|
|
|
|||||||
 |
|
|
Thread Tools | Search this Thread | Display Modes |
|
#1
06-24-2003, 07:55 AM
|
|||
|
|
|||
|
James Carlson <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>... > (E-Mail Removed) (James) writes: > > Sorry, I though it was fairly clear. Normal senario: Company x has > > It must not have been, at least to me ... that description looks quite > different from what appeared before. > > > adsl connection to internet using IPCop as firewall/gateway - all > [...] > > this is the issue: When the Win2K IPsec client manually disconnects > > VPN connection to IPSec firewall, IPSec firewall closes connection, > > then completly drops it's whole connection to the internet, so the > > whole office loses it's connection and one has to go through multiple > > restarts (of adsl modem/ppp link) before bringing back access. > > It sounds like "IPsec firewall" is misconfigured to think that "Win2K > IPsec client" is the sole gateway to the Internet. At a *really* wild > guess (since I *still* can't see those configuration files), I'd > expect that there's a misplaced "defaultrouter" in one of the pppd > configuration files, and that's destroying the default route to the > Internet. There is a bug for the IPcop firewall (the linux firewall/gateway) that says that IPCop loses it's default route to ppp when disconnecting. I should point out that this firewall connects to a static ADSL connection. "Default route points via IPSEC after reconnect When an IPCop box loses it's ppp connection (eg when using a Pulsar ADSL card and the link sync is lost), IPSec is not unloaded by ip-down. When the ADSL link is re- established and the connection is back up, instead of the default route being via ppp0, it is via ipsec0. " http://sourceforge.net/tracker/index...&at id=428516 However I have implemented this and the problem still occurs. What config files would you like? I should remind you that i'm fairly new to linux and don't know where all the configuration files are installed. But are these ok? *********** netstat- nr netstat -nr Kernel IP routing table Destination Gateway Genmask Flags MSS Window irtt Iface x.x.x.1 0.0.0.0 255.255.255.255 UH 40 0 0 ppp0 x.x.x.1 0.0.0.0 255.255.255.255 UH 40 0 0 ipsec0 192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2 192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0 1.1.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1 0.0.0.0 x.x.x.1 0.0.0.0 UG 40 0 0 ppp0 ************* ipsec.conf: config setup interfaces=%defaultroute klipsdebug=none plutodebug=none plutoload=%search plutostart=%search uniqueids=yes conn %default keyingtries=0 conn Opipo_office left=x.x.x.x # [static] compress=no leftsubnet=192.168.1.0/24 leftnexthop=%defaultroute type=tunnel authby=secret pfs=yes right=%any rightsubnet= rightnexthop=%defaultroute auto=add *************** ip_down: #!/usr/bin/perl # # SmoothWall CGIs # # This code is distributed under the terms of the GPL # # (c) The SmoothWall Team # # $Id: ip-down,v 1.2.2.9 2003/01/13 09:16:03 riddles Exp $ # require '/var/ipcop/header.pl'; &log("PPP has gone down on $ARGV[0]"); umask 022; my %pppsettings; my %dhcpsettings; # read vars back from file. &readhash("${swroot}/ppp/settings", \%pppsettings); &readhash("${swroot}/dhcp/settings", \%dhcpsettings); unlink "${swroot}/red/active"; system "/etc/rc.d/rc.updatered"; system "/bin/echo -en \a >/dev/console"; sleep 1; system "/bin/echo -en \a >/dev/console"; ****************** ip_up: #!/usr/bin/perl # # SmoothWall CGIs # # This code is distributed under the terms of the GPL # # (c) The SmoothWall Team # # $Id: ip-up,v 1.2.2.14 2003/02/06 15:52:46 riddles Exp $ # require '/var/ipcop/header.pl'; &log("PPP has gone up on $ARGV[0]"); umask 022; my %pppsettings; my %dhcpsettings; # read vars back from file. &readhash("${swroot}/ppp/settings", \%pppsettings); &readhash("${swroot}/dhcp/settings", \%dhcpsettings); if ( ( $pppsettings{'TYPE'} eq 'isdn') && ( $pppsettings{'COMPORT'} eq 'isdn2') && ( $pppsettings{'USEIBOD'} eq 'off') ) { system('/usr/sbin/isdnctrl', 'dial', 'ippp1'); } my $dns = $pppsettings{'DNS'}; my $primarydns = $pppsettings{'DNS1'}; my $secondarydns = $pppsettings{'DNS2'}; if ($dns eq 'Automatic') { if (!($pppsettings{'TYPE'} =~ /^isdn/)) { if (open(FILE, ">${swroot}/red/dns1")) { print FILE $ENV{'DNS1'}; close FILE; } if (open(FILE, ">${swroot}/red/dns2")) { print FILE $ENV{'DNS2'}; close FILE; } } else { if (open(FILE, ">${swroot}/red/dns1")) { print FILE $ENV{'MS_DNS1'}; close FILE; } if (open(FILE, ">${swroot}/red/dns2")) { print FILE $ENV{'MS_DNS2'}; close FILE; } } } else { if (open(FILE, ">${swroot}/red/dns1")) { print FILE $pppsettings{'DNS1'}; close FILE; } if (open(FILE, ">${swroot}/red/dns2")) { print FILE $pppsettings{'DNS2'}; close FILE; } } if (open(FILE, ">${swroot}/red/iface")) { print FILE $ARGV[0]; close (FILE); } if (open(FILE, ">${swroot}/red/local-ipaddress")) { print FILE $ARGV[3]; close (FILE); } if (open(FILE, ">${swroot}/red/remote-ipaddress")) { print FILE $ARGV[4]; close (FILE); } system('/bin/touch', "${swroot}/red/active"); system('/etc/rc.d/rc.updatered'); system "/bin/echo -en '\a' >/dev/console"; **************** rc.updater #!/bin/sh .. /var/ipcop/dhcp/settings .. /var/ipcop/ethernet/settings .. /var/ipcop/ppp/settings IFACE=`/bin/cat /var/ipcop/red/iface 2>/dev/null | /usr/bin/tr -d '\012'` OLDIP=`/bin/cat /var/ipcop/red/local-ipaddress 2>/dev/null | /usr/bin/tr -d '\012'` ### ### Retrieve DHCP Settings ### if [ "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "3" ]; then if [ "$RED_TYPE" = "DHCP" ]; then unset DNS1 DNS2 . /var/ipcop/ethernet/settings if [ "$DNS1" = "" ]; then echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 1` > /var/ipcop/red/dns1 echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 2` > /var/ipcop/red/dns2 else echo "$DNS1" > /var/ipcop/red/dns1 echo "$DNS2" > /var/ipcop/red/dns2 fi . /etc/dhcpc/dhcpcd-${RED_DEV}.info echo "$IPADDR" > /var/ipcop/red/local-ipaddress echo "$GATEWAY" > /var/ipcop/red/remote-ipaddress fi else if [ "$PROTOCOL" = "RFC1483" -a "$METHOD" = "DHCP" ]; then unset DNS1 DNS2 . /var/ipcop/ppp/settings if [ "$DNS" = "Automatic" ]; then echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 1` > /var/ipcop/red/dns1 echo -n `/etc/rc.d/helper/getdnsfromdhcpc.pl 2` > /var/ipcop/red/dns2 else echo "$DNS1" > /var/ipcop/red/dns1 echo "$DNS2" > /var/ipcop/red/dns2 fi . /etc/dhcpc/dhcpcd-${IFACE}.info echo $IPADDR > /var/ipcop/red/local-ipaddress echo $GATEWAY > /var/ipcop/red/remote-ipaddress fi fi ### ### Retrieve DNS settings ### DNS1=`/bin/cat /var/ipcop/red/dns1 | /usr/bin/tr -d '\012'` DNS2=`/bin/cat /var/ipcop/red/dns2 | /usr/bin/tr -d '\012'` if [ "$DNS1" != "" ]; then if [ "$DNS2" != "" ]; then echo "nameserver $DNS1" > /var/ipcop/red/resolv.conf echo "nameserver $DNS2" >> /var/ipcop/red/resolv.conf else echo "nameserver $DNS1" > /var/ipcop/red/resolv.conf fi else echo > /var/ipcop/red/resolv.conf fi ### ### Restart DNSMASQ ### /usr/bin/killall dnsmasq if [ -e "/var/ipcop/red/dial-on-demand" -a "$DIALONDEMANDDNS" == "on" -a ! -e "/var/ipcop/red/active" ]; then if [ "$DOMAIN_NAME" == "" ]; then /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases \ -r /var/ipcop/ppp/fake-resolv.conf else /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases \ -s "$DOMAIN_NAME" -r /var/ipcop/ppp/fake-resolv.conf fi else if [ "$DOMAIN_NAME" == "" ]; then /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases \ -r /var/ipcop/red/resolv.conf else /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases \ -s "$DOMAIN_NAME" -r /var/ipcop/red/resolv.conf fi fi # Reset default route to ippp0 for dial on demand if [ -e "/var/ipcop/red/dial-on-demand" -a "$TYPE" == "isdn" -a ! -e "/var/ipcop/red/active" ]; then /sbin/route add default dev ippp0 fi if ( echo $0 | /bin/grep -q dhcp ); then . /etc/dhcpc/dhcpcd-${IFACE}.info if [ "$OLDIP" != "$IPADDR" ]; then /usr/local/bin/setddns.pl unset ENABLED . /var/ipcop/vpn/settings if [ "$ENABLED" == "on" ]; then /etc/rc.d/ipsec restart fi fi else if [ -e "/var/ipcop/red/active" ]; then [ "$IFACE" != "" ] && /sbin/ifconfig $IFACE -multicast /etc/rc.d/rc.firewall reload /usr/local/bin/updatelists.pl & /usr/local/bin/restartsnort /usr/local/bin/setportfw /usr/local/bin/setxtaccess /usr/local/bin/setddns.pl /etc/rc.d/helper/writeipac.pl /etc/rc.d/helper/writemrtg.pl /usr/local/sbin/fetchipac -S unset ENABLED . /var/ipcop/vpn/settings if [ "$ENABLED" == "on" ]; then /etc/rc.d/ipsec restart fi else if [ "$ENABLED" == "on" ]; then /etc/rc.d/ipsec stop fi /etc/rc.d/rc.firewall reload fi fi ********************** > Dial-in links generally should not have "defaultrouter" anywhere in > the configuration, including /etc/ppp/options. Output of /etc/ppp/options: linkname ipcop noauth > > Still missing configuration information for those components ... > > > > Some hints about your configuration might help as well. It's hard to > > > guess at the contents of your configuration files. > > > > Config: One Linux firewall with 3 NICS, not worried about 2 internal > > nics. 1 NIC connected to (red) ADSL Dlink dsl-300 in bridge mode, > > i.e. Linux controls the connection, not the modem to ti ISP. IPCop > > includes - FreeSwan as vpn server. > > None of the above looks like a configuration file. How about this: ***************** /var/ipcop/ppp/settings DIALMODE= DNS=Manual CONCENTRATORNAME= IP= COMPORT= PROFILENAME=xxxxxxxx USERNAME=(E-Mail Removed) LOGINSCRIPT= DTERATE= VALID=yes USEIBOD=off AUTH=pap-or-chap PROTOCOL= TELEPHONE= MAXRETRIES=25 DIALONDEMAND=off PROFILE=1 DIALONDEMANDDNS=off TYPE=pppoe SPEAKER=off VPI= SERVICENAME= TIMEOUT=0 SENDCR=off ENCAP= VCI= DNS1=x.x.x.x AUTOCONNECT=on PHONEBOOK= DNS2=x.x.x.x ROUTERIP= PASSWORD=xxxxxxxx PERSISTENT=on USEDOV=off METHOD= ****************** > > > > > 18:17:34 pppoe Timeout waiting for PADO packets > > > > > > That's another PPPoE problem. In this case, timing out waiting for > > > PADO means that the PPPoE peer doesn't exist, or is ignoring you, or > > > the Ethernet cable is broken. > > > > Part of the disconnection problem above > > If that's really part of the disconnection problem, then there are > bigger problems here. You'll need to debug the machine at the other > end of this connection to find out why it's not bothering to respond > to PADO. So vpn link disconnected... Then this happens... 14:06:57 pppd No response to 3 echo-requests 14:06:57 pppd Serial link appears to be disconnected. 14:07:03 pppd Connection terminated. 14:07:03 pppd Connect time 1055.4 minutes. 14:07:03 pppd Sent 12194796 bytes, received 32547418 bytes. 14:07:03 pppd Using interface ppp0 14:07:03 pppd Connect: ppp0 <--> /dev/ttyp1 14:07:03 pppoe read (asyncReadFromPPP): Input/output error 14:07:03 pppoe Sent PADT 14:07:38 pppoe Timeout waiting for PADO packets 14:07:38 pppd Modem hangup 14:07:38 pppd Connection terminated. 14:07:38 pppd Using interface ppp0 14:07:38 pppd Connect: ppp0 <--> /dev/ttyp0 14:08:24 pppoe Timeout waiting for PADO packets 14:08:24 pppd Modem hangup 14:08:24 pppd Connection terminated. 14:08:24 pppd Using interface ppp0 14:08:24 pppd Connect: ppp0 <--> /dev/ttyp0 14:08:24 pppoe PPP session is 2113 14:08:26 pppd local IP address x.x.x.x 14:08:26 pppd remote IP address x.x.xx. > > > > > 18:19:19 pppoe PPP session is 2035 > > > > 2. Disconnect PPP on firewall GUI or 'rc.red stop' > > > > > > Perhaps the problem is in your tear-down script. > > > > I'm afraid I didn't write it and am relatively new to Linux. This is > > what should happen - the VPN client should informe the VPN server that > > it is closing the connection, the VPN server should close the IPSec > > tunnel (running through ppp) and wait for the next client to connect. > > All through this the ppp connection should stay available. > > It looks like the script doesn't do that at all. It looks to me like > it shuts down PPP. > > > > > Could it be mtu? Or what about tx/rx buffers? A duff adsl modem? > > > > > > Sorry ... none of those explanations appear to be related to the > > > problem. > > > > My thoughts being, as I read on the Internet somewhere, that bad MTU > > sizes can cause VPN tunnels big issues although I can't make the > > Bad MTU sizes cause predictable sorts of problems: certain sites > (those with broken PMTUD, specifically) will be unreachable. Access > to some others will work but perform badly. > > They don't just cause PPP connections to drop or fail to start. > > > connection - perhaps it might be related to the i) modem or ii) Linux > > gateways difficulty when receiving the vpn tunnel close signal. Some > > people reccomend 1400 for PPTP VPN tunnel, 1492 for pppoe, but better > > 1454 for optimal over atm. some say set really small mtu for vpn e.g. > > 576. I don't know the reccommended size for IPSec. > > IPsec doesn't have a recommended MTU. > > For PPPoE, you're restricted to a maximum MTU/MRU of 1492 -- this is > because the protocol adds 8 octets of overhead to each packet, and the > maximum Ethernet frame size is 1500 octets. > > The ATM default MTU/MRU (at least for RFC 2225 CLIP) is 9180 octets. > I have no idea where 1454 as "optimal" for ATM might be specified. http://www.mynetwatchman.com/kb/adsl/pppoemtu.htm > > As for PPTP, that's essentially a proprietary protocol. You'll need > to contact Microsoft. Not interested in PPTP - but this faq indicates a max MTU of 1400 for WinXP http://www.dslreports.com/faq/4613 > > > Would you suspect the modem ('s inability to handle the session as > > indicated by fist ppp error message)or the linux ('s inability to > > close the ipsec session without killing all sessions) box? > > Assuming that the Linux box is the one that is acting as "IPCop as > firewall/gateway" (it's still not clear to me from the text provided), > yes, I'd suspect that the Linux box is misconfigured. It sounds as > though it's ripping up its default route. Yes it is Linux box = IPCop firewall/gateway. IPCop - www.ipcop.org. A application pulling together iptables, squid, dhcp, freeswan and snort (IDS). > > That's just a wild guess. You'll need to look at configuration files, > debug logs ("man syslog" might be a start), and the output from > "netstat -nr" (or "route -n" on Linux) on multiple machines to come up > with a cause for the problem. If I were you, I'd start with the > machine that appears to be the proximate cause of the problem -- that > "IPCop as firewall/gateway" box, and its state before and after all > connectivity is lost. Thanks James 
|
Linear Mode
