Hello,

After I've switched from 2.1.6 to 2.1.11 I could not run Xserver (TCP 6000) over ipsec anymore, so I've reinstalled 2.1.6. Is it a bug or configuration issue? The error is:

Shorewall:net2all:DROP: IN=eth0 OUT=eth1 MAC=00:50:da:2d:c1:6c:00:0c:31:f6:c4:8d:08:00 SRC=192.168.123.150 DST=192.168.1.2 LEN=48 TOS=00 PREC=0x00 TTL=62 ID=36507 CE PROTO=TCP SPT=35069 DPT=6000 SEQ=4134459834 ACK=0 WINDOW=49640 SYN URGP=0

It seems that it is going to net zone bypassing vpn. I have no entries in ipsec, just in hosts:

vpn    eth0:192.168.123.0/24    ipsec
vpn    eth0:192.168.0.0/24      ipsec

Zones:

vpn    VPN      Remote networks
net    Net      Internet
loc    Local    Local networks

Tunnels:

ipsec    net    <IP1>
ipsec    net    <IP2>

Changes to ipsec / hosts / tunnels and creating action.AllowX did not help. I'm running SuSe 9.1 version 2.6.5-7.108-default.

1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,NOTRAILERS,UP> mtu 1500 qdisc htb qlen 1000
    link/ether 00:50:da:2d:c1:6c brd ff:ff:ff:ff:ff:ff
    inet 67.49.71.7/20 brd 255.255.255.255 scope global eth0
    inet6 fe80::250:daff:fe2d:c16c/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:da:2d:c2:46 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
    inet6 fe80::250:daff:fe2d:c246/64 scope link
       valid_lft forever preferred_lft forever
4: sit0: <NOARP> mtu 1480 qdisc noqueue
    link/sit 0.0.0.0 brd 0.0.0.0

Thank you in advance,
Alex.
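A small triage helper for the DROP line quoted above, added here as an example (it is not from the list thread or from Shorewall itself): it parses Shorewall log lines and flags packets whose SRC lies in a range declared in hosts for an ipsec zone but that were logged by a chain built for a different source zone, which is the "going to net zone bypassing vpn" symptom Alex describes. The HOSTS mapping, the second constructed log line and the <src>2<dst> chain-name convention are assumptions.

```python
import re
import ipaddress

# Constructed sample: the net2all DROP line from the post, plus a constructed
# ACCEPT line from the other declared ipsec range for contrast.
SAMPLE_LOG = """\
Shorewall:net2all:DROP: IN=eth0 OUT=eth1 MAC=00:50:da:2d:c1:6c:00:0c:31:f6:c4:8d:08:00 SRC=192.168.123.150 DST=192.168.1.2 LEN=48 TOS=00 PREC=0x00 TTL=62 ID=36507 CE PROTO=TCP SPT=35069 DPT=6000 SEQ=4134459834 ACK=0 WINDOW=49640 SYN URGP=0
Shorewall:vpn2loc:ACCEPT: IN=eth0 OUT=eth1 SRC=192.168.0.20 DST=192.168.1.2 PROTO=TCP SPT=40000 DPT=23 SYN
"""

# Zone membership as declared in the poster's /etc/shorewall/hosts (assumed).
HOSTS = {"vpn": ["192.168.123.0/24", "192.168.0.0/24"]}

PREFIX = re.compile(r"^Shorewall:(?P<chain>\w+):(?P<verdict>[A-Z]+):\s*(?P<rest>.*)$")
KV = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Split one Shorewall log line into chain, verdict, KEY=value fields and bare flag tokens."""
    m = PREFIX.match(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    rec.update(KV.findall(m.group("rest")))
    # Tokens without '=' are TCP flags / ECN marks such as SYN, ACK, CE.
    rec["flags"] = [t for t in m.group("rest").split() if "=" not in t]
    return rec


def zone_for(ip, hosts=HOSTS):
    """Zone whose declared host ranges contain ip, or None if undeclared."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in hosts.items():
        if any(addr in ipaddress.ip_network(net) for net in nets):
            return zone
    return None


def zone_mismatches(log, hosts=HOSTS):
    """Records whose SRC is in a declared zone range but whose logging chain
    was built for a different source zone (assumes <src>2<dst> chain naming)."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if not rec or "SRC" not in rec:
            continue
        expected = zone_for(rec["SRC"], hosts)
        actual = rec["chain"].split("2", 1)[0]
        if expected and actual != expected:
            rec["expected_zone"] = expected
            hits.append(rec)
    return hits
```

A non-empty result means the kernel's ipsec policy match did not classify the packet into the zone its address was declared in, so the next thing to compare is the generated netfilter ruleset, which is what "shorewall status" shows.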
Alex wrote:
> Hello,
>
> After I've switched from 2.1.6 to 2.1.11 I could not run Xserver (TCP 6000)
> over ipsec anymore, so I've reinstalled 2.1.6.
> Is it a bug or configuration issue?
>

Without the output of "shorewall status" and a copy of your /etc/shorewall/config directory, I can't tell you.

-Tom

--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key
Alex wrote:
> Hello Tom,
>
> Here is an output from 2.1.6.

Interesting but not useful -- I need to see the netfilter configuration that *isn't* working, not the one that is working.

> There is no directory /etc/shorewall/config.

I of course meant /etc/shorewall

> Telnet, ftp, and ping are working fine to ipsec'd hosts in 2.1.11.
>
> Also, is there some reason why I cannot trace route to an ipsec'd host?
> It gives me the following, where line 2 is repeated over and over.
>
> 1    <1 ms    <1 ms    <1 ms    192.168.1.1
> 2    *        *        *        Request timed out.

Works fine here... Do you have SAs between the ipsec hosts and the Shorewall system? You need them.

-Tom

--
Tom Eastep            \ Nothing is foolproof to a sufficiently talented fool
Shoreline,            \ http://shorewall.net
Washington USA        \ teastep@shorewall.net
PGP Public Key        \ https://lists.shorewall.net/teastep.pgp.key