* vpn problem
From: Peter Marshall @ 2004-11-16 18:29 UTC
To: netfilter
Hello everyone.
I am getting the following in my logs (scrolls faster than I can read) whenever
anyone tries to do windows file transfers over my vpn. The vpn is ipsec
and it is a constant connection between our office and our sister office.
My vpn server is in our dmz between 2 firewalls. The remote vpn server is
installed on their internal firewall. When a client on the remote side goes
to copy a file using windows networking to a server on my side, it works;
however, I get the messages below ... Please help. I am not sure why I am
getting this. It looks like the reply is getting blocked; however, as my
rules show below, I allow established and related connections.
Nov 16 13:59:16 radium kernel: FORWARD REJECT IN=eth1 OUT=eth0 SRC=x.x.x.33
DST=192.168.200.3 LEN=576 TOS=0x00 PREC=0xC0 TTL=63 ID=12528 PROTO=ICMP
TYPE=3 CODE=4 [SRC=192.168.200.3 DST=192.168.127.15 LEN=1500 TOS=0x00
PREC=0x00 TTL=126 ID=19304 DF PROTO=TCP SPT=445 DPT=1915 WINDOW=64968
RES=0x00 ACK URGP=0 ] MTU=1443
$IPT -A FORWARD -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -p UDP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s 192.168.127.0/24 -i eth1 -j vpn-int
$IPT -A vpn-int -d 192.168.200.3 -p tcp --dport 139 -j ACCEPT
$IPT -A vpn-int -d 192.168.200.3 -p tcp --dport 445 -j ACCEPT
$IPT -A vpn-int -d 192.168.200.3 -p udp --dport 138 -j ACCEPT
$IPT -A vpn-int -j LOG --log-prefix " REJECT: vpn-int "
$IPT -A vpn-int -j REJECT
192.168.127.0/24 is the remote network
192.168.200.0/21 is my local network.
x.x.x.33 is the internet IP of my vpn server.
Thanks for the help,
Peter
* Re: vpn problem
From: Jason Opperisano @ 2004-11-16 19:03 UTC
To: netfilter
On Tue, 2004-11-16 at 13:29, Peter Marshall wrote:
> Hello everyone.
>
> I am getting the following in my logs (scrolls faster than I can read) whenever
> anyone tries to do windows file transfers over my vpn. The vpn is ipsec
> and it is a constant connection between our office and our sister office.
> My vpn server is in our dmz between 2 firewalls. The remote vpn server is
> installed on their internal firewall. When a client on the remote side goes
> to copy a file using windows networking to a server on my side, it works;
> however, I get the messages below ... Please help. I am not sure why I am
> getting this. It looks like the reply is getting blocked; however, as my
> rules show below, I allow established and related connections.
>
> Nov 16 13:59:16 radium kernel: FORWARD REJECT IN=eth1 OUT=eth0 SRC=x.x.x.33
> DST=192.168.200.3 LEN=576 TOS=0x00 PREC=0xC0 TTL=63 ID=12528 PROTO=ICMP
> TYPE=3 CODE=4 [SRC=192.168.200.3 DST=192.168.127.15 LEN=1500 TOS=0x00
> PREC=0x00 TTL=126 ID=19304 DF PROTO=TCP SPT=445 DPT=1915 WINDOW=64968
> RES=0x00 ACK URGP=0 ] MTU=1443
From: http://www.iana.org/assignments/icmp-parameters
ICMP Type 3 Code 4 == Fragmentation Needed and Don't Fragment was Set
On the remote VPN server either lower the MTU or MSS of packets destined
for your local VPN, or clear the DF bit. a netfilter example:
iptables -A FORWARD -p tcp --syn -s 192.168.127.0/24 \
-d 192.168.200.0/21 -j TCPMSS --set-mss 1400
i picked 1400, as MSS = MTU - 40, and the MTU listed in your log entry
is 1443.
-j
--
"Lisa, Vampires are make-believe, like elves, gremlins, and Eskimos."
--The Simpsons
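As an added example that is not part of the thread: a small POSIX sh script that takes a netfilter LOG line of the kind Peter posted, confirms it is an ICMP type 3 code 4 error, pulls out the advertised MTU, derives the MSS with the MTU - 40 rule Jason describes, and prints the TCPMSS clamp rule for the thread's two networks. It also prints a rule accepting ICMP marked RELATED by conntrack, because the ESTABLISHED,RELATED rules in Peter's ruleset are restricted to -p TCP and -p UDP, so the ICMP error itself can never match them. The log line is Peter's, embedded as constructed test input; the script only prints the iptables commands, it does not apply them.

```shell
#!/bin/sh
# Added example, not from the thread: parse a netfilter LOG line for an ICMP
# "fragmentation needed" error, derive the MSS from the reported MTU, and print
# the TCPMSS clamp rule plus a rule that lets conntrack pass the ICMP error
# itself as RELATED. Networks are the ones from the thread; the log line is
# Peter's, reproduced here as constructed test input.

LOG_LINE='Nov 16 13:59:16 radium kernel: FORWARD REJECT IN=eth1 OUT=eth0 SRC=x.x.x.33 DST=192.168.200.3 LEN=576 TOS=0x00 PREC=0xC0 TTL=63 ID=12528 PROTO=ICMP TYPE=3 CODE=4 [SRC=192.168.200.3 DST=192.168.127.15 LEN=1500 TOS=0x00 PREC=0x00 TTL=126 ID=19304 DF PROTO=TCP SPT=445 DPT=1915 WINDOW=64968 RES=0x00 ACK URGP=0 ] MTU=1443'

# Return 0 when the line is an ICMP type 3 code 4 (Fragmentation Needed, DF set).
is_frag_needed() {
    case "$1" in
        *"PROTO=ICMP TYPE=3 CODE=4"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the next-hop MTU that the router advertised in the ICMP error.
mtu_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*MTU=\([0-9][0-9]*\).*/\1/p'
}

# Extract the source port of the inner (original) TCP packet, i.e. which
# service on the local side sent the oversized segment.
inner_sport_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*\[.*SPT=\([0-9][0-9]*\).*\].*/\1/p'
}

# MSS = MTU - 40: a 20-byte IPv4 header plus a 20-byte TCP header, no options.
mss_from_mtu() {
    echo $(( $1 - 40 ))
}

# Print the clamp rule for SYNs from the remote network to the local one.
# $1 = source network, $2 = destination network, $3 = MSS to set.
clamp_rule() {
    printf 'iptables -A FORWARD -p tcp --syn -s %s -d %s -j TCPMSS --set-mss %s\n' "$1" "$2" "$3"
}

# Print a rule that forwards ICMP errors conntrack ties to a tracked flow.
# Without it the error falls through to the LOG/REJECT rules seen in the post.
icmp_related_rule() {
    printf 'iptables -A FORWARD -p icmp -m state --state RELATED -j ACCEPT\n'
}

main() {
    if ! is_frag_needed "$LOG_LINE"; then
        echo "not a fragmentation-needed error" >&2
        return 1
    fi
    mtu=$(mtu_from_log "$LOG_LINE")
    mss=$(mss_from_mtu "$mtu")
    echo "inner flow from TCP port $(inner_sport_from_log "$LOG_LINE"); path MTU $mtu, MSS $mss"
    clamp_rule 192.168.127.0/24 192.168.200.0/21 "$mss"
    icmp_related_rule
}

main "$@"
```

For the MTU of 1443 in the log, the arithmetic gives an MSS of 1403; Jason's 1400 is simply a round value a little below that, and either works since the requirement is only that MSS + 40 not exceed the path MTU.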
* RE: vpn problem
From: Seferovic Edvin @ 2005-04-09 15:23 UTC
To: netfilter
Hi,
you are going down the right path, but...
I would set up a VPN gateway ( poptop for example ), and when they connect
they could get a static IP. Based on this static IP it would be easy to
control their access to db, file or some other server or service on your
network. This would be easy to set up if you have not more than 20 users (
IMHO ). This is only an idea and it is probably not the perfect solution ;)
Regards,
Edvin Seferovic
-----Original Message-----
From: netfilter-bounces@lists.netfilter.org
[mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Nagy Zoltan
Sent: Saturday, 09 April 2005 18:20
To: netfilter@lists.netfilter.org
Subject: vpn problem
hi
i'm thinking about how i can set up a vpn on our lan,
and make it possible that not all systems are reachable by the connected vpn
users
something like: user A has access to our data servers only, but user B
can access the database and firewall servers
i'm thinking that if the clients can log in to the vpn gw server i
could use the gid match to put the clients' ip in a recent list,
and i can use the recent lists to mark the packets and filter by that ;)
i'm thinking that i've missed something... and there is a simpler
solution ;)
kirk
* vpn problem
From: Nagy Zoltan @ 2005-04-09 16:19 UTC
To: netfilter
hi
i'm thinking about how i can set up a vpn on our lan,
and make it possible that not all systems are reachable by the connected vpn users
something like: user A has access to our data servers only, but user B can access the database and firewall servers
i'm thinking that if the clients can log in to the vpn gw server i could use the gid match to put the clients' ip in a recent list,
and i can use the recent lists to mark the packets and filter by that ;)
i'm thinking that i've missed something... and there is a simpler solution ;)
kirk
* Re: vpn problem
From: root @ 2005-04-11 10:47 UTC
To: netfilter
On Sat, Apr 09, 2005 at 06:18:39PM +0159, Nagy Zoltan wrote:
> i'm thinking about how i can set up a vpn on our lan,
> and make it possible that not all systems are reachable by the connected vpn
> users
> something like: user A has access to our data servers only, but user B
> can access the database and firewall servers
> i'm thinking that if the clients can log in to the vpn gw server i
> could use the gid match to put the clients' ip in a recent list,
> and i can use the recent lists to mark the packets and filter by that ;)
> i'm thinking that i've missed something... and there is a simpler
> solution ;)
Depends on the vpn technique.
I would just use different openvpn connections with different keys, so
the users cannot use "not their" connections. Then you can easily add
filter rules in the openvpn up-script.
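As an added example that is neither root's nor Edvin's code: an OpenVPN --up script in POSIX sh that does what both replies sketch, tying each VPN user to a fixed tunnel and address, and filtering by that. OpenVPN invokes --up with the arguments tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart], so with one OpenVPN instance and key per user (root's layout) the tunnel device name identifies the user, and the peer address OpenVPN assigned plays the role of Edvin's static IP. The device-to-role table, the server addresses and the 10.8.x.x tunnel addresses below are constructed for the example; the chain layout (LOG then REJECT at the end) follows the vpn-int chain from Peter's post earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN --up script that installs
# per-tunnel filter rules. OpenVPN calls --up as
#   script tun_dev tun_mtu link_mtu ifconfig_local_ip ifconfig_remote_ip [init|restart]
# With one OpenVPN instance and key per user, the tunnel device identifies the
# user. Device-to-role mapping and server addresses are constructed for the
# example. Set IPT="echo iptables" to preview the rules instead of applying them.

IPT="${IPT:-iptables}"

# Constructed role table: what each tunnel may reach, as "proto:host:port"
# entries separated by spaces. Unknown tunnels get nothing.
acl_for_dev() {
    case "$1" in
        tun0) echo "tcp:192.168.200.10:445 tcp:192.168.200.10:139" ;; # user A: data server only
        tun1) echo "tcp:192.168.200.20:5432 tcp:192.168.200.1:22" ;;  # user B: database + firewall ssh
        *)    echo "" ;;
    esac
}

# Print, one per line, the iptables commands for one tunnel.
# $1 = tunnel device, $2 = address OpenVPN assigned to the peer.
rules_for_tunnel() {
    dev="$1"; client_ip="$2"; chain="vpn-$dev"
    echo "$IPT -N $chain"
    echo "$IPT -F $chain"
    # Only traffic arriving on this tunnel from its assigned address is
    # considered; anything else on the tunnel falls through to FORWARD's policy.
    echo "$IPT -A FORWARD -i $dev -s $client_ip -j $chain"
    # Replies back into the tunnel for flows the user was allowed to open.
    echo "$IPT -A FORWARD -o $dev -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for entry in $(acl_for_dev "$dev"); do
        proto="${entry%%:*}"; rest="${entry#*:}"
        dst="${rest%%:*}"; port="${rest#*:}"
        echo "$IPT -A $chain -p $proto -d $dst --dport $port -j ACCEPT"
    done
    # Log what was refused, then reject, as in the vpn-int chain from the thread.
    echo "$IPT -A $chain -j LOG --log-prefix \" REJECT: $chain \""
    echo "$IPT -A $chain -j REJECT"
}

# Execute the generated commands; stop at the first failure.
apply_rules() {
    rules_for_tunnel "$1" "$2" | while IFS= read -r cmd; do
        eval "$cmd" || exit 1
    done
}

# Entry point as invoked by OpenVPN: $1 is the tun device, $5 the peer address.
if [ "$#" -ge 5 ]; then
    apply_rules "$1" "$5"
fi
```

Because the accept rules are keyed on both the device and the assigned address, a user cannot widen their access by picking another address inside the tunnel, and the per-chain LOG prefix makes refused attempts easy to pick out of the kernel log by tunnel.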