,
here are the ovpn chains:
Chain OVPNFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OVPNINPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:carrius-rshell
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:5329
Chain OVPN_BLUE_FORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain OVPN_BLUE_INPUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:carrius-rshell
ACCEPT all -- anywhere anywhere
and the rest of iptables -L:
Chain INPUT (policy DROP)
target prot opt source destination
BADTCP all -- anywhere anywhere
CUSTOMINPUT all -- anywhere anywhere
GUARDIAN all -- anywhere anywhere
IPTVINPUT all -- anywhere anywhere
GUIINPUT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
IPSECINPUT all -- anywhere anywhere
OPENSSLVIRTUAL all -- anywhere anywhere /* OPENSSLVIRTUAL INPUT */
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT !icmp -- anywhere anywhere state NEW
DHCPBLUEINPUT all -- anywhere anywhere
OVPNINPUT all -- anywhere anywhere
OVPN_BLUE_INPUT all -- anywhere anywhere
OPENSSLPHYSICAL all -- anywhere anywhere
WIRELESSINPUT all -- anywhere anywhere state NEW
REDINPUT all -- anywhere anywhere
XTACCESS all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP all -- anywhere anywhere /* DROP_INPUT */
Chain FORWARD (policy DROP)
target prot opt source destination
BADTCP all -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
GUARDIAN all -- anywhere anywhere
CUSTOMFORWARD all -- anywhere anywhere
IPTVFORWARD all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
IPSECFORWARD all -- anywhere anywhere
OPENSSLVIRTUAL all -- anywhere anywhere /* OPENSSLVIRTUAL FORWARD */
OUTGOINGFWMAC all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW
DROP all -- 127.0.0.0/8 anywhere state NEW
OVPNFORWARD all -- anywhere anywhere
OVPN_BLUE_FORWARD all -- anywhere anywhere
DROP all -- anywhere 127.0.0.0/8 state NEW
ACCEPT all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state NEW
WIRELESSFORWARD all -- anywhere anywhere state NEW
REDFORWARD all -- anywhere anywhere
DMZHOLES all -- anywhere anywhere state NEW
PORTFWACCESS all -- anywhere anywhere state NEW
UPNPFW all -- anywhere anywhere state NEW
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
DROP all -- anywhere anywhere /* DROP_OUTPUT */
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
CUSTOMOUTPUT all -- anywhere anywhere
OUTGOINGFW all -- anywhere anywhere
IPSECOUTPUT all -- anywhere anywhere
Chain BADTCP (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN tcp -- anywhere anywhere tcpflags: SYN,RST/SYN,RST
PSCAN tcp -- anywhere anywhere tcpflags: FIN,SYN/FIN,SYN
NEWNOTSYN tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
Chain CUSTOMFORWARD (1 references)
target prot opt source destination
ACCEPT udp -- 10.75.18.0/24 192.168.110.1 udp dpt:openvpn
Chain CUSTOMINPUT (1 references)
target prot opt source destination
ACCEPT tcp -- 192.168.75.2 ipfire-bbach.local tcp dpt:snpp
ACCEPT tcp -- 192.168.110.3 ipfire-bbach.local tcp dpt:snpp
ACCEPT tcp -- 10.1.2.2 ipfire-bbach.local tcp dpt:snpp
ACCEPT tcp -- 192.168.75.2 ipfire-bbach.local tcp dpt:snpp
REJECT tcp -- anywhere ipfire-bbach.local tcp dpt:snpp reject-with icmp-port-unreachable
ACCEPT udp -- 10.75.18.0/24 192.168.110.1 udp dpt:openvpn
DROP all -- anywhere 192.168.220.255
DROP all -- anywhere all-systems.mcast.net
DROP all -- anywhere 192.168.2.255
Chain CUSTOMOUTPUT (1 references)
target prot opt source destination
Chain DHCPBLUEINPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
Chain DMZHOLES (2 references)
target prot opt source destination
Chain GUARDIAN (2 references)
target prot opt source destination
Chain GUIINPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain IPSECFORWARD (1 references)
target prot opt source destination
Chain IPSECINPUT (1 references)
target prot opt source destination
Chain IPSECOUTPUT (1 references)
target prot opt source destination
Chain IPTVFORWARD (1 references)
target prot opt source destination
Chain IPTVINPUT (1 references)
target prot opt source destination
Chain LOG_DROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
DROP all -- anywhere anywhere
Chain LOG_REJECT (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain NEWNOTSYN (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
DROP all -- anywhere anywhere /* DROP_NEWNOTSYN */
Chain OPENSSLPHYSICAL (1 references)
target prot opt source destination
Chain OPENSSLVIRTUAL (2 references)
target prot opt source destination
Chain OUTGOINGFW (1 references)
target prot opt source destination
Chain OUTGOINGFWMAC (1 references)
target prot opt source destination
Chain PORTFWACCESS (1 references)
target prot opt source destination
Chain PSCAN (5 references)
target prot opt source destination
LOG tcp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
LOG udp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
LOG icmp -- anywhere anywhere limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
LOG all -f anywhere anywhere limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
DROP all -- anywhere anywhere /* DROP_PScan */
Chain REDFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain REDINPUT (1 references)
target prot opt source destination
Chain UPNPFW (1 references)
target prot opt source destination
Chain WIRELESSFORWARD (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
DMZHOLES all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
LOG all -- anywhere anywhere LOG level warning prefix "DROP_Wirelessforward"
DROP all -- anywhere anywhere /* DROP_Wirelessforward */
Chain WIRELESSINPUT (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere MAC 00:17:F2:CD:C9:8B
LOG all -- anywhere anywhere LOG level warning prefix "DROP_Wirelessinput"
DROP all -- anywhere anywhere /* DROP_Wirelessinput */
Chain XTACCESS (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 192.168.2.2 tcp dpt:ident
Erik
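The question Michael is answering from the listing above is "which rule decides the fate of a UDP packet to port 5329 on INPUT?". The following script, added here as an example and not IPFire code or the poster's, parses the text format that iptables -L prints and follows jumps into user chains the way the kernel would, so the trace shows the deciding rule. The excerpt it runs on is constructed from the INPUT and OVPNINPUT chains in the post, leaving out the rules whose real match is an interface: plain iptables -L hides -i/-o matches and resolves port and host names, so iptables -L -v -n is the listing to walk before trusting a result like this on a live ruleset. Service names are resolved through a small table that is an assumption (only openvpn=1194 is filled in).

```python
"""Walk an `iptables -L` listing to find the rule that decides a packet.

Added example, not IPFire code. Evaluates only what the listing shows:
protocol, source/destination, dpt:, state, and jumps to user chains.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt after the INPUT and OVPNINPUT chains in the thread.
# Interface-bound rules (invisible in -L output) are left out on purpose.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  127.0.0.0/8          anywhere             state NEW
OVPNINPUT  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere             anywhere             /* DROP_INPUT */

Chain OVPNINPUT (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5329
"""

SERVICES = {"openvpn": 1194}  # assumed /etc/services names that -L substitutes
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")
RULE_RE = re.compile(
    r"^(?P<target>\S+)\s+(?P<proto>\S+)\s+(?P<opt>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*(?P<extra>.*)$"
)


def parse_listing(text):
    """Return ({chain: [rule dicts]}, {chain: policy or None})."""
    chains, policies, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current], policies[current] = [], m.group(2)
            continue
        if current is None or line.startswith("target"):
            continue  # column header
        r = RULE_RE.match(line)
        if r:
            chains[current].append(r.groupdict())
    return chains, policies


def _addr_matches(spec, addr):
    if spec == "anywhere":
        return True
    try:
        return ip_address(addr) in ip_network(spec, strict=False)
    except ValueError:
        return False  # resolved hostname (-L without -n): cannot evaluate, treat as no match


def rule_matches(rule, pkt):
    proto = rule["proto"]
    if proto.startswith("!"):
        if pkt["proto"] == proto[1:]:
            return False
    elif proto not in ("all", pkt["proto"]):
        return False
    if not _addr_matches(rule["src"], pkt["src"]) or not _addr_matches(rule["dst"], pkt["dst"]):
        return False
    m = re.search(r"dpt:(\S+)", rule["extra"])
    if m:
        want = m.group(1)
        port = int(want) if want.isdigit() else SERVICES.get(want)  # unknown name never matches
        if port != pkt["dport"]:
            return False
    m = re.search(r"state (\S+)", rule["extra"])
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    return True


def walk(chains, policies, chain, pkt, trace=None, depth=0):
    """Return (verdict, trace); verdict None means the chain fell through."""
    trace = [] if trace is None else trace
    if depth > 16:
        raise RecursionError("chain nesting too deep (cyclic jump?)")
    for idx, rule in enumerate(chains.get(chain, []), 1):
        if not rule_matches(rule, pkt):
            continue
        target = rule["target"]
        trace.append(f"{chain}#{idx} {target}")
        if target in TERMINAL:
            return target, trace
        if target == "RETURN":
            return None, trace
        if target in chains:  # jump into a user chain
            verdict, trace = walk(chains, policies, target, pkt, trace, depth + 1)
            if verdict is not None:
                return verdict, trace
        # LOG, TCPMSS and other non-terminal targets: keep going
    policy = policies.get(chain)
    if policy:  # built-in chain: its policy decides
        trace.append(f"{chain} policy {policy}")
        return policy, trace
    return None, trace


def decide(listing, proto, dport, state="NEW", src="203.0.113.10", dst="198.51.100.5"):
    chains, policies = parse_listing(listing)
    return walk(chains, policies, "INPUT", {"proto": proto, "dport": dport,
                                             "state": state, "src": src, "dst": dst})


if __name__ == "__main__":
    print(decide(SAMPLE_LISTING, "udp", 5329))  # ('ACCEPT', ['INPUT#3 OVPNINPUT', 'OVPNINPUT#2 ACCEPT'])
```

For a new UDP packet to 5329 the trace ends in OVPNINPUT's explicit rule, which is the basis for "Firewall rules are fine"; a neighbouring port falls back through the LOG rule to the final DROP, which is what a "DROP_INPUT" line in the firewall log would correspond to.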
* Re: Problems with Core 70 and OpenVPN N2N
From: Michael Tremer @ 2013-07-12 11:24 UTC (permalink / raw)
To: development
See? Firewall rules are fine.