Hello -

I was successfully able to test site-to-site VPN but I found a BUG? I have a dynamic IP, so I would prefer to type in my host name rather than the IP address. So when I enter the hostname instead of the IP address it complains when I restart shorewall with the following errors:

Processing /etc/shorewall/tunnels...
iptables v1.2.7: host/network `testbox.testbox.net' not found
Try `iptables -h' or 'iptables --help' for more information.
Terminated

BUT it works with the IP address. I even tried adding the name into the param file and referring to the variable name but got the same error message. Kinda wondering why it does not accept my fully qualified hostname.

Cheers,
shazad
Shazad Malik wrote:
> Hello -
>
> I was successfully able to test site-to-site VPN but I found a BUG?
>
> I have a dynamic IP, so I would prefer to type in my host name rather than
> the IP address. So when I enter the hostname instead of the IP address it
> complains when I restart shorewall with the following errors:
>
> Processing /etc/shorewall/tunnels...
> iptables v1.2.7: host/network `testbox.testbox.net' not found
> Try `iptables -h' or 'iptables --help' for more information.
> Terminated
>
> BUT it works with the IP address. I even tried adding the name into the
> param file and referring to the variable name but got the same error message.
> Kinda wondering why it does not accept my fully qualified hostname.

Because Shorewall DOES NOT ACCEPT FQDNs -- see FAQ #9 (http://www.shorewall.net/FAQ.htm#faq9).

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
hmmmm,

Thanks for the express response!!!

FAQ #9 states: So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's ruleset.

OK but that does not resolve/help a situation where the IP is dynamic via DSL/cable! That means you have to keep a constant check on the remote site IPs, whether or not they have changed, as compared to a hostname where I never have to worry about IPs as they get resolved to their corresponding IP. Unless I am missing something else.... please hit me ;-). I see your point about "trying to protect people from themselves." But for at least VPN with dynamic IPs you can't afford to trace when an IP will change.

cheers
shazad

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, September 23, 2002 5:14 PM
To: Shazad Malik
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] IPSEC question? maybe a bug? anyone!

Because Shorewall DOES NOT ACCEPT FQDNs -- see FAQ #9 (http://www.shorewall.net/FAQ.htm#faq9).

-Tom
Shazad Malik wrote:
> hmmmm,
>
> Thanks for the express response!!!
>
> FAQ #9 states: So changes in the DNS->IP address relationship that occur
> after the firewall has started have absolutely no effect on the firewall's
> ruleset.
>
> OK but that does not resolve/help a situation where the IP is dynamic via
> DSL/cable! That means you have to keep a constant check on the remote site
> IPs, whether or not they have changed, as compared to a hostname where I
> never have to worry about IPs as they get resolved to their corresponding
> IP.
>
> Unless I am missing something else.... please hit me ;-). I see your point
> about "trying to protect people from themselves." But for at least VPN with
> dynamic IPs you can't afford to trace when an IP will change.
>

If you are going to use dynamic IP addresses for tunnel endpoints then in the tunnels file, use 0.0.0.0/0 for the remote gateway address.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Hmmm again,

I guess that's OK with what you suggested as it does not matter whether you have a road warrior certificate or a remote site certificate. As long as 500 and 51 are open and you have the right credentials in ipsec.conf (to start off with...). I guess your solution is workable!

Thanks for your help Tom.... Keep up the great work!!!

Cheers,
shazad

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, September 23, 2002 5:58 PM
To: Shazad Malik
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] IPSEC question? maybe a bug? anyone!

If you are going to use dynamic IP addresses for tunnel endpoints then in the tunnels file, use 0.0.0.0/0 for the remote gateway address.

-Tom
Shazad Malik wrote:
> Hmmm again,
>
> I guess that's OK with what you suggested as it does not matter whether you
> have a road warrior certificate or a remote site certificate. As long as 500
> and 51 are open and you have the right credentials in ipsec.conf (to start
> off with...). I guess your solution is workable!

I think so -- if the remote site IP can be narrowed down to a subnet, you can always specify that subnet in the tunnels file rather than 0.0.0.0/0.

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep   \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
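The two points of the thread, as an added example that is not part of the original messages or of Shorewall itself, in Python: a rule built from an FQDN freezes whatever address DNS returned when iptables loaded it (the FAQ #9 behaviour), so a hostname buys you nothing but a stale rule plus a load-time failure when the name cannot be resolved; and for a peer on a dynamic address the tunnels entry uses 0.0.0.0/0 or, narrower, the smallest subnet covering the addresses the peer has been seen at (Tom's last suggestion). The resolver is injected and the hostname, DNS answers and observed addresses are constructed so the script runs offline; the TYPE/ZONE/GATEWAY column order is the tunnels-file layout, the zone name `net` is an assumption.

```python
"""Dynamic IPsec peer addresses with iptables/Shorewall (added example, not Shorewall code).

Models the two points made in the thread:
  1. iptables resolves a hostname once, when the rule is loaded, and the kernel
     stores only the IP; DNS changes afterwards never reach the ruleset.
  2. For a peer on a dynamic address the tunnels entry uses 0.0.0.0/0 or, better,
     the smallest subnet covering the addresses the peer has been seen at.
The resolver is injected so the script runs offline; hostname, DNS answers and
observed addresses below are constructed for the example.
"""
import ipaddress
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], Optional[str]]  # hostname -> dotted IPv4, or None if unknown


def snapshot_rule(hostname: str, resolve: Resolver) -> str:
    """What iptables does with a name: resolve it now and freeze the result.

    Mirrors the thread's error text when the lookup fails
    ("host/network `...' not found").
    """
    ip = resolve(hostname)
    if ip is None:
        raise ValueError(f"host/network `{hostname}' not found")
    return ip  # only this address ends up in the kernel rule


def rule_is_stale(loaded_ip: str, hostname: str, resolve: Resolver) -> bool:
    """True when DNS now answers with an address other than the one frozen
    into the rule, i.e. when a firewall restart is due."""
    return resolve(hostname) != loaded_ip


def covering_subnet(addresses: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest IPv4 CIDR containing every observed peer address.

    With no observations there is nothing to narrow to, so this returns
    0.0.0.0/0, the catch-all from the thread.
    """
    addrs = [int(ipaddress.IPv4Address(a)) for a in addresses]
    if not addrs:
        return ipaddress.IPv4Network("0.0.0.0/0")
    first, prefix = addrs[0], 32
    for a in addrs[1:]:
        # shorten the prefix until both addresses share the leading bits
        while prefix > 0 and (first >> (32 - prefix)) != (a >> (32 - prefix)):
            prefix -= 1
    return ipaddress.IPv4Network((first, prefix), strict=False)


def tunnels_line(gateway: ipaddress.IPv4Network, zone: str = "net",
                 tunnel_type: str = "ipsec") -> str:
    """One /etc/shorewall/tunnels entry: TYPE ZONE GATEWAY (zone name assumed)."""
    return f"{tunnel_type}\t{zone}\t{gateway.with_prefixlen}"


# Constructed DNS answers: the peer's dynamic address changes between two loads.
DNS_AT_LOAD: Dict[str, str] = {"testbox.testbox.net": "203.0.113.17"}
DNS_LATER: Dict[str, str] = {"testbox.testbox.net": "203.0.113.203"}
# Constructed: addresses the peer was observed at over a few weeks.
SEEN_FROM_PEER = ["203.0.113.17", "203.0.113.203", "203.0.113.90"]


def demo() -> Dict[str, object]:
    loaded = snapshot_rule("testbox.testbox.net", DNS_AT_LOAD.get)
    narrowed = covering_subnet(SEEN_FROM_PEER)
    return {
        "loaded_ip": loaded,
        "stale_after_dns_change": rule_is_stale(loaded, "testbox.testbox.net", DNS_LATER.get),
        "narrowed_gateway": str(narrowed),
        "tunnels_line": tunnels_line(narrowed),
        "catch_all_line": tunnels_line(ipaddress.IPv4Network("0.0.0.0/0")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things worth keeping in mind when you apply this. With 0.0.0.0/0 the firewall admits IKE on UDP 500 and the ESP/AH protocols from any source, so the peer's identity then rests entirely on the IKE authentication in ipsec.conf (certificates or a strong pre-shared key); narrowing the gateway to the ISP's pool reduces how much of the Internet can talk to the IKE daemon, it does not authenticate anyone. And `rule_is_stale` is the "constant check" Shazad did not want to do by hand: run from cron against the hostname, it tells you when the frozen address no longer matches DNS and a `shorewall restart` is due, should you insist on keeping a fixed gateway address in the rules.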