Hi,
I'm using IPSEC in a multi-ISP configuration,
lsm 0.131, Kernel 2.6.32, ipsec-tools 0.8.0
This worked fine with Shorewall/Shorewall-Lite 4.5.7.
After updating Shorewall to 4.5.8 the routing of ESP packets doesn't work.
If I change the Providers.pm file and add connmark => "! --mark 0/$mask" like before in Shorewall 4.5.7, then everything works fine.

    add_ijump $mangle_table->{$_}, j => 'CONNMARK',
        targetopts => "--restore-mark --mask $mask",
        connmark => "! --mark 0/$mask"
        for qw/PREROUTING OUTPUT/;

Thank you very much for your help and time.
Kind regards
Edy Corak
--
Edy Corak
Löns Hotel
Hermann-Löns-Str. 29
30827 Garbsen, Germany
Tel.: +49 5131 49880
Fax.: +49 5131 49888
E-Mail: edy@loenshotel.de
Internet: http://www.loenshotel.de
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel

On 10/8/12 12:55 PM, "Edy Corak" <edy@loenshotel.de> wrote:
>Hi,
>
>I'm using IPSEC in a multi-ISP configuration,
>lsm 0.131, Kernel 2.6.32, ipsec-tools 0.8.0
>
>This worked fine with Shorewall/Shorewall-Lite 4.5.7.
>
>After updating Shorewall to 4.5.8 the routing of ESP packets doesn't work.
>
>If I change the Providers.pm file and add connmark => "! --mark
>0/$mask" like before in Shorewall 4.5.7 then everything works fine.
>
>add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts =>
>"--restore-mark --mask $mask", connmark => "! --mark
>0/$mask" for qw/PREROUTING OUTPUT/;
>
>Thank you very much for your help and time.

What is your setting of USE_DEFAULT_RT?

Thanks,
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.

On 09.10.2012 01:21, Tom Eastep wrote:
> On 10/8/12 12:55 PM, "Edy Corak" <edy@loenshotel.de> wrote:
>
>> >Hi,
>> >
>> >I'm using IPSEC in a multi-ISP configuration,
>> >lsm 0.131, Kernel 2.6.32, ipsec-tools 0.8.0
>> >
>> >This worked fine with Shorewall/Shorewall-Lite 4.5.7.
>> >
>> >After updating Shorewall to 4.5.8 the routing of ESP packets doesn't work.
>> >
>> >If I change the Providers.pm file and add connmark => "! --mark
>> >0/$mask" like before in Shorewall 4.5.7 then everything works fine.
>> >
>> >add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts =>
>> >"--restore-mark --mask $mask", connmark => "! --mark
>> >0/$mask" for qw/PREROUTING OUTPUT/;
>> >
>> >Thank you very much for your help and time.
> What is your setting of USE_DEFAULT_RT?
>
> Thanks,
> -Tom
> You do not need a parachute to skydive. You only need a parachute to
> skydive twice.

USE_DEFAULT_RT=No

Thanks
Edy

On 10/08/2012 09:22 PM, Edy Corak wrote:
> On 09.10.2012 01:21, Tom Eastep wrote:
>> On 10/8/12 12:55 PM, "Edy Corak" <edy@loenshotel.de> wrote:
>>
>>>> Hi,
>>>>
>>>> I'm using IPSEC in a multi-ISP configuration,
>>>> lsm 0.131, Kernel 2.6.32, ipsec-tools 0.8.0
>>>>
>>>> This worked fine with Shorewall/Shorewall-Lite 4.5.7.
>>>>
>>>> After updating Shorewall to 4.5.8 the routing of ESP packets doesn't work.
>>>>
>>>> If I change the Providers.pm file and add connmark => "! --mark
>>>> 0/$mask" like before in Shorewall 4.5.7 then everything works fine.
>>>>
>>>> add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts =>
>>>> "--restore-mark --mask $mask", connmark => "! --mark
>>>> 0/$mask" for qw/PREROUTING OUTPUT/;
>>>>
>>>> Thank you very much for your help and time.
>> What is your setting of USE_DEFAULT_RT?
>>
>> Thanks,
>> -Tom
>> You do not need a parachute to skydive. You only need a parachute to
>> skydive twice.
>
> USE_DEFAULT_RT=No
>

Okay -- I will want to see the output of 'shorewall dump'; you can send it privately if you like.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________