From: "Erik K."
To: development@lists.ipfire.org
Subject: Re: Problems with Core 70 and OpenVPN N2N
Date: Fri, 12 Jul 2013 11:04:08 +0200
In-Reply-To: <1373580399.10320.44.camel@hughes.tremer.info>

Hi Michael,

here are the ovpn chains:

Chain OVPNFORWARD (1 references)
target      prot opt source          destination
ACCEPT      all  --  anywhere        anywhere

Chain OVPNINPUT (1 references)
target      prot opt source          destination
ACCEPT      udp  --  anywhere        anywhere        udp dpt:carrius-rshell
ACCEPT      all  --  anywhere        anywhere
ACCEPT      udp  --  anywhere        anywhere        udp dpt:5329

Chain OVPN_BLUE_FORWARD (1 references)
target      prot opt source          destination
ACCEPT      all  --  anywhere        anywhere

Chain OVPN_BLUE_INPUT (1 references)
target      prot opt source          destination
ACCEPT      udp  --  anywhere        anywhere        udp dpt:carrius-rshell
ACCEPT      all  --  anywhere        anywhere

and the rest of iptables -L:

Chain INPUT (policy DROP)
target           prot  opt source          destination
BADTCP           all   --  anywhere        anywhere
CUSTOMINPUT      all   --  anywhere        anywhere
GUARDIAN         all   --  anywhere        anywhere
IPTVINPUT        all   --  anywhere        anywhere
GUIINPUT         all   --  anywhere        anywhere
ACCEPT           all   --  anywhere        anywhere        state RELATED,ESTABLISHED
IPSECINPUT       all   --  anywhere        anywhere
OPENSSLVIRTUAL   all   --  anywhere        anywhere        /* OPENSSLVIRTUAL INPUT */
ACCEPT           all   --  anywhere        anywhere        state NEW
DROP             all   --  127.0.0.0/8     anywhere        state NEW
DROP             all   --  anywhere        127.0.0.0/8     state NEW
ACCEPT           !icmp --  anywhere        anywhere        state NEW
DHCPBLUEINPUT    all   --  anywhere        anywhere
OVPNINPUT        all   --  anywhere        anywhere
OVPN_BLUE_INPUT  all   --  anywhere        anywhere
OPENSSLPHYSICAL  all   --  anywhere        anywhere
WIRELESSINPUT    all   --  anywhere        anywhere        state NEW
REDINPUT         all   --  anywhere        anywhere
XTACCESS         all   --  anywhere        anywhere        state NEW
LOG              all   --  anywhere        anywhere        limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP             all   --  anywhere        anywhere        /* DROP_INPUT */

Chain FORWARD (policy DROP)
target             prot opt source          destination
BADTCP             all  --  anywhere        anywhere
TCPMSS             tcp  --  anywhere        anywhere        tcpflags: SYN,RST/SYN TCPMSS clamp to PMTU
GUARDIAN           all  --  anywhere        anywhere
CUSTOMFORWARD      all  --  anywhere        anywhere
IPTVFORWARD        all  --  anywhere        anywhere
ACCEPT             all  --  anywhere        anywhere        state RELATED,ESTABLISHED
IPSECFORWARD       all  --  anywhere        anywhere
OPENSSLVIRTUAL     all  --  anywhere        anywhere        /* OPENSSLVIRTUAL FORWARD */
OUTGOINGFWMAC      all  --  anywhere        anywhere
ACCEPT             all  --  anywhere        anywhere        state NEW
DROP               all  --  127.0.0.0/8     anywhere        state NEW
OVPNFORWARD        all  --  anywhere        anywhere
OVPN_BLUE_FORWARD  all  --  anywhere        anywhere
DROP               all  --  anywhere        127.0.0.0/8     state NEW
ACCEPT             all  --  anywhere        anywhere        state NEW
ACCEPT             all  --  anywhere        anywhere        state NEW
WIRELESSFORWARD    all  --  anywhere        anywhere        state NEW
REDFORWARD         all  --  anywhere        anywhere
DMZHOLES           all  --  anywhere        anywhere        state NEW
PORTFWACCESS       all  --  anywhere        anywhere        state NEW
UPNPFW             all  --  anywhere        anywhere        state NEW
LOG                all  --  anywhere        anywhere        limit: avg 10/min burst 5 LOG level warning prefix "DROP_OUTPUT "
DROP               all  --  anywhere        anywhere        /* DROP_OUTPUT */

Chain OUTPUT (policy ACCEPT)
target        prot opt source          destination
CUSTOMOUTPUT  all  --  anywhere        anywhere
OUTGOINGFW    all  --  anywhere        anywhere
IPSECOUTPUT   all  --  anywhere        anywhere

Chain BADTCP (2 references)
target     prot opt source          destination
RETURN     all  --  anywhere        anywhere
PSCAN      tcp  --  anywhere        anywhere        tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
PSCAN      tcp  --  anywhere        anywhere        tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
PSCAN      tcp  --  anywhere        anywhere        tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN
PSCAN      tcp  --  anywhere        anywhere        tcpflags: SYN,RST/SYN,RST
PSCAN      tcp  --  anywhere        anywhere        tcpflags: FIN,SYN/FIN,SYN
NEWNOTSYN  tcp  --  anywhere        anywhere        tcpflags:! FIN,SYN,RST,ACK/SYN state NEW

Chain CUSTOMFORWARD (1 references)
target     prot opt source          destination
ACCEPT     udp  --  10.75.18.0/24   192.168.110.1   udp dpt:openvpn

Chain CUSTOMINPUT (1 references)
target     prot opt source          destination
ACCEPT     tcp  --  192.168.75.2    ipfire-bbach.local   tcp dpt:snpp
ACCEPT     tcp  --  192.168.110.3   ipfire-bbach.local   tcp dpt:snpp
ACCEPT     tcp  --  10.1.2.2        ipfire-bbach.local   tcp dpt:snpp
ACCEPT     tcp  --  192.168.75.2    ipfire-bbach.local   tcp dpt:snpp
REJECT     tcp  --  anywhere        ipfire-bbach.local   tcp dpt:snpp reject-with icmp-port-unreachable
ACCEPT     udp  --  10.75.18.0/24   192.168.110.1        udp dpt:openvpn
DROP       all  --  anywhere        192.168.220.255
DROP       all  --  anywhere        all-systems.mcast.net
DROP       all  --  anywhere        192.168.2.255

Chain CUSTOMOUTPUT (1 references)
target     prot opt source          destination

Chain DHCPBLUEINPUT (1 references)
target     prot opt source          destination
ACCEPT     tcp  --  anywhere        anywhere        tcp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere        anywhere        udp spt:bootpc dpt:bootps

Chain DMZHOLES (2 references)
target     prot opt source          destination

Chain GUARDIAN (2 references)
target     prot opt source          destination

Chain GUIINPUT (1 references)
target     prot opt source          destination
ACCEPT     icmp --  anywhere        anywhere        icmp echo-request

Chain IPSECFORWARD (1 references)
target     prot opt source          destination

Chain IPSECINPUT (1 references)
target     prot opt source          destination

Chain IPSECOUTPUT (1 references)
target     prot opt source          destination

Chain IPTVFORWARD (1 references)
target     prot opt source          destination

Chain IPTVINPUT (1 references)
target     prot opt source          destination

Chain LOG_DROP (0 references)
target     prot opt source          destination
LOG        all  --  anywhere        anywhere        limit: avg 10/min burst 5 LOG level warning
DROP       all  --  anywhere        anywhere

Chain LOG_REJECT (0 references)
target     prot opt source          destination
LOG        all  --  anywhere        anywhere        limit: avg 10/min burst 5 LOG level warning
REJECT     all  --  anywhere        anywhere        reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
target     prot opt source          destination
LOG        all  --  anywhere        anywhere        limit: avg 10/min burst 5 LOG level warning prefix "DROP_NEWNOTSYN "
DROP       all  --  anywhere        anywhere        /* DROP_NEWNOTSYN */

Chain OPENSSLPHYSICAL (1 references)
target     prot opt source          destination

Chain OPENSSLVIRTUAL (2 references)
target     prot opt source          destination

Chain OUTGOINGFW (1 references)
target     prot opt source          destination

Chain OUTGOINGFWMAC (1 references)
target     prot opt source          destination

Chain PORTFWACCESS (1 references)
target     prot opt source          destination

Chain PSCAN (5 references)
target     prot opt source          destination
LOG        tcp  --  anywhere        anywhere        limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG level warning prefix "DROP_TCP Scan "
LOG        udp  --  anywhere        anywhere        limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG level warning prefix "DROP_UDP Scan "
LOG        icmp --  anywhere        anywhere        limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG level warning prefix "DROP_ICMP Scan "
LOG        all  -f  anywhere        anywhere        limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG level warning prefix "DROP_FRAG Scan "
DROP       all  --  anywhere        anywhere        /* DROP_PScan */

Chain REDFORWARD (1 references)
target     prot opt source          destination
ACCEPT     all  --  anywhere        anywhere

Chain REDINPUT (1 references)
target     prot opt source          destination

Chain UPNPFW (1 references)
target     prot opt source          destination

Chain WIRELESSFORWARD (1 references)
target     prot opt source          destination
ACCEPT     all  --  anywhere        anywhere        MAC 00:17:F2:CD:C9:8B
DMZHOLES   all  --  anywhere        anywhere        MAC 00:17:F2:CD:C9:8B
LOG        all  --  anywhere        anywhere        LOG level warning prefix "DROP_Wirelessforward"
DROP       all  --  anywhere        anywhere        /* DROP_Wirelessforward */

Chain WIRELESSINPUT (1 references)
target     prot opt source          destination
ACCEPT     all  --  anywhere        anywhere        MAC 00:17:F2:CD:C9:8B
LOG        all  --  anywhere        anywhere        LOG level warning prefix "DROP_Wirelessinput"
DROP       all  --  anywhere        anywhere        /* DROP_Wirelessinput */

Chain XTACCESS (1 references)
target     prot opt source          destination
ACCEPT     tcp  --  anywhere        192.168.2.2     tcp dpt:ident

Erik

On 12.07.2013 at 00:06, Michael Tremer wrote:
> Could you provide the iptables ruleset that is loaded?
>
> This should not be caused by the latest NAT changes in core update 70.
> But that's just a wild guess.
>
> -Michael
>
> On Thu, 2013-07-11 at 20:33 +0200, Erik K. wrote:
>> Hi all,
>> I tried Core 70 and OpenVPN N2N today and had problems establishing the connection.
>>
>> The infrastructure:
>>
>> IPFire (remote) <--> Router <--> [ Internet ] <--> (local) Router <--> (local) IPFire
>>
>> So both sides are behind double NAT. The log messages give me the following back:
>>
>> Jul 11 18:17:35 ipfire Testn2n[13565]: UDPv4 link remote: 192.168.20.2:5329
>> Jul 11 18:19:09 ipfire Testn2n[13808]: TLS Error: client->client or server->server connection attempted from 192.168.20.2:5329
>> Jul 11 18:18:01 ipfire Testn2n[13565]: event_wait : Interrupted system call (code=4)
>>
>> I have never seen this message (the one in the middle) before...
>>
>> So I looked at the configuration file on the TLS client, where the "Remote Host/IP" was set to 192.168.20.2 (the red0 IP). I changed it to the remote IP (in versions before Core 70 this was not necessary) and got the following log output:
>>
>> Jul 11 20:22:49 ipfire Testn2n[6875]: Expected Remote Options hash (VER=V4): '9e986809'
>> Jul 11 20:22:49 ipfire-bbach Testn2n[[6875]: UDPv4 link remote: 172.11.xx.xx:5329
>> Jul 11 20:23:50 ipfire Testn2n[[6875]: [UNDEF] Inactivity timeout (--ping-restart), restarting
>>
>> Looks like a closed firewall. Port forwarding from both upstream routers to IPFire was set up, and the outgoing FW was in mode 0.
>>
>> Maybe someone has an idea what's causing this problem?
>>
>> Greetings
>>
>> Erik
>>
>> _______________________________________________
>> Development mailing list
>> Development(a)lists.ipfire.org
>> http://lists.ipfire.org/mailman/listinfo/development
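As an added example (not code from this thread or from IPFire), the script below parses `iptables -L` output of the kind posted above and traces whether a new inbound UDP datagram to the OpenVPN port 5329 reaches an ACCEPT before the final DROP in INPUT, reporting the chain path it took. The sample is a constructed excerpt of the INPUT and OVPNINPUT chains from the dump; only protocol, destination port and conntrack state are modelled, which is an assumption of the example.

```python
import re

# Constructed excerpt of the `iptables -L` output from the thread: the INPUT
# chain and the OVPNINPUT user chain, reduced to the rules that matter here.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source      destination
ACCEPT     all  --  anywhere    anywhere     state RELATED,ESTABLISHED
OVPNINPUT  all  --  anywhere    anywhere
LOG        all  --  anywhere    anywhere     limit: avg 10/min burst 5 LOG level warning prefix "DROP_INPUT "
DROP       all  --  anywhere    anywhere     /* DROP_INPUT */

Chain OVPNINPUT (1 references)
target     prot opt source      destination
ACCEPT     udp  --  anywhere    anywhere     udp dpt:openvpn
ACCEPT     udp  --  anywhere    anywhere     udp dpt:5329
"""

def parse_chains(text):
    """Map chain name -> (policy or None for user chains, [(target, proto, extra)])."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
        elif line.strip() and not line.startswith("target") and current:
            parts = line.split(None, 5)  # target prot opt source destination [extra]
            chains[current][1].append((parts[0], parts[1], parts[5] if len(parts) > 5 else ""))
    return chains

def trace_udp_port(chains, chain, port):
    """Verdict for a NEW inbound UDP datagram to `port` entering `chain`, with the
    chain path taken. Only protocol, dport and the conntrack state are modelled;
    a None verdict from a user chain means it fell through to its caller."""
    policy, rules = chains[chain]
    for target, proto, extra in rules:
        m = re.search(r"udp dpt:(\S+)", extra)
        if proto not in ("all", "udp") or (m and m.group(1) != str(port)):
            continue
        if "RELATED,ESTABLISHED" in extra:
            continue  # a fresh handshake packet is NEW, so this rule never matches it
        if target in ("ACCEPT", "DROP", "REJECT", "RETURN"):
            return (policy if target == "RETURN" else target), [chain]
        if target in chains:  # jump into a user chain; LOG and the like fall through
            verdict, path = trace_udp_port(chains, target, port)
            if verdict is not None:
                return verdict, [chain] + path
    return policy, [chain]
```

Running `trace_udp_port(parse_chains(SAMPLE), "INPUT", 5329)` against the full dump from a live box tells you whether the firewall is the closed door the log suggests, or whether the problem lies upstream in the NAT path.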