<info@kws-netzwerke.de>
2006-Feb-07 21:01 UTC
WG: AW: WG: proxyarp <--> OpenSwan VPN/Internet
I've figured out the following. I am able to sftp from shorewall 2.4.2 left vpn gateway x.x.x.14 (DMZ) to shorewall 2.4.1 fw x.x.x.11 with /etc/shorewall/proxyarp

    x.x.x.14 eth2 eth0 No

very well. That's not through a tunnel (of course a ssh tunnel, but no vpn) but with public ip x.x.x.14 to x.x.x.11.

If I try to sftp through the fw to the public internet I have the same problems as mentioned before.

I am able to read/write my provider's router config. It's a cisco and I found mtu 1456 and encapsulation ppp.

The solution still seems to be far away. I have many facts, but I don't know where they have to fit. My dmz host doesn't like talking to the internet. Talking to fw and to local works very well.

I will go on trying and changing mtu, mss and some other things. If there is any idea left, please let me know.

Thanks in advance.

Cheers
Mike

-----Original Message-----
From: info@kws-netzwerke.de [mailto:info@kws-netzwerke.de]
Sent: Tuesday, 7 February 2006 21:18
To: 'shorewall-users@lists.sourceforge.net'
Subject: AW: AW: WG: [Shorewall-users] proxyarp <--> OpenSwan VPN/Internet

Shorewall 2.4.2 on left vpn gate with ip x.x.x.14
Shorewall 2.4.1 on right gate with ip y.y.y.212
Shorewall 2.4.1 on fw with ip x.x.x.11 and /etc/shorewall/proxyarp

    x.x.x.14 eth2 eth0 No

I don't know any IPSEC settings in /etc/shorewall/shorewall.conf. I only know about /etc/shorewall/ipsec and tried out many things like this.

    vpn yes mode=tunnel mss=1300(1400/1500) mss=1300(1400/1500)

At this point I don't think that it has anything to do with /etc/shorewall/ipsec, openswan or anything from the vpn. The troubles are always present if I start transfer jobs from x.x.x.14 (through the tunnel and through the public internet) which is configured in /etc/shorewall/proxyarp in another box with ip x.x.x.11. x.x.x.11 is the one which is connected to my sdsl provider.
Cheers
Mike

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Tuesday, 7 February 2006 16:13
To: shorewall-users@lists.sourceforge.net
Subject: Re: AW: WG: [Shorewall-users] proxyarp <--> OpenSwan VPN/Internet

On Tuesday 07 February 2006 07:01, info@kws-netzwerke.de wrote:
> I've tried to play with mss values in /etc/shorewall/ipsec
>
> vpn yes mode=tunnel mss=1400(1500,1384,1416,1452,1344)

Which version of Shorewall are you running and what is your setting for IPSECFILE (if any) in /etc/shorewall/shorewall.conf?

>
> After all I decided to leave /etc/shorewall/ipsec empty. Further the
> problem seems to be out of the tunnel, too. I think ipsec file won't help
> with issues out of the ipsec tunnel.
>

That's exactly what it's for!

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key