Ad Koster
2002-Nov-03 21:27 UTC
[Shorewall-users] IPSEC problem related to shorewall or FreeSwan (X509-patches)
Currently I am experiencing a weird problem with some of my IPSEC-tunnels.

On the firewall I installed RH7.3 and the FreeSwan-RPMS found at http://www.spenneberg.org (this site is down for now). Shorewall 1.39b is installed as well.

When a roadwarrior shuts down the connection, the VPN-server tries to send a "delete notification message" which fails and even tries to start a new connection after some time.

cat /var/log/secure tells me that FreeSwan tries to communicate with the other partner via eth0 but /var/log/messages (firewall logs) shows that the outgoing packets are REJECTED on ipsec0.

Does anyone know what could be wrong here?

Thanks
Ad Koster
Tom Eastep
2002-Nov-03 21:44 UTC
[Shorewall-users] IPSEC problem related to shorewall or FreeSwan (X509-patches)
--On Sunday, November 03, 2002 10:27 PM +0100 Ad Koster <lidad@zeelandnet.nl> wrote:

> Currently I am experiencing a weird problem with some of my
> IPSEC-tunnels.
>
> On the firewall I installed RH7.3 and the FreeSwan-RPMS found at
> http://www.spenneberg.org (this site is down for now). Shorewall 1.39b
> is installed as well.
>
> When a roadwarrior shuts down the connection, the VPN-server tries to
> send a "delete notification message" which fails and even tries to start
> a new connection after some time.
>
> cat /var/log/secure tells me that FreeSwan tries to communicate with the
> other partner via eth0 but
>
> /var/log/messages (firewall logs) shows that the outgoing packets are
> REJECTED on ipsec0.

If the firewall log shows ipsec0 then that's the interface that is actually being used.

> Does anyone know what could be wrong here?

If these are UDP 500 packets, this can usually be corrected by naming the remote zone in the third column of your tunnels file entry:

Example:

ipsec 0.0.0.0/0 vpn

where 'vpn' is the zone that you use for the remote ipsec client.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
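Tom's diagnosis hinges on two things the firewall log can confirm before touching the tunnels file: which interface the rejected packets actually leave on, and whether they are IKE (UDP port 500). The script below is an added example, not part of this thread or of Shorewall itself; it assumes the iptables LOG format that Shorewall prefixes with "Shorewall:<chain>:<disposition>:" and runs over a few constructed sample lines (the addresses and timestamps are made up). On a real box you would replace `sample_log` with `grep Shorewall /var/log/messages`.

```shell
#!/bin/sh
# Added example: triage Shorewall REJECT log lines for IKE (UDP 500) traffic.
# The log lines below are constructed in the iptables/Shorewall LOG style;
# they are sample data, not taken from the original poster's system.
sample_log() {
    cat <<'EOF'
Nov  3 22:10:01 fw kernel: Shorewall:fw2net:REJECT:IN= OUT=ipsec0 SRC=192.0.2.1 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=100
Nov  3 22:10:05 fw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1234 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  3 22:10:09 fw kernel: Shorewall:fw2net:REJECT:IN= OUT=ipsec0 SRC=192.0.2.1 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=100
Nov  3 22:10:12 fw kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.1 DST=198.51.100.7 LEN=120 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=100
EOF
}

# count_ike_rejects IFACE
# Reads log lines on stdin and prints how many REJECTed UDP/500 packets
# were leaving via IFACE. A non-zero count on ipsec0 is the symptom
# described in the thread; a zero count on eth0 shows the outgoing IKE
# really does take the ipsec interface, whatever /var/log/secure suggests.
count_ike_rejects() {
    awk -v iface="$1" '
        /REJECT/ && $0 ~ ("OUT=" iface " ") && /PROTO=UDP/ && / DPT=500 / { n++ }
        END { print n + 0 }'
}

# reject_chains
# Reads log lines on stdin and prints "<chain> <count>" for every Shorewall
# chain that rejected something. The chain name (e.g. fw2net) tells you
# which zone pair has no rule for the traffic, which is what the tunnels
# file entry is meant to supply.
reject_chains() {
    awk '
        match($0, /Shorewall:[^:]+:REJECT/) {
            chain = substr($0, RSTART + 10, RLENGTH - 17)   # strip "Shorewall:" and ":REJECT"
            seen[chain]++
        }
        END { for (c in seen) print c, seen[c] }'
}

# Stand-alone run over the sample data.
echo "IKE rejects via ipsec0: $(sample_log | count_ike_rejects ipsec0)"
echo "IKE rejects via eth0:   $(sample_log | count_ike_rejects eth0)"
echo "Rejecting chains:"
sample_log | reject_chains
```

The chain name matters as much as the interface: a reject from fw2net means the firewall's own IKE packets were matched against the fw-to-net policy rather than against a rule for the remote VPN zone, which is exactly the gap that naming the remote zone in the tunnels entry is meant to close.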