This has been the most annoying experience. It turns out that our service
provider screwed up the rules on their own firewall which was blocking UDP 4500.
Thank you to everyone that tried to help with this.
Regards,
Peter
-----Original Message-----
From: shorewall-users-bounces@lists.sourceforge.net
[mailto:shorewall-users-bounces@lists.sourceforge.net] On Behalf Of Russel
Sent: Thursday, 19 April 2007 2:33 AM
To: Shorewall Users
Subject: Re: [Shorewall-users] IPSec Passthrough fails when using Cisco VPN client
>Any ideas?
I work offsite from my company's main corporate offices. The office
where I work does not allow any traffic in or out of their firewall
without making a formal request to the IT department. I needed to find
out what ports the Cisco VPN used, so I used Shorewall to help me figure
it out. Here is what I did:
Just below the "SECTION NEW" in the rules file, I added this rule:
REJECT:info loc:10.240.5.128 net
10.240.5.128 is the IP address of the system that is trying to connect
using the Cisco VPN.
I then restarted Shorewall and tried to connect with the Cisco VPN. With
the above rule added, my log got several instances of the following
message:
Apr 18 10:07:34 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0
OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30
LEN=898 TOS=0x00 PREC=0x00 TTL=127 ID=30661 PROTO=UDP SPT=500 DPT=500
LEN=878
(You should probably ignore the PHYSIN=tap0 -- I conducted this testing
over another VPN -- I used OpenVPN to connect from work to my home and
then tried using the Cisco VPN client to connect to the corporate office
through my home internet connection. The results would be the same if I
had been in my home.)
The "PROTO=UDP SPT=500 DPT=500" part of the log prompted me to add the
following rule above my previous REJECT rule:
ACCEPT:info loc:10.240.5.128 net UDP 500
I restarted Shorewall again and gave it another try. This time I
received the following messages in my log file:
Apr 18 10:11:07 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0
OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30
LEN=29 TOS=0x00 PREC=0x00 TTL=127 ID=33539 PROTO=UDP SPT=4500 DPT=4500
LEN=9
The "PROTO=UDP SPT=4500 DPT=4500" part of the log message indicated that
I needed to change my accept rule to the following:
ACCEPT:info loc:10.240.5.128 net UDP 500,4500
After restarting Shorewall, everything worked. I submitted a request to
the IT department to allow outbound UDP ports 500 and 4500. Now I can
connect directly without any trouble.
>I have tried to remove shorewall from the equation by doing the
>following with no luck.
>sudo shorewall clear
>sudo iptables -t nat -A POSTROUTING -o eth0 -s 192.168.118.0/24 -j
>MASQUERADE
The above steps from your original post pretty much prove Shorewall
can't be causing any problems, but you might want to try and use its
logging facilities to help you track down if there is some other
problem.
Just an idea
-Russel
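The port-discovery procedure Russel describes, as an added example that is not part of the original thread and not Shorewall's own code: a small Python parser over constructed log lines in the same netfilter LOG format as the ones quoted above, which collects the flows Shorewall rejected per source host and prints the ACCEPT rule line to add to the rules file. The two UDP lines are copied from the thread; the ESP line (a protocol with no port numbers) and the ACCEPT line (to show that non-REJECT entries are ignored) are constructed additions, and the zone names `loc` and `net` are taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample log. The two UDP REJECT lines mirror the ones quoted in
# the thread; the ESP line and the ACCEPT line are constructed additions.
SAMPLE_LOG = """\
Apr 18 10:07:34 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=898 TOS=0x00 PREC=0x00 TTL=127 ID=30661 PROTO=UDP SPT=500 DPT=500 LEN=878
Apr 18 10:11:07 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 PHYSIN=tap0 PHYSOUT=vlan1 SRC=10.240.5.128 DST=208.37.144.30 LEN=29 TOS=0x00 PREC=0x00 TTL=127 ID=33539 PROTO=UDP SPT=4500 DPT=4500 LEN=9
Apr 18 10:11:08 server kern.info kernel: Shorewall:loc2net:REJECT:IN=br0 OUT=br1 SRC=10.240.5.128 DST=208.37.144.30 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=33540 PROTO=ESP SPI=0x1234abcd
Apr 18 10:11:09 server kern.info kernel: Shorewall:loc2net:ACCEPT:IN=br0 OUT=br1 SRC=10.240.5.128 DST=208.37.144.30 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=33541 PROTO=UDP SPT=500 DPT=500 LEN=40
"""

# Shorewall's log prefix is "Shorewall:<chain>:<disposition>:", followed by
# the netfilter LOG target's KEY=value fields.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):")
_KV = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_shorewall_log_line(line):
    """Return chain, disposition and the KEY=value fields of one Shorewall
    log line as a dict, or None if the line is not a Shorewall log line."""
    m = _PREFIX.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for key, value in _KV.findall(line[m.end():]):
        # LEN appears twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def rejected_flows(log_text):
    """Collect (source IP, protocol, destination port) for every REJECT
    entry; the port is None for protocols without ports (e.g. ESP)."""
    flows = set()
    for line in log_text.splitlines():
        f = parse_shorewall_log_line(line)
        if not f or f["disposition"] != "REJECT":
            continue
        if "PROTO" not in f or "SRC" not in f:
            continue
        flows.add((f["SRC"], f["PROTO"], f.get("DPT")))
    return flows


def accept_rules(log_text, source_zone="loc", dest_zone="net"):
    """Turn the rejected flows into rules-file lines in the column order
    ACTION SOURCE DEST PROTO DEST PORT(S), one line per (host, protocol),
    with all destination ports for that protocol merged into one list."""
    ports = defaultdict(set)
    for src, proto, dport in rejected_flows(log_text):
        if dport is not None:
            ports[(src, proto)].add(int(dport))
        else:
            ports.setdefault((src, proto), set())
    rules = []
    for (src, proto), dports in sorted(ports.items()):
        cols = ["ACCEPT", f"{source_zone}:{src}", dest_zone, proto]
        if dports:
            cols.append(",".join(str(p) for p in sorted(dports)))
        rules.append("\t".join(cols))
    return rules


if __name__ == "__main__":
    for rule in accept_rules(SAMPLE_LOG):
        print(rule)
```

Run it against the lines you collected from the REJECT:info rule (for example `grep Shorewall: /var/log/messages`), review the generated lines, and paste only the ones you actually want below SECTION NEW; the script emits one rule per host and protocol so that a single chatty client does not turn into a dozen rules.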
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users