I have my firewall objects setup
cidr subnets setup
home - 172.16.0.0/24
work - 192.168.0.0/24
Zone are setup
home - enp5s4 - 172.16.0.231/31
work - enp64s0 - 192.168.0.0/24
Again the VPN is up but the firewall logs show it's blocking any traffic to the VPN. I cannot even ping from NethServer through the tunnel. Again, when I try to allow the traffic via the firewall rules I get the error
ERROR: Unknown source zone (ovpn) /etc/shorewall/rules (line 91)
The rules error 91
?COMMENT RULE#10
{source:ovpn,ivpn, dest:any, time:-, action:NFQBY:none}
The only thing I have not done is set up a bond or bridge… Maybe that's the problem? I'm not sure. Any help on fixing this issue is great.
What would you like to know? OpenVPN will not work for this VPN. This is designed around being a site-to-site VPN to a corp firewall. Big picture, it will replace the existing corp firewall. But first I need to make sure NethServer can handle having site-to-site VPNs running using IPsec tunnels.
So today I blanked it out and started over – no errors this time, BUT no matter how much I open up the firewall I cannot get to the VPN tunnel. The firewall blocks everything that is sent to and from the VPN tunnel. Yeah, I give NethServer an A plus for a home firewall, but a far cry from a corporate firewall. No excuse: if the firewall is wide open, everything should pass through. I've even gone as far as to reach out to your sales team to purchase and maybe get a phone call. Got nothing but canned responses and zero help even when I was willing to pay. Anyway, hats off to the dev team for the effort. Strongly suggest only including what you all can truly support.
Whoa… What a whine after 48 hours of waiting… and during the weekend.
Anyway…
I'm using IPsec between NethServer and a NetGear ADSL router, without… any issue.
IpsecTunnel setting
And these are the Trusted networks created automatically by the modifications I made on the NethServer configuration.
I highlighted the one created by this tunnel.
No other rules are created on firewall section for using IPSec tunnel.
Have you something similar in your setup?
Also: on the remote side of your VPN connection, is the remote subnet you are using allowed/known?
Sorry all — I was just really frustrated in my last post.
So this is what I see in my logs when trying to ping across the ipsec tunnel:
Jun 24 11:21:37 hd kernel: Shorewall:INPUT:REJECT:IN=enp5s4 OUT= MAC=00:0e:0c:5a:e1:88:10:13:31:44:02:93:08:00 SRC=192.168.0.38 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7
Jun 24 11:21:37 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.38 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41020 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.0.38 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7 ]
So I can confirm the tunnel is up, but for whatever reason I cannot access anything from one end of the tunnel or the other. I suspect the shorewall firewall is blocking it based on the log at the top of the post.
Also I noted the networks 192.168.0.0/24 & 172.16.0.0/31 — do they have to match like this: 192.168.0.0/24 & 172.16.0.0/24? Would this solve the problem?
I did switch it over to /24 and shorewall continues to block all traffic from the ipsec tunnel.
172.16 etc is my local network
192.168 is a network in my office 52 miles away.
Another thought I had is - I'm not running bridged mode on my ISP modem. But the logs keep showing it's shorewall blocking the traffic.
On the router @ 192.168 – ran a trace and again the packets are being blocked by shorewall. The tunnel is up but shorewall will not let any data through.
Shorewall firewall log showing it's blocking the data.
Jun 24 23:44:51 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=28825 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=1
Jun 24 23:44:52 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29495 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=2
Jun 24 23:44:53 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30414 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=3
Jun 24 23:44:54 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30768 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=4
Jun 24 23:45:29 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=28416 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=1
Jun 24 23:45:30 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29284 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=2
Jun 24 23:45:31 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29612 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=3
Jun 24 23:45:32 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=29710 DF PROTO=ICMP TYPE=8 CODE=0 ID=3591 SEQ=4
Jun 24 23:45:36 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32207 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=1
Jun 24 23:45:37 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32294 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=2
Jun 24 23:45:38 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=32701 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=3
Jun 24 23:45:39 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=33682 DF PROTO=ICMP TYPE=8 CODE=0 ID=3598 SEQ=4
Jun 24 23:45:52 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=38080 PROTO=ICMP TYPE=8 CODE=0 ID=3617 SEQ=1
Jun 24 23:46:05 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=1 ID=15354 PROTO=ICMP TYPE=8 CODE=0 ID=3634 SEQ=1
Because my office location uses 192.168 & 10.10 … I switched my home network over to 172.16 so my existing turnkeyopenvpn server could connect & I wouldn't have any problems accessing files etc. Once I have the IPsec tunnel up my plan is to turn off the turnkeyopenvpn server. Make sense?
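An added example, not from this thread or from the NethServer or Shorewall projects: a small Python parser for the Shorewall kernel log lines quoted above. It separates the firewall's own ICMP "destination unreachable" replies (the OUTPUT entries with TYPE=3 that carry the rejected packet in brackets) from the flows actually being rejected, and summarises which chain and interface is doing the rejecting, which is what you need to know before touching zone policies. The sample lines are constructed from the entries in the post.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Shorewall entries quoted in the post above.
SAMPLE_LOG = """\
Jun 24 11:21:37 hd kernel: Shorewall:INPUT:REJECT:IN=enp5s4 OUT= MAC=00:0e:0c:5a:e1:88:10:13:31:44:02:93:08:00 SRC=192.168.0.38 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7
Jun 24 11:21:37 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.38 LEN=88 TOS=0x00 PREC=0xC0 TTL=64 ID=41020 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.0.38 DST=172.16.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=8778 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7 ]
Jun 24 23:44:51 hd kernel: Shorewall:OUTPUT:REJECT:IN= OUT=enp5s4 SRC=172.16.0.3 DST=192.168.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=28825 DF PROTO=ICMP TYPE=8 CODE=0 ID=3541 SEQ=1
Jun 24 23:45:29 hd sshd[1234]: unrelated line that must be ignored
"""
# Shorewall log prefix: Shorewall:<chain>:<disposition>: followed by netfilter fields.
HEADER = re.compile(r"Shorewall:(?P<chain>[\w-]+):(?P<disp>\w+):(?P<rest>.*)$")

def _fields(text):
    """Turn 'K=V K=V DF ...' into a dict; bare flags such as DF map to True.
    The IP header ID= precedes the ICMP ID=, so the first occurrence wins."""
    out = {}
    for tok in text.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            out.setdefault(k, v)
        else:
            out[tok] = True
    return out

def parse_line(line):
    """Parse one kernel log line; return None for lines that are not Shorewall's."""
    m = HEADER.search(line)
    if not m:
        return None
    rest, inner = m.group("rest"), None
    if "[" in rest:                      # ICMP error quoting the original packet
        rest, payload = rest.split("[", 1)
        inner = _fields(payload.rstrip(" ]"))
    rec = {"chain": m.group("chain"), "disp": m.group("disp"), "inner": inner}
    rec.update(_fields(rest))
    return rec

def is_reject_reply(rec):
    """ICMP type 3 (destination unreachable) carrying the rejected packet is the
    firewall's own answer to a REJECT, not a new flow being blocked."""
    return rec.get("PROTO") == "ICMP" and rec.get("TYPE") == "3" and rec["inner"] is not None

def summarize(log_text):
    """Count blocked flows by (chain, interface, src, dst), counting each flow once."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["disp"] not in ("REJECT", "DROP") or is_reject_reply(rec):
            continue
        iface = rec.get("IN") or rec.get("OUT")   # whichever side is non-empty
        counts[(rec["chain"], iface, rec["SRC"], rec["DST"])] += 1
    return counts
```

Running `summarize` over the real /var/log/messages output tells you at a glance whether the rejects come from INPUT (traffic to the NethServer itself) or OUTPUT (the server's own replies), and on which interface, so the fix can target the right zone instead of opening everything.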
Hello!
Well good news it seems to be working but one issue still remains. Wondering what I need to do to resolve this part…
I think I finally got it-- So I was looking at your settings above and noticed your red zone is 172.20 … which is nowhere close to your green, which is 172.30 …
Mine is 172.16 for both my red and my green… which may explain why the IPsec tunnel only works from one side and not the other. Anyway, I will give this new setting a try and let you know what happens.
Thanks again for all your help, I do appreciate it.