Hello,

I have shorewall 2.2.3 installed using the debian package. I am having a problem getting l2tp/ipsec vpn through it. Plain ipsec works; I can ping the entire lan. But when I use l2tp with ipsec using the xp client, I can connect fine but I can't even ping the firewall's local address. One would assume it is a routing issue, but when I completely disable shorewall, ipsec/l2tp works fine and I can ping the lan.

Any help would be greatly appreciated.

Thanks,
HUR
Hafeez Rehman wrote:
> Hello,
>
> I have shorewall 2.2.3 installed using the debian package. I am having a
> problem getting l2tp/ipsec vpn through it. Plain ipsec works; I
> can ping the entire lan. But when I use l2tp with ipsec using the xp client,
> I can connect fine but I can't even ping the firewall's local address.
> One would assume it is a routing issue, but when I completely disable
> shorewall, ipsec/l2tp works fine and I can ping the lan.
>
> Any help would be greatly appreciated.

Shorewall 2.2.3 is not a supported version (yes, I know that Debian ships it, but it is 14 months old, which is ancient in Shorewall terms).

That having been said, I would look at your log when trying to connect via l2tp -- you can see the traffic that's being rejected (probably UDP 1701 or UDP 4500 or Protocol 115) and can add rules accordingly.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Hafeez Rehman wrote:
>> Hello,
>>
>> I have shorewall 2.2.3 installed using the debian package. I am having a
>> problem getting l2tp/ipsec vpn through it. Plain ipsec works; I
>> can ping the entire lan. But when I use l2tp with ipsec using the xp client,
>> I can connect fine but I can't even ping the firewall's local address.
>> One would assume it is a routing issue, but when I completely disable
>> shorewall, ipsec/l2tp works fine and I can ping the lan.
>>
>> Any help would be greatly appreciated.
>
> Shorewall 2.2.3 is not a supported version (yes, I know that Debian ships it, but
> it is 14 months old, which is ancient in Shorewall terms).
>
> That having been said, I would look at your log when trying to connect via
> l2tp -- you can see the traffic that's being rejected (probably UDP 1701 or UDP
> 4500 or Protocol 115) and can add rules accordingly.

You should also find this article helpful -- http://www.shorewall.net/2.0/VPNBasics.html.

-Tom
Thanks a lot Tom,

I guess I need to allow ppp. 251 is the l2tp client IP. Any help would be appreciated.

Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=192.168.1.1 DST=192.168.1.251 LEN=124 TOS=0x00 PREC=0xC0 TTL=64 ID=17001 PROTO=ICMP TYPE=3 CODE=3 [SRC=192.168.1.251 DST=192.168.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=4734 PROTO=UDP SPT=137 DPT=137 LEN=76 ]

HUR

>From: Tom Eastep <teastep@shorewall.net>
>Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>Subject: Re: [Shorewall-users] L2TP/IPSEC
>Date: Tue, 27 Jun 2006 11:54:53 -0700
>
>Tom Eastep wrote:
> > Hafeez Rehman wrote:
> >> Hello,
> >>
> >> I have shorewall 2.2.3 installed using the debian package. I am having a
> >> problem getting l2tp/ipsec vpn through it. Plain ipsec works; I
> >> can ping the entire lan. But when I use l2tp with ipsec using the xp client,
> >> I can connect fine but I can't even ping the firewall's local address.
> >> One would assume it is a routing issue, but when I completely disable
> >> shorewall, ipsec/l2tp works fine and I can ping the lan.
> >>
> >> Any help would be greatly appreciated.
> >
> > Shorewall 2.2.3 is not a supported version (yes, I know that Debian ships it, but
> > it is 14 months old, which is ancient in Shorewall terms).
> >
> > That having been said, I would look at your log when trying to connect via
> > l2tp -- you can see the traffic that's being rejected (probably UDP 1701 or UDP
> > 4500 or Protocol 115) and can add rules accordingly.
>
>You should also find this article helpful -- http://www.shorewall.net/2.0/VPNBasics.html.
>
>-Tom
>
>_______________________________________________
>Shorewall-users mailing list
>Shorewall-users@lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/shorewall-users
Hafeez Rehman wrote:
> Thanks a lot Tom,
>
> I guess I need to allow ppp. 251 is the l2tp client IP. Any help would
> be appreciated.
>
> Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=192.168.1.1 DST=192.168.1.251
> LEN=124 TOS=0x00 PREC=0xC0 TTL=64 ID=17001 PROTO=ICMP TYPE=3 CODE=3
> [SRC=192.168.1.251 DST=192.168.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=4734 PROTO=UDP
> SPT=137 DPT=137 LEN=76 ]

Please see http://www1.shorewall.net/VPNBasics.html

Everything you need is in the sections entitled "Defining the Zones" and "Allowing Traffic". Given that you are running 2.2.x, the /etc/shorewall/zones entry that you need has a little different format, but I'm sure you can figure that out.

-Tom
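Reading a line like the one above by hand is error-prone: netfilter's log format nests the header of the packet that provoked an ICMP error inside square brackets, so SRC/DST/LEN appear twice with different meanings. The script below is an added example (my code, not part of this thread and not Shorewall's own tooling) that parses a Shorewall log line into the chain, the disposition, the outer header and the quoted inner header, and names the interface the rejecting chain was judging. The sample line is Hafeez's log entry re-joined where his mail client wrapped it (TOS, DST, DPT=137); the names parse_shorewall_log, interfaces_to_zone and describe are my own.

```python
"""Parse Shorewall REJECT/DROP log lines and spell out what was rejected."""
import re
from dataclasses import dataclass, field

# Constructed sample: Hafeez's log line with the mail wrap artifacts joined
# ("T OS" -> "TOS", "DS T" -> "DST", "DPT=13 7" -> "DPT=137").
SAMPLE_LOG = (
    "Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=192.168.1.1 DST=192.168.1.251 "
    "LEN=124 TOS=0x00 PREC=0xC0 TTL=64 ID=17001 PROTO=ICMP TYPE=3 CODE=3 "
    "[SRC=192.168.1.251 DST=192.168.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 "
    "ID=4734 PROTO=UDP SPT=137 DPT=137 LEN=76 ]"
)

# "Shorewall:<chain>:<disposition>:" prefix, then netfilter's KEY=VALUE fields.
PREFIX_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
# Bare flags such as DF or SYN carry no "=", so they are skipped on purpose.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# ICMP type 3 (destination unreachable) codes worth recognising in reject logs.
ICMP_UNREACH_CODES = {
    "0": "net unreachable", "1": "host unreachable",
    "2": "protocol unreachable", "3": "port unreachable",
    "9": "net administratively prohibited",
    "10": "host administratively prohibited",
    "13": "communication administratively prohibited",
}


@dataclass
class ShorewallEvent:
    chain: str
    disposition: str
    fields: dict = field(default_factory=dict)  # header of the logged packet
    inner: dict = field(default_factory=dict)   # header quoted inside an ICMP error


def parse_shorewall_log(line: str) -> ShorewallEvent:
    """Split one Shorewall log line into chain, disposition and header fields.

    When the logged packet is an ICMP error, netfilter appends the offending
    packet's header inside [...]; it is parsed into its own dict so the two
    SRC/DST/LEN sets do not overwrite each other. Inside the brackets the
    second LEN (the UDP/TCP length) wins over the IP length, which is fine
    for the purpose of naming ports and addresses.
    """
    m = PREFIX_RE.match(line.strip())
    if m is None:
        raise ValueError("not a Shorewall log line: %r" % line)
    rest = m.group("rest")
    inner = {}
    lb = rest.find("[")
    if lb != -1:
        rb = rest.find("]", lb)
        if rb == -1:
            raise ValueError("unterminated inner packet header")
        inner = dict(KV_RE.findall(rest[lb + 1:rb]))
        rest = rest[:lb] + rest[rb + 1:]
    return ShorewallEvent(m.group("chain"), m.group("disp"),
                          dict(KV_RE.findall(rest)), inner)


def interfaces_to_zone(ev: ShorewallEvent) -> list:
    """Interfaces the rejecting chain judged by: OUTPUT looks at the outgoing
    interface, INPUT at the incoming one, FORWARD and Shorewall's zone-to-zone
    chains at both. An interface listed here that belongs to no Shorewall zone
    falls through to the policy that produced this log entry."""
    f = ev.fields
    if ev.chain == "OUTPUT":
        names = [f.get("OUT")]
    elif ev.chain == "INPUT":
        names = [f.get("IN")]
    else:
        names = [f.get("IN"), f.get("OUT")]
    return [n for n in names if n]


def describe(ev: ShorewallEvent) -> str:
    """One-line, human-readable summary of a parsed event."""
    f = ev.fields
    text = "%s chain %s: %s -> %s proto %s via in=%s out=%s" % (
        ev.chain, ev.disposition, f.get("SRC"), f.get("DST"), f.get("PROTO"),
        f.get("IN") or "-", f.get("OUT") or "-")
    if f.get("PROTO") == "ICMP" and f.get("TYPE") == "3":
        code = ICMP_UNREACH_CODES.get(f.get("CODE"), "unreachable code %s" % f.get("CODE"))
        text += " [ICMP %s" % code
        if ev.inner:
            i = ev.inner
            text += ", answering %s %s:%s -> %s:%s" % (
                i.get("PROTO"), i.get("SRC"), i.get("SPT"), i.get("DST"), i.get("DPT"))
        text += "]"
    return text


if __name__ == "__main__":
    event = parse_shorewall_log(SAMPLE_LOG)
    print(describe(event))
    print("interfaces needing a zone/policy:", interfaces_to_zone(event))
```

On Hafeez's line the summary reads: the firewall's own OUTPUT chain refused to send an ICMP port-unreachable out ppp0, in answer to a NetBIOS name-service packet (UDP 137 to 137) that the client had sent to the firewall. The interface the chain was judging is ppp0, which is exactly the interface that needs to be placed in a zone with traffic allowed, as Tom's pointer to "Defining the Zones" and "Allowing Traffic" says.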
Thanks for all your help Tom,

It is working ok now. Allowing ppp in fixed the problem.

HR

>From: Tom Eastep <teastep@shorewall.net>
>Reply-To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>To: Shorewall Users <shorewall-users@lists.sourceforge.net>
>Subject: Re: [Shorewall-users] L2TP/IPSEC
>Date: Tue, 27 Jun 2006 17:31:45 -0700
>
>Hafeez Rehman wrote:
> > Thanks a lot Tom,
> >
> > I guess I need to allow ppp. 251 is the l2tp client IP. Any help would
> > be appreciated.
> >
> > Shorewall:OUTPUT:REJECT:IN= OUT=ppp0 SRC=192.168.1.1 DST=192.168.1.251
> > LEN=124 TOS=0x00 PREC=0xC0 TTL=64 ID=17001 PROTO=ICMP TYPE=3 CODE=3
> > [SRC=192.168.1.251 DST=192.168.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=128 ID=4734 PROTO=UDP
> > SPT=137 DPT=137 LEN=76 ]
>
>Please see http://www1.shorewall.net/VPNBasics.html
>
>Everything you need is in the sections entitled "Defining the Zones" and
>"Allowing Traffic". Given that you are running 2.2.x, the
>/etc/shorewall/zones entry that you need has a little different format,
>but I'm sure you can figure that out.
>
>-Tom