
0002392: Major IPsec problems with EFW 2.3 - MantisBT Endian Bugtracker
ID: 0002392
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2009-11-08 16:53
Last Update: 2010-09-23 15:38
Reporter: taurec
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: suspended
Platform / OS / OS Version:
Product Version: 2.3
Target Version / Fixed in Version:
Summary: 0002392: Major IPsec problems with EFW 2.3
Description
Setting up IPsec tunnels with 2.3 works like a charm, no issues.
I can ping every host in every direction instantly after the tunnel is up.

Only one VPN traffic rule is in place
=> 1 <ANY> <ANY> <ANY> ALLOW allow ALL

What's very strange is that I can do pings and telnets without any problems, but I cannot use any of the other services.
I tried ssh, smtp, imap, dns, http, http, imaps and VMware.

Nothing works, but if I do a telnet on port 22 I get an answer
=>
####trying telnet to port 22##################################
volker:~ # telnet 192.168.13.11 22
Trying 192.168.13.11...
Connected to 192.168.13.11.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.2
####firewall log on the local site##################################
Nov 8 17:31:49 ruediger ulogd[1431]: VPNFW:ACCEPT:1 IN=br0 OUT=ipsec0 MAC=00:0c:29:89:58:e1:ff:ff:08:00:0c:00 SRC=192.168.10.11 DST=192.168.13.11 LEN=60 TOS=10 PREC=0x00 TTL=63 ID=11911 DF PROTO=KEY_TCP SPT=48393 DPT=22 SEQ=2276437494 ACK=0 WINDOW=5840 SYN URGP=0
###firewall log on the remote site###################################
Nov 8 17:31:58 wolf ulogd[1057]: VPNFW:ACCEPT:1 IN=ipsec0 OUT=br0 MAC= SRC=192.168.10.11 DST=192.168.13.11 LEN=60 TOS=10 PREC=0x00 TTL=62 ID=11911 DF PROTO=KEY_TCP SPT=48393 DPT=22 SEQ=2276437494 ACK=0 WINDOW=5840 SYN URGP=0
######################################

This looks really good. But if I do a "ssh 192.168.13.11" I get a timeout and nothing happens.
The firewall logs look the same.

Please let me know if you need any further details!

Kind regards
Taurec
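The report above compares the VPNFW entry on the local gateway with the one on the remote gateway by eye (same SRC/DST, ports, IP ID and SEQ, with TTL decremented by one). The following is an added example, not part of the report or of Endian's code, that automates that comparison for ulogd lines in the format shown: it parses each line into fields and matches packets that left via ipsec0 locally against packets that arrived via ipsec0 remotely. The sample log text is constructed from the two lines in the report plus one extra local entry (ID=11950, port 443) that has no remote counterpart.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample logs modelled on the VPNFW:ACCEPT lines in the report.
# The second LOCAL line is invented to show a packet that never reached the remote side.
LOCAL_LOG = """\
Nov 8 17:31:49 ruediger ulogd[1431]: VPNFW:ACCEPT:1 IN=br0 OUT=ipsec0 MAC=00:0c:29:89:58:e1:ff:ff:08:00:0c:00 SRC=192.168.10.11 DST=192.168.13.11 LEN=60 TOS=10 PREC=0x00 TTL=63 ID=11911 DF PROTO=KEY_TCP SPT=48393 DPT=22 SEQ=2276437494 ACK=0 WINDOW=5840 SYN URGP=0
Nov 8 17:32:05 ruediger ulogd[1431]: VPNFW:ACCEPT:1 IN=br0 OUT=ipsec0 MAC=00:0c:29:89:58:e1:ff:ff:08:00:0c:00 SRC=192.168.10.11 DST=192.168.13.11 LEN=60 TOS=10 PREC=0x00 TTL=63 ID=11950 DF PROTO=KEY_TCP SPT=48401 DPT=443 SEQ=1122334455 ACK=0 WINDOW=5840 SYN URGP=0
"""
REMOTE_LOG = """\
Nov 8 17:31:58 wolf ulogd[1057]: VPNFW:ACCEPT:1 IN=ipsec0 OUT=br0 MAC= SRC=192.168.10.11 DST=192.168.13.11 LEN=60 TOS=10 PREC=0x00 TTL=62 ID=11911 DF PROTO=KEY_TCP SPT=48393 DPT=22 SEQ=2276437494 ACK=0 WINDOW=5840 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}   # bare tokens without '='

# Fields that identify one IP packet regardless of which gateway logged it
# (TTL is deliberately excluded: it is decremented on the way through).
PACKET_KEY = ("SRC", "DST", "PROTO", "SPT", "DPT", "ID", "SEQ")

def parse_ulogd_line(line: str) -> Dict[str, str]:
    """Split a ulogd line into logging host, VPNFW verdict, KEY=VALUE fields and bare flags."""
    head, _, body = line.partition("VPNFW:")
    verdict, _, rest = body.partition(" ")          # e.g. "ACCEPT:1"
    rec = {"host": head.split()[3], "verdict": verdict}
    rec.update(FIELD_RE.findall(rest))              # empty values (MAC=) are kept as ""
    rec["flags"] = sorted(t for t in rest.split() if t in FLAGS)
    return rec

def packet_key(rec: Dict[str, str]) -> Tuple[str, ...]:
    return tuple(rec.get(k, "") for k in PACKET_KEY)

def correlate(local: str, remote: str) -> Tuple[List[Dict], List[Dict]]:
    """Return (matched, unmatched) local packets sent into ipsec0, depending on
    whether the same packet was logged as IN=ipsec0 on the remote gateway."""
    remote_keys = {packet_key(parse_ulogd_line(l))
                   for l in remote.splitlines() if "IN=ipsec0" in l}
    matched, unmatched = [], []
    for line in local.splitlines():
        rec = parse_ulogd_line(line)
        if rec.get("OUT") != "ipsec0":
            continue
        (matched if packet_key(rec) in remote_keys else unmatched).append(rec)
    return matched, unmatched

if __name__ == "__main__":
    ok, missing = correlate(LOCAL_LOG, REMOTE_LOG)
    for r in ok:
        print("crossed tunnel:", r["SRC"], "->", r["DST"], "dport", r["DPT"], "flags", r["flags"])
    for r in missing:
        print("NOT seen remotely:", r["SRC"], "->", r["DST"], "dport", r["DPT"], "id", r["ID"])
```

A packet that appears in both lists, as the port 22 SYN does in the report, shows the tunnel and the VPN firewall rule are passing that packet; the interesting cases for further investigation are the unmatched ones.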
Tags: No tags attached.
Attached Files

- Relationships
child of 0001927 (confirmed): Reports to be checked - collecting ticket

- Notes
(0003380)
peter-endian (administrator)
2009-11-25 15:01

Are you sure there's not ssh waiting for a reverse DNS or ident timeout?
If you can connect using telnet but not with ssh, there's little chance that it is the fault of the firewall.
(0003521)
vikash (reporter)
2009-12-07 15:36

Hi Taurec, do you have IPS running? I have a similar issue using OpenVPN, and even with the VPN firewall switched off, snort is still filtering the VPN traffic.

I've opened a bug for it here: http://bugs.endian.com/view.php?id=2464

- Issue History
Date Modified Username Field Change
2009-11-08 16:53 taurec New Issue
2009-11-25 15:01 peter-endian Note Added: 0003380
2009-11-25 15:01 peter-endian Status new => feedback
2009-12-07 15:36 vikash Note Added: 0003521
2010-01-21 19:08 peter-endian Relationship added child of 0001927
2010-09-23 15:38 peter-endian Status feedback => closed
2010-09-23 15:38 peter-endian Resolution open => suspended

Copyright © 2005-2008 Endian, SRL. All rights reserved.