Ipsec Tunnel connected - But the firewall is blocking all traffic to the tunnel

When I tried to allow all traffic from the vpn via the firewall rules I get -
Task completed with errors

Configuring shorewall #30 (exit status 1)
Compiling using Shorewall 5.1.10.2…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Compiling /etc/shorewall/zones…
Compiling /etc/shorewall/interfaces…
Compiling /etc/shorewall/hosts…
Determining Hosts in Zones…
Locating Action Files…
Compiling /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering…
Compiling Kernel Route Filtering…
Compiling Martian Logging…
Compiling /etc/shorewall/snat…
Compiling MAC Filtration – Phase 1…
Compiling /etc/shorewall/rules…
Compiling /etc/shorewall/action.NFQBY for chain NFQBY…
ERROR: Unknown source zone (ovpn) /etc/shorewall/rules (line 91)

The rule at line 91:
?COMMENT RULE#10
{source:ovpn,ivpn, dest:any, time:-, action:NFQBY:none}

I have my firewall objects setup
cidr subnets setup
home - 172.16.0.0/24
work - 192.168.0.0/24

Zone are setup
home - enp5s4 - 172.16.0.231/31
work - enp64s0 - 192.168.0.0/24

Again the VPN is up but the firewall logs show its blocking any traffic to the vpn. Cannot even ping from nethserver through the tunnel. Again when I try to allow the traffic via the firewall rules I get the error
ERROR: Unknown source zone (ovpn) /etc/shorewall/rules (line 91)

The rule at line 91:
?COMMENT RULE#10
{source:ovpn,ivpn, dest:any, time:-, action:NFQBY:none}

The only thing I have not done is set up a bond or bridge… Maybe that's the problem? I'm not sure. Any help on fixing this issue is great.

No you don’t need to create a bridge.

That’s quite strange. You can workaround with this:

yum install nethserver-openvpn

But without more info on what you’ve done in your machine I can’t point out the cause of the problem.

What would you like to know? OpenVPN will not work for this VPN. This is designed around being a site-to-site VPN to a corp firewall. Big picture, it will replace the existing corp firewall. But first I need to make sure NethServer can handle having site-to-site VPNs running using IPsec tunnels.

That’s fine, the package installation was a quick fix to avoid the firewall error.

So today I blanked it out and started over – no errors this time, BUT no matter how much I open up the firewall I cannot get to the VPN tunnel. The firewall blocks everything that is sent to and from the VPN tunnel. Yeah, I give NethServer an A plus for a home firewall, but it's a far cry from a corporate firewall. No excuse: if the firewall is wide open, everything should pass through. I've even gone as far as reaching out to your sales team to purchase and maybe get a phone call. Got nothing but canned responses and zero help even when I was willing to pay. Anyway, hats off to the dev team for the effort. I strongly suggest you only include what you all can truly support.

Whoa… What a whine after 48 hours of waiting… and during the weekend.
Anyway…
I'm using IPsec between NethServer and a NetGear ADSL router, without… any issue.
IpsecTunnel setting (screenshot)
And these are the Trusted networks created automatically by the modifications I made on the NethServer configuration.
I highlighted the one created by this tunnel.


No other rules are created on firewall section for using IPSec tunnel.
Have you something similar in your setup?
Also: on the remote side of your VPN connection, is the subnet you are using allowed/known?


Mixed subnet masks?


Sorry all — I was just really frustrated on my last post.

So this is what I see in my logs when trying to ping across the ipsec tunnel:
Jun 24 11:21:37 hd kernel: Shorewall:INPUT:REJECT:IN=enp5s4 OUT= MAC=00:0e:0c:5a:e1:88:10:13:31:44:02:93:08:00 SRC=192.168.0.38 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7
Jun 24 11:21:37 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.38 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41020 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.0.38 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7 ]

Here are my settings-

When looking at /etc/shorewall/rules – what concerns me is

90dns_blue

?COMMENT reject ipsec-tunnel: bwl
REJECT loc:172.16.0.0/31 net:192.168.0.0/24
?COMMENT

So I can confirm the tunnel is up, but for whatever reason I cannot access anything from one end of the tunnel or the other. I suspect the Shorewall firewall is blocking it based on the log at the top of this post.

Also I noted in the network 192.168.0.0/24 & 172.16.0.0/31 — Do they have to match like this 192.168.0.0/24 & 172.16.0.0/24 ? Would this solve the problem ?

This is my routing table.

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         gateway         0.0.0.0         UG    0      0        0 enp2s0
link-local      0.0.0.0         255.255.0.0     U     1002   0        0 enp2s0
link-local      0.0.0.0         255.255.0.0     U     1003   0        0 enp3s0
link-local      0.0.0.0         255.255.0.0     U     1004   0        0 enp4s5
link-local      0.0.0.0         255.255.0.0     U     1005   0        0 enp4s5.1
172.20.1.0      0.0.0.0         255.255.255.0   U     0      0        0 enp2s0
172.31.3.0      0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
172.31.4.240    172.31.4.242    255.255.255.240 UG    0      0        0 tunrw
172.31.4.242    0.0.0.0         255.255.255.255 UH    0      0        0 tunrw
172.31.110.0    0.0.0.0         255.255.255.0   U     0      0        0 enp2s0
172.31.253.0    0.0.0.0         255.255.255.248 U     0      0        0 enp4s5.1
172.31.254.0    0.0.0.0         255.255.255.0   U     0      0        0 enp4s5

Would you please post yours?
A bug on the interface has been found on OpenVPN subnetting validation

Give it a try using a /24 subnet; it will help us find another bug on IPsec.

Is one of the subnets used in another network segment on one of two sites?
Also… Zones?
I did not add any zone on my firewall interface.


This is my route – the gateway is 172.16.0.1

I did switch it over to /24 and shorewall continues to block all traffic from the ipsec tunnel.

172.16 etc is my local network
192.168 is a network in my office 52 miles away.

Another thought I had is: I'm not running bridged mode on my ISP modem. But the logs keep showing it's Shorewall blocking the traffic.

On the router @ 192.168 – Ran a trace and again the packets are being blocked by shorewall. The tunnel is up but shorewall will not let any data through.

Shorewall firewall log showing it's blocking the data:
Jun 24 23:44:51 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=28825 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=1
Jun 24 23:44:52 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29495 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=2
Jun 24 23:44:53 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30414 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=3
Jun 24 23:44:54 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30768 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=4
Jun 24 23:45:29 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=28416 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=1
Jun 24 23:45:30 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29284 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=2
Jun 24 23:45:31 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29612 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=3
Jun 24 23:45:32 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29710 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=4
Jun 24 23:45:36 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32207 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=1
Jun 24 23:45:37 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32294 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=2
Jun 24 23:45:38 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32701 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=3
Jun 24 23:45:39 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=33682 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=4
Jun 24 23:45:52 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=38080 PROTO=ICMP TYPE=8 CODE=0 ID=3617 SEQ=1
Jun 24 23:46:05 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=15354 PROTO=ICMP TYPE=8 CODE=0 ID=3634 SEQ=1

Not sure what to do?

You have two interfaces (enp5s4 and enp65s0) on the same subnet… And this should not happen.
My network config.


No interface uses the remote network (172.31.110.0/24).
No interface uses the same subnet (all addresses are masked /24).
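As an added example (not part of this thread or of NethServer/Shorewall), a small Python script that parses Shorewall REJECT lines of the shape quoted above, collapses repeated pings into one row per chain/interface/src/dst, and checks a set of interface addresses for the overlapping-subnet condition this reply points at. The sample log lines and interface addresses are constructed.

```python
import ipaddress
import re
from collections import Counter

# Shorewall kernel log format as quoted in the thread; field order is fixed:
# chain, verdict, IN=, OUT=, ..., SRC=, DST=, ..., PROTO=
LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[A-Za-z0-9_]+):(?P<verdict>[A-Z]+):"
    r"IN=(?P<iif>\S*) OUT=(?P<oif>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\S+)"
)

# Constructed sample: one OUTPUT reject (host pinging the far end) and one INPUT reject.
SAMPLE_LOG = (
    "Jun 24 23:44:51 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 "
    "DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=28825 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=1\n"
    "Jun 24 11:21:37 hd kernel: Shorewall:INPUT:REJECT:IN=enp5s4 OUT= MAC=00:0e:0c:5a:e1:88:10:13:31:44:02:93:08:00 "
    "SRC=192.168.0.38 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7\n"
)

def parse_rejects(text):
    """Return one dict per Shorewall REJECT/DROP line; anything else is ignored."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("verdict") in ("REJECT", "DROP"):
            out.append(m.groupdict())
    return out

def summarize(records):
    """Count hits per (chain, interface, src, dst, proto) so a burst of pings becomes one row."""
    c = Counter()
    for r in records:
        iface = r["oif"] or r["iif"]  # OUTPUT lines carry OUT=, INPUT lines carry IN=
        c[(r["chain"], iface, r["src"], r["dst"], r["proto"])] += 1
    return c

def find_overlaps(ifaces):
    """ifaces: {name: 'addr/prefix'}; return interface pairs whose subnets overlap."""
    nets = {n: ipaddress.ip_interface(a).network for n, a in ifaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def remote_net_collides(ifaces, remote):
    """True if the far-end IPsec subnet is also configured on a local interface."""
    remote_net = ipaddress.ip_network(remote)
    return any(ipaddress.ip_interface(a).network.overlaps(remote_net) for a in ifaces.values())
```

Feed the output of `grep Shorewall /var/log/messages` into `parse_rejects` and the addresses of `ip -br addr` into `find_overlaps`; a non-empty overlap list is the condition described in this reply.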

Ok, so then what I need to do is put enp5s4 172.16 on a subnet like 255.255.254.0 – then keep my enp65s0 on 255.255.255.0. Is this correct?

Also if this is correct can I make these changes from the terminal? Can you tell me what file I need to modify in the terminal?

Yes, you can make changes on the terminal but I don't know how. But before making any changes:
why are enp5s4 and enp65s0 on 172.16.0.0/24?

Because my office location uses 192.168 & 10.10 … I switched my home network over to 172.16 so my existing turnkeyopenvpn server could connect & I wouldn't have any problems accessing files etc. Once I have the IPsec tunnel up my plan is to turn off the turnkeyopenvpn server. Make sense?

I have access to the web interface now – when I make the change to enp5s4 to 255.255.254.0… will my existing workstations etc. need to be rebooted?

Hello!
Well good news it seems to be working but one issue still remains. Wondering what I need to do to resolve this part…

I think I finally got it – so I was looking at your settings above and noticed your red zone is 172.20 … which is nowhere close to your green, which is 172.30 …

Mine is 172.16 for both my red and my green… which may explain why the IPsec tunnel only works from one side and not the other. Anyway, I will give this new setting a try and let you know what happens.

Thanks again for all your help, I do appreciate it.