Where would I need to look for this trouble?
May 19 18:54:10 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
MAC=00:04:e2:17:b6:64:00:60:49:80:16:46:08:00 SRC=65.203.186.150
DST=64.42.53.202 LEN=136 TOS=0x00 PREC=0x00 TTL=52 ID=21110 PROTO=ESP
SPI=0xf67a5fe2
I have this vpn working and replying on ipsec, can't figure out why
shorewall is rejecting the ESP protocol.
It was also rejecting port 500 UDP until I wrote a rule to accept 500.
Is shorewall supposed to auto add these with this added to tunnels file?
Thank you,
Mike
version
2.0.2a
tunnels
# TYPE ZONE GATEWAY GATEWAY
# ZONE
ipsec vpn 65.203.186.150
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
zones
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routestopped,norfc1918,routefilter
loc eth1 detect dhcp
vpn ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
rules
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
ACCEPT loc fw tcp 53
ACCEPT loc fw udp 53
ACCEPT net fw tcp 53
ACCEPT net fw udp 53
ACCEPT fw loc tcp 53
ACCEPT fw loc udp 53
#
ACCEPT net:65.203.186.150 fw udp 500
#
# Accept SSH connections from the local network for administration
#
ACCEPT loc fw tcp 80
ACCEPT loc fw tcp 22
ACCEPT net fw tcp 10000
ACCEPT net fw tcp 22
ACCEPT loc fw tcp 10000
REDIRECT loc 3128 tcp www - !10.19.227.1
DNAT net:206.180.25.125 loc:10.19.227.8 tcp 443
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
#
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Policy
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
vpn loc ACCEPT
loc vpn ACCEPT
vpn1 loc ACCEPT
loc vpn1 ACCEPT
fw vpn ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Mike Lander wrote:
> Where would I need to look for this trouble?
> May 19 18:54:10 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT=
> MAC=00:04:e2:17:b6:64:00:60:49:80:16:46:08:00 SRC=65.203.186.150
> DST=64.42.53.202 LEN=136 TOS=0x00 PREC=0x00 TTL=52 ID=21110 PROTO=ESP
> SPI=0xf67a5fe2
>
> I have this vpn working and replying on ipsec, can't figure out why
> shorewall is rejecting the ESP protocol.
> It was also rejecting port 500 UDP until I wrote a rule to accept 500.
> Is shorewall supposed to auto add these with this added to tunnels file?
>
> Thank you,
>
> Mike
> version
> 2.0.2a
>
>
> tunnels
> # TYPE ZONE GATEWAY GATEWAY
> # ZONE
> ipsec vpn 65.203.186.150

65.203.186.150 is in the 'net' zone!!!!

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
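The mistake Tom points at is easy to spot mechanically: the chain named in the Shorewall log prefix (net2all) tells you which zone the firewall put the packet's source in, and that has to match the ZONE column of the tunnels entry for that gateway. The following is an added example written for this page, not code from the thread or from Shorewall. It parses the kernel log line quoted above and a tunnels-file entry (both constructed here from the thread), and reports the mismatch; the assumption that zone names contain no digit 2 (so "net2all" splits into "net" and "all") is mine.

```python
"""Check a Shorewall tunnels entry against a netfilter drop logged by Shorewall.

Added example for this thread; not code from the thread or from Shorewall.
It parses the log line quoted in the thread and a tunnels-file entry, and
reports whether the chain that dropped the packet names the same source
zone as the entry's ZONE column (the column must hold the zone the remote
gateway itself lives in, here 'net', not the zone behind the tunnel).
"""
import re

# Constructed from the log line quoted in the thread (Shorewall 2.x log prefix).
SAMPLE_LOG = (
    "May 19 18:54:10 ns1 kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:04:e2:17:b6:64:00:60:49:80:16:46:08:00 SRC=65.203.186.150 "
    "DST=64.42.53.202 LEN=136 TOS=0x00 PREC=0x00 TTL=52 ID=21110 PROTO=ESP "
    "SPI=0xf67a5fe2"
)

# Constructed tunnels entries: the one posted, and the corrected one.
TUNNEL_AS_POSTED = "ipsec vpn 65.203.186.150"
TUNNEL_FIXED = "ipsec net 65.203.186.150"

# Shorewall logs "<prefix>:<chain>:<disposition>:" followed by the kernel's
# KEY=VALUE packet fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[A-Z]+):(?P<rest>.*)$")

# What the kernel LOG target prints for ESP and AH (name or number).
IPSEC_PROTOS = {"ESP", "50", "AH", "51"}


def parse_log(line):
    """Split a Shorewall-prefixed kernel log line into chain, disposition and
    the KEY=VALUE fields. Assumption: zone names contain no digit 2, so the
    chain 'net2all' splits into source zone 'net' and destination 'all'."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    fields = {}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        fields[key] = value  # "OUT=" yields an empty string, as in the log
    src_zone, _, dst_zone = m.group("chain").partition("2")
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "src_zone": src_zone,
        "dst_zone": dst_zone,
        "fields": fields,
    }


def parse_tunnel(entry):
    """Parse one 'TYPE ZONE GATEWAY [GATEWAY ZONE]' line of the tunnels file."""
    parts = entry.split()
    if len(parts) < 3:
        raise ValueError("tunnels entry needs TYPE ZONE GATEWAY: %r" % entry)
    return {"type": parts[0], "zone": parts[1], "gateway": parts[2]}


def is_ipsec_packet(fields):
    """ESP/AH, or IKE on UDP 500: the traffic the ipsec tunnel type must admit."""
    proto = fields.get("PROTO", "")
    if proto in IPSEC_PROTOS:
        return True
    return proto in ("UDP", "17") and fields.get("DPT") == "500"


def diagnose(log_line, tunnel_entry):
    """Return a list of findings about why the tunnel's traffic was dropped;
    empty if the log line is not an IPsec/IKE drop from this tunnel's gateway."""
    log = parse_log(log_line)
    tun = parse_tunnel(tunnel_entry)
    if log["fields"].get("SRC") != tun["gateway"]:
        return []
    if log["disposition"] not in ("DROP", "REJECT") or not is_ipsec_packet(log["fields"]):
        return []
    if log["src_zone"] != tun["zone"]:
        return [
            "gateway %s was dropped in chain %s, so Shorewall sees it in zone '%s', "
            "but the tunnels entry puts it in zone '%s'; the ZONE column must name "
            "the zone the gateway is in, not the zone behind the tunnel"
            % (tun["gateway"], log["chain"], log["src_zone"], tun["zone"])
        ]
    return [
        "tunnels entry and chain agree on zone '%s'; the ESP/IKE rules should be "
        "generated for it, so make sure Shorewall was restarted after the edit"
        % tun["zone"]
    ]


if __name__ == "__main__":
    for entry in (TUNNEL_AS_POSTED, TUNNEL_FIXED):
        print(entry)
        for finding in diagnose(SAMPLE_LOG, entry):
            print("  -", finding)
```

Run against the posted entry it reports the net/vpn mismatch; against the corrected entry it only reminds you that the new rules appear after a restart. Because the check keys on the gateway address and on ESP/AH/IKE, it also ignores unrelated drops from the same peer.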
Tom wrote,
> > tunnels
> > # TYPE ZONE GATEWAY GATEWAY
> > # ZONE
> > ipsec vpn 65.203.186.150
>
> 65.203.186.150 is in the 'net' zone!!!!

Duh, earth to Landers
Thanks Tom
Also I wonder if you can shed some light on this post when I run:
service ipsec restart
I get: WARNING: changing route filtering on eth0 (changing /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)----Note this

May 19 19:20:48 ns1 ipsec_setup: ...FreeS/WAN IPsec stopped
May 19 19:20:48 ns1 ipsec_setup: Starting FreeS/WAN IPsec 2.06...
May 19 19:20:48 ns1 ipsec_setup: Using /lib/modules/2.4.22-1.2115.nptl/kernel/net/ipsec/ipsec.o
May 19 19:20:48 ns1 kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 2.06
May 19 19:20:48 ns1 ipsec_setup: KLIPS debug `none'
May 19 19:20:49 ns1 kernel:
May 19 19:20:49 ns1 ipsec_setup: KLIPS ipsec0 on eth0 64.42.53.202/255.255.255.248 broadcast 64.42.53.207
May 19 19:20:49 ns1 ipsec_setup: WARNING: changing route filtering on eth0 (changing /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)----Note this
May 19 19:20:49 ns1 ipsec_setup: ...FreeS/WAN IPsec started
Mike Lander wrote:
> Tom wrote,
>
>>> tunnels
>>> # TYPE ZONE GATEWAY GATEWAY
>>> # ZONE
>>> ipsec vpn 65.203.186.150
>>
>> 65.203.186.150 is in the 'net' zone!!!!
>
>
>
> Duh, earth to Landers
> Thanks Tom
> Also I wonder if you can shed some light on this post when I run:
> service ipsec restart
> I get: WARNING: changing route filtering on eth0 (changing
> /proc/sys/net/ipv4/conf/eth0/rp_filter from 1 to 0)----Note this
>

The way that FreeS/Wan perverts the routing table, route filtering doesn't work on the external interface.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net