Hi list,

I have a problem creating an IPsec connection. Here is my description.

I have two locations with Shorewall (3.2.9) firewalls.

location a: 172.31.0.0/20 - SUSE 10.2 - kernel 2.6.18.2-34-default -
Policy Match: Available - eth2=wan - eth0=lan

location b: 172.31.16.0/20 - SUSE 10.0 - kernel 2.6.13-15.13-default -
Policy Match: Available - dsl0=wan - eth1=lan

So far they both work fine. Now I want to connect them by IPsec.
I configured racoon; in /var/log/messages I can see 2 lines:

Feb 23 12:11:46 fw racoon: INFO: IPsec-SA established: ESP/Tunnel
213.23.xxx.xxx[0]->87.139.xxx.xxx[0] spi=6115338(0x5d500a)
Feb 23 12:11:46 fw racoon: INFO: IPsec-SA established: ESP/Tunnel
87.139.xxx.xxx[0]->213.23.xxx.xx[0] spi=152085169(0x910a2b1)

In Shorewall I used this config:

/etc/shorewall/tunnels
a:
    ipsec net 87.139.xxx.xxx
b:
    ipsec net 213.23.xxx.xxx

/etc/shorewall/zones
a:
    vpnb ipv4
    net ipv4
    fw firewall
    loc ipv4
b:
    vpna ipv4
    net ipv4
    fw firewall
    loc ipv4

/etc/shorewall/hosts
a:
    vpnb eth2:172.31.0.0/20,87.139.xxx.xxx ipsec
b:
    vpna dsl0:172.31.16.0/20,213.23.xxx.xxx ipsec

/etc/shorewall/masq
a:
    eth2 eth0
b:
    dsl0 eth1

If I ping from a lanclient (location a) to a lanclient (location b) I get
this:

Feb 23 13:09:31 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth2
SRC=172.31.10.2 DST=172.31.29.13 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9068
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27136

What is wrong here?

Kind regards
Peter
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

One additional piece of info: if I ping from a lanclient (location a) to the firewall (location b) I get this:

firewall a:
Feb 23 15:08:08 fw kernel: Shorewall:loc2vpnka:ACCEPT:IN=eth0 OUT=eth2 SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42595 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=31232

firewall b:
Feb 23 15:08:08 fw kernel: Shorewall:INPUT:DROP:IN=dsl0 OUT= MAC= SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=51126 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33280

policy allows
vpn <=> loc
vpn <=> fw

shorewall-users-bounces@lists.sourceforge.net wrote on 23.02.2007 13:48:43:

Sorry for the inconvenience I caused, I found the error.
In both /etc/shorewall/hosts files I mixed up the lan-ips.

Now everything works fine.

Shorewall is great! :-)

shorewall-users-bounces@lists.sourceforge.net wrote on 23.02.2007 15:31:04:

peter.draeger@helvetia.de wrote:
> Sorry for the inconvenience I caused, I found the error.
> In both /etc/shorewall/hosts files I mixed up the lan-ips.
>
> Now everything works fine.

Thanks for letting us know -- I was in the process of responding to your original messages and the error you found is consistent with what I saw.

> Shorewall is great! :-)

Glad to hear that it is working for you.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
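The error Peter found (each firewall's ipsec zone in /etc/shorewall/hosts named its own LAN instead of the peer's) and the symptom in the two log lines (FORWARD:DROP on a, INPUT:DROP on b) can be reproduced with a small checker. This is an added example, not code from the original posts or from the Shorewall project. Assumptions: the masked public addresses 87.139.xxx.xxx and 213.23.xxx.xxx are replaced by the documentation addresses 198.51.100.1 and 203.0.113.1; the hosts lines are the ones posted, next to a corrected form with the LAN networks swapped; zone matching is reduced to what the thread shows (a hosts entry with the `ipsec` option matches decrypted traffic from its listed addresses, and a decrypted packet that matches no zone hits the builtin INPUT chain's policy). The function and constant names are mine.

```python
"""Cross-check the Shorewall IPsec zone definitions from this thread.

Added example, not code from the original posts or the Shorewall project.
The public addresses masked in the thread (87.139.xxx.xxx for site b,
213.23.xxx.xxx for site a) are replaced with documentation addresses, and
zone matching is reduced to what the thread shows: an /etc/shorewall/hosts
entry with the ipsec option matches decrypted traffic from its listed
addresses, and a decrypted packet that matches no zone hits the builtin
INPUT chain's policy (the "Shorewall:INPUT:DROP" line on firewall b).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    lan: ipaddress.IPv4Network
    wan_if: str


@dataclass(frozen=True)
class HostsEntry:
    zone: str
    iface: str
    nets: tuple          # IPv4Network objects listed after "iface:"
    options: frozenset   # e.g. {"ipsec"}


SITE_A = Site("a", ipaddress.ip_network("172.31.0.0/20"), "eth2")
SITE_B = Site("b", ipaddress.ip_network("172.31.16.0/20"), "dsl0")
PEER_B = "198.51.100.1"   # constructed stand-in for 87.139.xxx.xxx
PEER_A = "203.0.113.1"    # constructed stand-in for 213.23.xxx.xxx

# hosts lines as posted: each side names its OWN lan instead of the remote one
POSTED_A = f"vpnb eth2:172.31.0.0/20,{PEER_B} ipsec"
POSTED_B = f"vpna dsl0:172.31.16.0/20,{PEER_A} ipsec"
# corrected: the vpn zone on each side is the peer's lan plus the peer gateway
FIXED_A = f"vpnb eth2:172.31.16.0/20,{PEER_B} ipsec"
FIXED_B = f"vpna dsl0:172.31.0.0/20,{PEER_A} ipsec"


def parse_hosts(text):
    """Parse /etc/shorewall/hosts lines: ZONE IFACE:ADDR[,ADDR...] [OPTIONS]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        zone, hosts = fields[0], fields[1]
        options = frozenset(fields[2].split(",")) if len(fields) > 2 else frozenset()
        iface, _, addrs = hosts.partition(":")
        nets = tuple(ipaddress.ip_network(a, strict=False) for a in addrs.split(","))
        entries.append(HostsEntry(zone, iface, nets, options))
    return entries


def check_vpn_entry(local, remote, entry):
    """Problems with an ipsec zone entry on `local` that should describe `remote`."""
    problems = []
    if "ipsec" not in entry.options:
        problems.append(f"{entry.zone}: no ipsec option, so it would match cleartext on {entry.iface}")
    if entry.iface != local.wan_if:
        problems.append(f"{entry.zone}: on {entry.iface}, but the tunnel terminates on {local.wan_if}")
    for net in entry.nets:
        # a /32 is the peer gateway and is fine; a real prefix inside our own lan is the thread's bug
        if net.prefixlen < 32 and net.subnet_of(local.lan):
            problems.append(f"{entry.zone}: lists the local lan {net} instead of the remote lan {remote.lan}")
    if not any(remote.lan.subnet_of(net) for net in entry.nets):
        problems.append(f"{entry.zone}: remote lan {remote.lan} is not covered, its hosts fall into no zone")
    return problems


def classify_input(entries, iface_zone, iface, src, decrypted):
    """Zone of a packet arriving on `iface` from `src`, or None if no zone matches.

    `iface_zone` is the interface's own zone from /etc/shorewall/interfaces
    (net in the thread); it is assumed to take only cleartext traffic once
    ipsec zones exist on that interface.
    """
    src_ip = ipaddress.ip_address(src)
    if not decrypted:
        return iface_zone
    for e in entries:
        if e.iface == iface and "ipsec" in e.options and any(src_ip in n for n in e.nets):
            return e.zone
    return None


def audit():
    """Run the checks on the posted and corrected configs; returns a summary dict."""
    return {
        "posted_a": check_vpn_entry(SITE_A, SITE_B, parse_hosts(POSTED_A)[0]),
        "posted_b": check_vpn_entry(SITE_B, SITE_A, parse_hosts(POSTED_B)[0]),
        "fixed_a": check_vpn_entry(SITE_A, SITE_B, parse_hosts(FIXED_A)[0]),
        "fixed_b": check_vpn_entry(SITE_B, SITE_A, parse_hosts(FIXED_B)[0]),
        # the ping from 172.31.10.2 as seen on firewall b after decryption
        "ping_posted": classify_input(parse_hosts(POSTED_B), "net", "dsl0", "172.31.10.2", True),
        "ping_fixed": classify_input(parse_hosts(FIXED_B), "net", "dsl0", "172.31.10.2", True),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

With the posted lines the checker reports two problems per side (the entry names the local LAN and leaves the remote LAN uncovered), and the decrypted ping from 172.31.10.2 lands in no zone on b, which is the INPUT:DROP seen in the log rather than a net2fw or vpna2fw decision; with the corrected lines both entries are clean and the same packet classifies as vpna.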