Hi,

I recently upgraded a two-interface box from 2.x to 3.2.6 on Debian Etch, Linux 2.6.17. We run openswan on the box as well for road warriors. I have read http://www.shorewall.net/IPSEC-2.6.html, but no dice. I note that the link mentions raccoon, but I hope that openswan works with this setup, as we have always used it and these things aren't trivial to configure.

A ping to a machine behind the VPN (192.168.168.10) returns a tcpdump from the firewall like this:

16:08:36.972191 IP 82.69.161.254 > 82.68.107.174: ICMP host 82.69.161.254 unreachable - admin prohibited, length 112

82.69.161.254 is the public address of the firewall. 82.68.107.174 is the router that my road warrior is sitting behind. The IPsec SA comes up with no problem and all other firewall services work. When I stop shorewall, my pings from road warrior to vpn zone do work.

This used to work with Linux 2.4. Can anybody assist? I suspect it is to do with policy matching but I don't really know enough about the detail to know where to go from here. I have put a dump at http://www.wayforth.co.uk/Members/antony/shorewall_dump/.

Antony

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Antony Gelberg wrote:
> This used to work with Linux 2.4. Can anybody assist? I suspect it is
> to do with policy matching but I don't really know enough about the
> detail to know where to go from here. I have put a dump at
> http://www.wayforth.co.uk/Members/antony/shorewall_dump/.

You appear to be doing IPIP encapsulation within the IPSEC SA. So you need to define the IPIP tunnel as well.

/etc/shorewall/tunnels:

#TYPE   ZONE    GATEWAY
ipip    vpn     82.68.107.174

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Antony Gelberg wrote:
>> This used to work with Linux 2.4. Can anybody assist? I suspect it is
>> to do with policy matching but I don't really know enough about the
>> detail to know where to go from here. I have put a dump at
>> http://www.wayforth.co.uk/Members/antony/shorewall_dump/.
>
> You appear to be doing IPIP encapsulation within the IPSEC SA. So you need
> to define the IPIP tunnel as well.
>
> /etc/shorewall/tunnels:
>
> #TYPE   ZONE    GATEWAY
> ipip    vpn     82.68.107.174
>

Great, thank you! Just for my knowledge, how did you know that? We've been using openswan like this for years and I've never even heard of IPIP.

Antony
Antony Gelberg wrote:
> Tom Eastep wrote:
>> Antony Gelberg wrote:
>>> This used to work with Linux 2.4. Can anybody assist? I suspect it is
>>> to do with policy matching but I don't really know enough about the
>>> detail to know where to go from here. I have put a dump at
>>> http://www.wayforth.co.uk/Members/antony/shorewall_dump/.
>> You appear to be doing IPIP encapsulation within the IPSEC SA. So you need
>> to define the IPIP tunnel as well.
>>
>> /etc/shorewall/tunnels:
>>
>> #TYPE   ZONE    GATEWAY
>> ipip    vpn     82.68.107.174
>>
>
> Great, thank you! Just for my knowledge, how did you know that? We've
> been using openswan like this for years and I've never even heard of IPIP.

From the dump (from /var/log/messages):

Jan 19 15:52:24 all2all:REJECT:IN=eth0 OUT= SRC=82.68.107.174 DST=82.69.161.254 LEN=104 TOS=0x00 PREC=0x00 TTL=57 ID=18630 DF PROTO=4

Protocol 4 is IPIP.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
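The diagnosis Tom walks through in the two replies above (read the REJECT line out of /var/log/messages, note that PROTO=4 is a numeric IP protocol rather than TCP/UDP/ICMP, look it up, and then open that carrier protocol from the remote gateway in /etc/shorewall/tunnels) is mechanical enough to script. The following is an added example, not code from the thread or from Shorewall itself. The log line is the one quoted above; the protocol-number table is from the IANA assigned-numbers registry; the mapping from carrier protocol to Shorewall tunnel TYPE is an assumption based on the TYPE keywords in the tunnels file (the thread only demonstrates "ipip"), so check it against the shorewall-tunnels man page for your release.

```python
"""Decode a Shorewall/netfilter log line and name the rejected IP protocol.

Added example; not part of the mailing-list thread. SAMPLE_LOG is the line
Tom quoted from the poster's dump. TUNNEL_TYPE_FOR_PROTO is an assumption
about which tunnels(5) TYPE admits each carrier protocol; only "ipip" is
shown in the thread itself.
"""
import re

# Log line quoted in the thread (from /var/log/messages on the firewall).
SAMPLE_LOG = ("Jan 19 15:52:24 all2all:REJECT:IN=eth0 OUT= SRC=82.68.107.174 "
              "DST=82.69.161.254 LEN=104 TOS=0x00 PREC=0x00 TTL=57 ID=18630 "
              "DF PROTO=4")

# IANA protocol numbers for the carrier protocols a VPN gateway commonly sees.
# netfilter prints TCP/UDP/ICMP by name and everything else as a number.
IP_PROTOCOLS = {1: "ICMP", 4: "IPIP", 6: "TCP", 17: "UDP", 41: "IPv6",
                47: "GRE", 50: "ESP", 51: "AH"}

# Assumption: tunnels(5) TYPE keyword that admits each carrier protocol from
# the GATEWAY to the ZONE. The thread demonstrates only the "ipip" row.
TUNNEL_TYPE_FOR_PROTO = {"IPIP": "ipip", "GRE": "gre", "ESP": "ipsec",
                         "AH": "ipsec"}

_HEADER = re.compile(r"([A-Za-z0-9_-]+):(ACCEPT|DROP|REJECT):(.*)$")


def parse_netfilter_log(line):
    """Return (chain, verdict, fields) for a Shorewall-style LOG line.

    KEY=VALUE tokens go into fields (OUT= yields an empty string); bare
    flags such as DF are collected under fields['FLAGS'].
    """
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    chain, verdict, rest = m.groups()
    fields, flags = {}, []
    for tok in rest.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.append(tok)
    fields["FLAGS"] = flags
    return chain, verdict, fields


def diagnose(line):
    """Explain a logged packet: which IP protocol it carried and, if that is
    a tunnel carrier, the tunnels(5) TYPE that would let it through."""
    chain, verdict, f = parse_netfilter_log(line)
    raw = f["PROTO"]
    if raw.isdigit():                      # numeric, e.g. PROTO=4
        proto_num = int(raw)
        proto = IP_PROTOCOLS.get(proto_num, "unknown")
    else:                                  # symbolic, e.g. PROTO=TCP
        proto = raw.upper()
        proto_num = next((n for n, name in IP_PROTOCOLS.items()
                          if name == proto), None)
    return {"chain": chain, "verdict": verdict, "in": f.get("IN", ""),
            "src": f["SRC"], "dst": f["DST"], "proto_num": proto_num,
            "proto": proto, "tunnel_type": TUNNEL_TYPE_FOR_PROTO.get(proto)}


def tunnels_entry(line, zone):
    """Render the /etc/shorewall/tunnels row that admits the rejected carrier
    protocol from its source gateway, or None if it is not a tunnel carrier.
    The remote end is the packet's SRC, as in Tom's "ipip vpn 82.68.107.174"."""
    d = diagnose(line)
    if d["tunnel_type"] is None:
        return None
    return "%s\t%s\t%s" % (d["tunnel_type"], zone, d["src"])


if __name__ == "__main__":
    info = diagnose(SAMPLE_LOG)
    print("%(chain)s %(verdict)s %(src)s -> %(dst)s on %(in)s: "
          "protocol %(proto_num)s (%(proto)s)" % info)
    row = tunnels_entry(SAMPLE_LOG, "vpn")
    print("suggested /etc/shorewall/tunnels row:\n#TYPE\tZONE\tGATEWAY\n" + row)
```

The point to take from the script is the one Tom made: a Shorewall REJECT with a numeric PROTO is a carrier protocol the zone policy knows nothing about, and the fix belongs in the tunnels file (keyed on the remote gateway address, which is the logged SRC) rather than in rules or policy. Run `shorewall show log` or grep /var/log/messages for `PROTO=` followed by a digit to find any other such rejects after an upgrade.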