Enhancement #3326

ipsec tunnels firewall to firewall

Added by Filippo Carletti almost 4 years ago. Updated almost 4 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-ipsec
Target version:v6.7
Resolution: NEEDINFO:No

Description

ipsec tunnels connect local and remote lan, but not local and remote firewalls, i.e. system in both lan can talk, but trying to ping the remote firewall will fail.
Usually, the workaround is to create another tunnel between the firewalls.
A better option is to use the leftsourceip field in ipsec.conf.

Associated revisions

Revision 61b8b216
Added by Giacomo Sanchietti almost 4 years ago

IPSec tunnels: automatically set leftsourceip. Refs #3326

Revision 969314f1
Added by Giacomo Sanchietti almost 4 years ago

db: migrate %left from ip to ethernet name. Refs #3326

Revision a5616f99
Added by Giacomo Sanchietti almost 4 years ago

Web UI: use interfaces for %left field. Refs #3326

Revision eb3e0f6b
Added by Giacomo Sanchietti almost 4 years ago

Web UI: allow %any value for %right field. Refs #3326

Revision 783a67ab
Added by Davide Principi almost 4 years ago

Updated translation label and online help. Refs #3326

Revision e9548d08
Added by Davide Principi almost 4 years ago

IpsecTunnels UI: generate default identifier if field is empty. Refs #3326

Revision 76b1ce88
Added by Davide Principi almost 4 years ago

IPsec tunnels %any. Refs #3326

Support for %any in Remote IP field [italiano]

Revision 570a7e46
Added by Davide Principi almost 4 years ago

Merge pull request #89 from NethServer/ipsec-support-any

IPsec tunnels %any. Refs #3326

History

#1 Updated by Filippo Carletti almost 4 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

#2 Updated by Filippo Carletti almost 4 years ago

leftsourceip should be set to the firewall ip address contained in the first local subnet.
No other option is needed.
Pseudo code:
for each $myips
if $myip is in $leftsubnet then $leftsourceip=$myip

#3 Updated by Giacomo Sanchietti almost 4 years ago

  • Category set to nethserver-ipsec
  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti almost 4 years ago

We can improve the web interface by allowing the user to choose any type of network interface for the "Local IP" field.
The list should also include red interfaces configured with DHCP.

Also allow the %any value for %right field to enable creation of tunnels with hosts behind NAT.

#6 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
In nethserver-testing:
  • nethserver-ipsec-1.1.2-1.6.geb3e0f6.ns6.noarch.rpm
Test case 1
  • Create a tunnel between two firewalls
  • Check each firewall can ping each other
Test case 2
  • Create a tunnel before then upgrade the package
  • Check the tunnel is still working
Test case 3
  • Try to create a tunnel with a firewall behind NAT
  • Set %any as "Remote IP"
  • Make sure the field allows only IP or %any value
  • If the value is %any the web interface must enforce to set a valid "Remote identifier" and "Local identifier", both must start with @ character

#7 Updated by Davide Principi almost 4 years ago

  • Assignee set to Davide Principi

#8 Updated by Giovanni Bezicheri almost 4 years ago

  • Assignee changed from Davide Principi to Giovanni Bezicheri

#9 Updated by Giovanni Bezicheri almost 4 years ago

  • Assignee deleted (Giovanni Bezicheri)

#10 Updated by Davide Principi almost 4 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

System and Package Version installed
Package Installed: nethserver-ipsec-1.1.2-1.ns6.noarch

Test Original Problem
A tunnel endpoint cannot ping the private IP of the other side

Install Updated Package

yum --enablerepo=nethserver-testing update nethserver-ipsec-1.1.2-1.6.geb3e0f6.ns6.noarch

Test Results after update
  • After updating to the modified version an endpoint can ping the private IP address of the other endpoint (test case 1)
  • Other hosts in private (green) networks are reachable (test case 2)
  • The %any value as Remote IP requires the @ form, thought the validator message is not translated correctly:
    Remote identifier
    id_notempty
    
  • The connection successfully started from the host behind NAT, where the remote IP was given explicitly (test case 3)
  • If the Local identifier field is empty, the nethserver-ipsec-ids action assign %ethX automatically, which is a non-IP and non-@prefix value

Verified Or Reopen
REOPEN, fix nethserver-ipsec-ids action, by moving the set_prop() call in the UI code.
Actions should not change the DB!

Notes
(Test case 3) on the endpoint where %any was specified the following log line appeared, as expected

Nov 27 17:05:02 firewall pluto[29185]: "nh-ran_ipsec-tunnel/1x1": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

  • Update the administrator manual
  • Fixed the validator label

#11 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#12 Updated by Davide Principi almost 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case 4

If local or remote identifier field is empty, check the value displayed by the field watermark is assigned when the record is saved.

Accepted must be
  • IP address
  • hostname with @ prefix

#13 Updated by Davide Principi almost 4 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing
nethserver-ipsec-1.1.2-1.9.ge9548d0.ns6.noarch.rpm

Admin's manual PR:
https://github.com/NethServer/nethserver-docs/pull/88
https://github.com/NethServer/nethserver-docs/pull/89

#14 Updated by Giacomo Sanchietti almost 4 years ago

  • Assignee set to Giacomo Sanchietti

#15 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

Test case 4 verified.

#16 Updated by Giacomo Sanchietti almost 4 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-ipsec-1.1.3-1.ns6.noarch.rpm

Also available in: Atom PDF