<info@kws-netzwerke.de>
2005-Sep-07 15:32 UTC
WG: AW: AW: AW: AW: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Sorry, I start from 172.16.5.152. But when I start from 172.16.5.151 it's the same.

Sep 7 17:27:59 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0 SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=38199 SEQ=2

-----Original message-----
From: info@kws-netzwerke.de [mailto:info@kws-netzwerke.de]
Sent: Wednesday, 7 September 2005 17:30
To: 'shorewall-users@lists.sourceforge.net'
Subject: AW: AW: AW: AW: AW: [Shorewall-users] OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2

I start a ping from 172.16.5.151. That's the result.

Sep 7 17:27:59 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0 SRC=172.16.5.152 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=38199 SEQ=2

-----Original message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Wednesday, 7 September 2005 17:23
To: shorewall-users@lists.sourceforge.net
Subject: Re: AW: AW: AW: AW: [Shorewall-users] OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2

info@kws-netzwerke.de wrote:
> Of course..
>
> Here it is
>
> Thanks for everything

This setup *looks* correct -- what happens now if you try to send traffic through the tunnel?

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Sep-07 15:58 UTC
Re: WG: AW: AW: AW: AW: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
info@kws-netzwerke.de wrote:
> Sorry, I start from 172.16.5.152
>
> But when I start from 172.16.5.151 it's the same.
>
> Sep 7 17:27:59 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0
> SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF
> PROTO=ICMP TYPE=8 CODE=0 ID=38199 SEQ=2
>

Ok -- from your "shorewall status"

Chain eth0_fwd (1 references)
 pkts bytes target   prot opt in  out  source     destination
21293 1027K dynamic  all  --  *   *    0.0.0.0/0  0.0.0.0/0       state INVALID,NEW
    0     0 loc2vpn  all  --  *   ppp0 0.0.0.0/0  172.16.10.0/30  policy match dir out pol ipsec mode tunnel
    0     0 loc2vpn  all  --  *   ppp0 0.0.0.0/0  82.100.235.11   policy match dir out pol ipsec mode tunnel
 257K   54M loc2net  all  --  *   ppp0 0.0.0.0/0  0.0.0.0/0       policy match dir out pol none
    0     0 ACCEPT   all  --  *   eth0 0.0.0.0/0  0.0.0.0/0       policy match dir out pol none

This indicates that the ping packets are *not* matching the second rule in this chain (and they should).

Please forward the output of:

setkey -D

and

setkey -DP

Thanks,
-Tom

PS -- hopefully you have ipsec-tools installed as 'setkey' is part of that package.

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Sep-07 16:01 UTC
Re: WG: AW: AW: AW: AW: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Tom Eastep wrote:
> info@kws-netzwerke.de wrote:
>> Sorry, I start from 172.16.5.152
>>
>> But when I start from 172.16.5.151 it's the same.
>>
>> Sep 7 17:27:59 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0
>> SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF
>> PROTO=ICMP TYPE=8 CODE=0 ID=38199 SEQ=2
>>
>
> Ok -- from your "shorewall status"
>
> Chain eth0_fwd (1 references)
>  pkts bytes target   prot opt in  out  source     destination
> 21293 1027K dynamic  all  --  *   *    0.0.0.0/0  0.0.0.0/0       state INVALID,NEW
>     0     0 loc2vpn  all  --  *   ppp0 0.0.0.0/0  172.16.10.0/30  policy match dir out pol ipsec mode tunnel
>     0     0 loc2vpn  all  --  *   ppp0 0.0.0.0/0  82.100.235.11   policy match dir out pol ipsec mode tunnel
>  257K   54M loc2net  all  --  *   ppp0 0.0.0.0/0  0.0.0.0/0       policy match dir out pol none
>     0     0 ACCEPT   all  --  *   eth0 0.0.0.0/0  0.0.0.0/0       policy match dir out pol none
>
> This indicates that the ping packets are *not* matching the second rule
> in this chain (and they should).
>

Wait a minute! That says 172.16.10.0/30 and 172.16.10.254 is *not* in that network!

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
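The check Tom makes by eye (does the logged DST fall inside the destination network of the loc2vpn rule?) can be automated: the added script below, which is not part of this thread or of Shorewall, parses the eth0_fwd chain listing and the Shorewall log line quoted above (both transcribed here as constructed sample input) and reports which rules' interface and address fields the packet satisfies. It only evaluates the out-interface, source and destination columns; the `state` and `policy` matches are not modelled.

```python
import ipaddress
import re

# Constructed input: the eth0_fwd listing from "shorewall status" as quoted in the thread.
CHAIN_LISTING = """\
Chain eth0_fwd (1 references)
 pkts bytes target  prot opt in out  source    destination
21293 1027K dynamic all  --  *  *    0.0.0.0/0 0.0.0.0/0      state INVALID,NEW
    0     0 loc2vpn all  --  *  ppp0 0.0.0.0/0 172.16.10.0/30 policy match dir out pol ipsec mode tunnel
    0     0 loc2vpn all  --  *  ppp0 0.0.0.0/0 82.100.235.11  policy match dir out pol ipsec mode tunnel
 257K   54M loc2net all  --  *  ppp0 0.0.0.0/0 0.0.0.0/0      policy match dir out pol none
    0     0 ACCEPT  all  --  *  eth0 0.0.0.0/0 0.0.0.0/0      policy match dir out pol none
"""

# Constructed input: the rejected ping as logged by Shorewall in the thread.
LOG_LINE = ("Sep 7 17:27:59 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0 "
            "SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 "
            "ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=38199 SEQ=2")


def parse_chain(listing):
    """Turn an iptables -nvL chain listing into rule dicts (columns: pkts bytes target prot opt in out src dst ...)."""
    rules = []
    for line in listing.splitlines()[2:]:          # skip "Chain ..." and the column header
        f = line.split()
        if len(f) < 9:
            continue
        rules.append({"target": f[2], "out": f[6],
                      "src": ipaddress.ip_network(f[7], strict=False),
                      "dst": ipaddress.ip_network(f[8], strict=False)})  # bare host -> /32
    return rules


def parse_log(line):
    """Pull OUT/SRC/DST out of a Shorewall (netfilter) log line."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    return {"out": kv["OUT"],
            "src": ipaddress.ip_address(kv["SRC"]),
            "dst": ipaddress.ip_address(kv["DST"])}


def candidate_targets(log_line, listing=CHAIN_LISTING):
    """Targets of rules whose out-interface, source and destination fields the logged packet satisfies."""
    pkt = parse_log(log_line)
    hits = []
    for r in parse_chain(listing):
        if r["out"] not in ("*", pkt["out"]):
            continue
        if pkt["src"] in r["src"] and pkt["dst"] in r["dst"]:
            hits.append(r["target"])
    return hits


if __name__ == "__main__":
    # 172.16.10.254 is outside 172.16.10.0/30, so loc2vpn never appears; loc2net does.
    print(candidate_targets(LOG_LINE))
```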
<info@kws-netzwerke.de>
2005-Sep-07 16:12 UTC
AW: WG: AW: AW: AW: AW: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
Tom wrote:

Wait a minute! That says 172.16.10.0/30 and 172.16.10.254 is *not* in that network!

Mike:

You are right and that's the solution. After changing the hosts file from eth0 to ppp0 I never tried again to change from 172.16.5.0/30 to 172.16.5.252/30.

The latter works but shorewall takes both?! Is that right?

For my case it works now but it also should work with x.0/30 or shouldn't it?

Thank you very much for your great support.

Cheers
Mike

-----Original message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Wednesday, 7 September 2005 18:01
To: shorewall-users@lists.sourceforge.net
Subject: Re: WG: AW: AW: AW: AW: [Shorewall-users] OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2

Tom Eastep wrote:
> info@kws-netzwerke.de wrote:
>> Sorry, I start from 172.16.5.152
>>
>> But when I start from 172.16.5.151 it's the same.
>>
>> Sep 7 17:27:59 dtag-gw Shorewall:FORWARD:REJECT:IN=eth0 OUT=ppp0
>> SRC=172.16.5.151 DST=172.16.10.254 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF
>> PROTO=ICMP TYPE=8 CODE=0 ID=38199 SEQ=2
>>
>
> Ok -- from your "shorewall status"
>
> Chain eth0_fwd (1 references)
>  pkts bytes target   prot opt in  out  source     destination
> 21293 1027K dynamic  all  --  *   *    0.0.0.0/0  0.0.0.0/0       state INVALID,NEW
>     0     0 loc2vpn  all  --  *   ppp0 0.0.0.0/0  172.16.10.0/30  policy match dir out pol ipsec mode tunnel
>     0     0 loc2vpn  all  --  *   ppp0 0.0.0.0/0  82.100.235.11   policy match dir out pol ipsec mode tunnel
>  257K   54M loc2net  all  --  *   ppp0 0.0.0.0/0  0.0.0.0/0       policy match dir out pol none
>     0     0 ACCEPT   all  --  *   eth0 0.0.0.0/0  0.0.0.0/0       policy match dir out pol none
>
> This indicates that the ping packets are *not* matching the second rule
> in this chain (and they should).
>

Wait a minute! That says 172.16.10.0/30 and 172.16.10.254 is *not* in that network!

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Sep-07 16:19 UTC
Re: AW: WG: AW: AW: AW: AW: OPENSWAN Policy with Shorewall 2.4.1, Gentoo Linux 2.6.12-r9, IPsec Tools 0.5.2
info@kws-netzwerke.de wrote:
> Tom wrote:
>
> Wait a minute! That says 172.16.10.0/30 and 172.16.10.254 is *not* in that
> network!
>
> Mike:
>
> You are right and that's the solution. After changing hosts file from eth0 to
> ppp0 I never tried again to change from 172.16.5.0/30 to 172.16.5.252/30
>
> The latter works but shorewall takes both?! Is that right?
>
> For my case it works now but it also should work with x.0/30 or shouldn't
> it?

I guess that I'm not understanding your question. It will work with x.0/30 *if that's the right network* (which it apparently wasn't in this case). Shorewall will accept any valid syntax that you give it but you must specify the correct network for it to work properly.

HTH

>
> Thank you very much for your great support.

It was Jerry who got you on the right track -- I just picked up on a detail :-)

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key