I'm running shorewall 3.0.4 on RH FC4, patched.

My problem is this: I'm running a VPN from network 192.168.243.0/24 to 192.168.108.0/24.

If I do "shorewall clear" we can transmit information across the VPN; if I do "shorewall start" I get this:

    Feb 10 11:01:15 rtr1250f kernel: RTR1250_FW:FORWARD:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.253.48 DST=192.168.108.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=64994 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=20998
    Feb 10 11:01:16 rtr1250f kernel: RTR1250_FW:FORWARD:REJECT:IN=eth0 OUT=ppp0 SRC=192.168.253.48 DST=192.168.108.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=65000 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=21254

This is my configuration:

Zones file

    net   ipv4
    fw    firewall
    loc   ipv4
    vpn   ipsec      mode=tunnel mss=1400

Interfaces file

    net   ppp0
    loc   eth0

Policy file

    $FW   net    ACCEPT
    loc   net    ACCEPT
    loc   $FW    ACCEPT
    loc   vpn    ACCEPT
    vpn   loc    ACCEPT
    net   net    DROP
    all   all    REJECT   info

Hosts file

    vpn   eth0:0.0.0.0/0

shorewall show capabilities

    NAT: Available
    Packet Mangling: Available
    Multi-port Match: Available
    Extended Multi-port Match: Available
    Connection Tracking Match: Available
    Packet Type Match: Available
    Policy Match: Available
    Physdev Match: Available
    IP range Match: Available
    Recent Match: Available
    Owner Match: Available
    Ipset Match: Not available
    CONNMARK Target: Available
    Connmark Match: Available
    Raw Table: Available
    CLASSIFY Target: Available

Thanks

Fernando Rodriguez V.
On Friday 10 February 2006 09:13, Fernando Rodriguez wrote:

> I'm running shorewall 3.0.4 on RH FC4, patched.

I assume that you have all of the IPSEC/NAT patches in addition to the policy match patch?

> My problem is this: I'm running a VPN from network 192.168.243.0/24 to
> 192.168.108.0/24.
>
> If I do "shorewall clear" we can transmit information across the VPN; if I do
> "shorewall start" I get this:
>
> Feb 10 11:01:15 rtr1250f kernel: RTR1250_FW:FORWARD:REJECT:IN=eth0 OUT=ppp0
> SRC=192.168.253.48 DST=192.168.108.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> ID=64994 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=20998
> Feb 10 11:01:16 rtr1250f kernel: RTR1250_FW:FORWARD:REJECT:IN=eth0 OUT=ppp0
> SRC=192.168.253.48 DST=192.168.108.254 LEN=60 TOS=0x00 PREC=0x00 TTL=63
> ID=65000 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=21254
>
> This is my configuration

Your config looks ok but without "shorewall dump" output, I won't even guess what is wrong (see http://www.shorewall.net/support.htm for the correct way to collect a useful dump).

-Tom

-- 
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
On Friday 10 February 2006 09:13, Fernando Rodriguez wrote:

> Zones file
>
>     net   ipv4
>     fw    firewall
>     loc   ipv4
>     vpn   ipsec      mode=tunnel mss=1400

One possible explanation would be that you either have IPSECFILE=ipsec or you are missing IPSECFILE altogether in /etc/shorewall/shorewall.conf. You need IPSECFILE=zones.

-Tom
This is the shorewall dump.

Thanks

-----Original message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Friday, 10 February 2006 11:43 a.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] IPSEC 2.6
On Friday 10 February 2006 09:54, Fernando Rodriguez wrote:

> This is the shorewall dump.

I think your hosts file entry is wrong -- shouldn't it be:

    vpn   ppp0:0.0.0.0/0

???

-Tom
Problem solved .. vpn ppp0:0.0.0.0/0 was the issue.

Thank you very much for your help ..

-----Original message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Tom Eastep
Sent: Friday, 10 February 2006 12:01 p.m.
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] IPSEC 2.6