Hello all,
i have some troubles with pptpd and shorewall.
here is my config:

-----192.168.1.0-----|router|------192.168.2.0------|pptpd|-------internet------
                  |                              |
-----192.168.4.0---                              |
                  |                       |another server|
-----192.168.5.0---

let me explain the trouble:
when i assign the pptpd clients the ip range 192.168.2.100-150 then i can:
1. reach the "another server"
2. can not reach the networks behind the router (also i can not ping the router)
   the pptpd server can successfully reach the networks?!
i did some tests and configured the clients for getting ip addresses from the
range 192.168.3.100-150, and i configured the router with a static route for
192.168.3.0 whose next hop is the pptpd server.
now i can:
1. reach the "another server"
2. reach the router and the networks behind.
but why?? and what can i do that it works with the 192.168.2.100-150 ip
range? masq them?
ipsec is also running on the box.. works.. but also i can not reach the
router and the networks behind.
i know that this is not really a problem with shorewall, but maybe someone
on this list can give me a hint.
best regards
Wolfgang

here are my config files (with the working 192.168.3.0 range) and
pptpd/ipsec, in this config the ipsec daemon is currently not running.. so
you can not see it in ifconfig.
pptpd.conf
speed 115200
option /etc/ppp/options
localip 192.168.3.1
remoteip 192.168.3.100-150
listen xx.xx.xx.x
pidfile /var/run/pptpd.pid
options
ipparam PoPToP
lock
mtu 1490
mru 1490
multilink
auth
#+chap
#+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless
cerberus:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:08:C7:99:97:B1
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:15910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:6 txqueuelen:100
          RX bytes:2536302 (2.4 Mb)  TX bytes:510014 (498.0 Kb)
          Interrupt:11 Base address:0x2000 Memory:40200000-40200038
eth1      Link encap:Ethernet  HWaddr 00:10:5A:4A:ED:44
          inet addr:xx.xx.xx.x  Bcast:xx.xxx.xx.x  Mask:xxx.xxx.xxx.xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1582 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2051 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1 txqueuelen:100
          RX bytes:186740 (182.3 Kb)  TX bytes:386120 (377.0 Kb)
          Interrupt:11 Base address:0x2080
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
net      eth1           xx.xxx.xx.x     noping,norfc1918
loc      eth0           192.168.2.255
-        ppp+           192.168.3.255
gw       ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
gw      gw              ipsec
#dmz    DMZ             Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall 1.3 - /etc/shorewall/tunnels
#
#       This file defines IPSEC, GRE and IPIP tunnels.
#
#       IPIP and GRE tunnels must be configured on the firewall/gateway itself.
#       IPSEC endpoints may be defined on the firewall/gateway or on an
#       internal system.
#
#
# TYPE          ZONE    GATEWAY         GATEWAY ZONE
ipsec           net     0.0.0.0/0       gw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
#       This file determines what to do with a new connection request if we
#       don't get a match from the /etc/shorewall/rules file or from the
#       /etc/shorewall/common[.def] file. For each source/destination pair, the
#       file is processed in order until a match is found ("all" will match
#       any client or server).
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             loc             ACCEPT
loc             gw              ACCEPT
gw              loc             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
#
#       Rules in this file govern connection establishment. Requests and
#       responses are automatically allowed using connection tracking.
#
#       In most places where an IP address or subnet is allowed, you
#       can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#       indicate that the rule matches all addresses except the address/subnet
#       given. Notice that no white space is permitted between "!" and the
#       address/subnet.
##############################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST
ACCEPT   loc            fw              tcp     22
ACCEPT   net            fw              tcp     1723
ACCEPT   net            fw              47      -
ACCEPT   fw             net             47      -
ACCEPT   fw             net             tcp     53
ACCEPT   fw             net             udp     53
ACCEPT   fw             net             tcp     21
ACCEPT   fw             loc             tcp     123
ACCEPT   fw             loc             udp     123
ACCEPT   fw             loc             tcp     21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 - /etc/shorewall/hosts
#
#
#ZONE           HOST(S)         OPTIONS
loc             eth0:192.168.1.0/24     routestopped
loc             eth0:192.168.2.0/24     routestopped
loc             eth0:192.168.4.0/24     routestopped
loc             eth0:192.168.5.0/24     routestopped
loc             ppp+:192.168.3.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
On Mon, 17 Jun 2002, webmaster@hackenschmiede.com wrote:
>
> here are my config files (with the working 192.168.3.0 range) and
> pptpd/ipsec,
> in this config the ipsec daemon is currently not running.. so you can not see
> it in ifconfig.
>

We would be able to help a lot more if you showed us the configuration
files that DON'T work.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
webmaster@hackenschmiede.com
2002-Jun-17  16:06 UTC
AW: [Shorewall-users] PPTPD and shorewall
hello tom,
the difference is only the network that the pptp clients get.
best regards
Wolfgang
here are the correct config files:
pptpd.conf
speed 115200
option /etc/ppp/options
localip 192.168.2.2
remoteip 192.168.2.100-150
listen xx.xx.xx.x
pidfile /var/run/pptpd.pid
options
ipparam PoPToP
lock
mtu 1490
mru 1490
multilink
auth
#+chap
#+chapms
+chapms-v2
ipcp-accept-local
ipcp-accept-remote
lcp-echo-failure 30
lcp-echo-interval 5
deflate 0
mppe-128
mppe-stateless
require-mppe
require-mppe-stateless
cerberus:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:08:C7:99:97:B1
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:15910 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3899 errors:0 dropped:0 overruns:0 carrier:0
          collisions:6 txqueuelen:100
          RX bytes:2536302 (2.4 Mb)  TX bytes:510014 (498.0 Kb)
          Interrupt:11 Base address:0x2000 Memory:40200000-40200038
eth1      Link encap:Ethernet  HWaddr 00:10:5A:4A:ED:44
          inet addr:xx.xx.xx.x  Bcast:xx.xxx.xx.x  Mask:xxx.xxx.xxx.xxx
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1582 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2051 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1 txqueuelen:100
          RX bytes:186740 (182.3 Kb)  TX bytes:386120 (377.0 Kb)
          Interrupt:11 Base address:0x2080
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
#
# Shorewall 1.3 -- Interfaces File
#
# /etc/shorewall/interfaces
#
#       You must add an entry in this file for each network interface on your
#       firewall system.
#
##############################################################################
#ZONE    INTERFACE      BROADCAST       OPTIONS
net      eth1           xx.xxx.xx.x     noping,norfc1918
loc      eth0           192.168.2.255
-        ppp+           192.168.2.255
gw       ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
#       ZONE            Short name of the zone
#       DISPLAY         Display name of the zone
#       COMMENTS        Comments about the zone
#
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local networks
gw      gw              ipsec
#dmz    DMZ             Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
#
# Shorewall 1.3 - /etc/shorewall/tunnels
#
#       This file defines IPSEC, GRE and IPIP tunnels.
#
#       IPIP and GRE tunnels must be configured on the firewall/gateway itself.
#       IPSEC endpoints may be defined on the firewall/gateway or on an
#       internal system.
#
#
# TYPE          ZONE    GATEWAY         GATEWAY ZONE
ipsec           net     0.0.0.0/0       gw
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 -- Policy File
#
# /etc/shorewall/policy
#
#       This file determines what to do with a new connection request if we
#       don't get a match from the /etc/shorewall/rules file or from the
#       /etc/shorewall/common[.def] file. For each source/destination pair, the
#       file is processed in order until a match is found ("all" will match
#       any client or server).
###############################################################################
#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
loc             loc             ACCEPT
loc             gw              ACCEPT
gw              loc             ACCEPT
net             all             DROP            info
all             all             REJECT          info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#
# Shorewall version 1.3 - Rules File
#
# /etc/shorewall/rules
#
#       Rules in this file govern connection establishment. Requests and
#       responses are automatically allowed using connection tracking.
#
#       In most places where an IP address or subnet is allowed, you
#       can precede the address/subnet with "!" (e.g., !192.168.1.0/24) to
#       indicate that the rule matches all addresses except the address/subnet
#       given. Notice that no white space is permitted between "!" and the
#       address/subnet.
##############################################################################
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST
ACCEPT   loc            fw              tcp     22
ACCEPT   net            fw              tcp     1723
ACCEPT   net            fw              47      -
ACCEPT   fw             net             47      -
ACCEPT   fw             net             tcp     53
ACCEPT   fw             net             udp     53
ACCEPT   fw             net             tcp     21
ACCEPT   fw             loc             tcp     123
ACCEPT   fw             loc             udp     123
ACCEPT   fw             loc             tcp     21
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
#
# Shorewall 1.3 - /etc/shorewall/hosts
#
#
#ZONE           HOST(S)         OPTIONS
loc             eth0:192.168.1.0/24     routestopped
loc             eth0:192.168.2.0/24     routestopped
loc             eth0:192.168.4.0/24     routestopped
loc             eth0:192.168.5.0/24     routestopped
loc             ppp+:192.168.2.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, 17 June 2002 15:15
To: webmaster@hackenschmiede.com
Cc: shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] PPTPD and shorewall

On Mon, 17 Jun 2002, webmaster@hackenschmiede.com wrote:
>
> here are my config files (with the working 192.168.3.0 range) and
> pptpd/ipsec,
> in this config the ipsec daemon is currently not running.. so you can not
> see it in ifconfig.
>

We would be able to help a lot more if you showed us the configuration
files that DON'T work.
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
On Mon, 17 Jun 2002, webmaster@hackenschmiede.com wrote:
> hello tom,
>
> the difference is only the network that the pptp clients get.
>
> best regards
> Wolfgang
>
> here are the correct config files:
>
> pptpd.conf
>
> speed 115200
> option /etc/ppp/options
> localip 192.168.2.2
> remoteip 192.168.2.100-150
> listen xx.xx.xx.x
> pidfile /var/run/pptpd.pid
>
> options
>
> ipparam PoPToP
> lock
> mtu 1490
> mru 1490
> multilink
> auth
> #+chap
> #+chapms
> +chapms-v2
> ipcp-accept-local
> ipcp-accept-remote
> lcp-echo-failure 30
> lcp-echo-interval 5
> deflate 0
> mppe-128
> mppe-stateless
> require-mppe
> require-mppe-stateless
>

You are missing the proxyarp specification.

> [ifconfig output as in the previous message]
>
> # Shorewall 1.3 -- Interfaces File
> #
> # /etc/shorewall/interfaces
> #
> #ZONE    INTERFACE      BROADCAST       OPTIONS
> net      eth1           xx.xxx.xx.x     noping,norfc1918
> loc      eth0           192.168.2.255
> -        ppp+           192.168.2.255

A BROADCAST address is bogus on a point-to-point interface.

> gw       ipsec0
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> [zones, tunnels, policy and rules files as in the previous message]
>
> # Shorewall 1.3 - /etc/shorewall/hosts
> #
> #ZONE           HOST(S)         OPTIONS
> loc             eth0:192.168.1.0/24     routestopped
> loc             eth0:192.168.2.0/24     routestopped
> loc             eth0:192.168.4.0/24     routestopped
> loc             eth0:192.168.5.0/24     routestopped

You will end up with a MUCH smaller ruleset if you replace the above with:

loc             eth0:0.0.0.0/0          routestopped

> loc             ppp+:192.168.2.0/24
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
webmaster@hackenschmiede.com
2002-Jun-18  12:06 UTC
AW: AW: [Shorewall-users] PPTPD and shorewall
>> # Shorewall 1.3 - /etc/shorewall/hosts
>> #
>> #ZONE           HOST(S)         OPTIONS
>> loc             eth0:192.168.1.0/24     routestopped
>> loc             eth0:192.168.2.0/24     routestopped
>> loc             eth0:192.168.4.0/24     routestopped
>> loc             eth0:192.168.5.0/24     routestopped
>
> You will end up with a MUCH smaller ruleset if you replace the above with:
>
> loc             eth0:0.0.0.0/0          routestopped
>
>> loc             ppp+:192.168.2.0/24
>>
>> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
>>

thanx, but this would not solve my problem ;)

is there no one with more networks (and routers) behind an ipsec or pptpd
gateway?
On Tue, 18 Jun 2002, webmaster@hackenschmiede.com wrote:
> >> # Shorewall 1.3 - /etc/shorewall/hosts
> >> #
> >> #ZONE           HOST(S)         OPTIONS
> >> loc             eth0:192.168.1.0/24     routestopped
> >> loc             eth0:192.168.2.0/24     routestopped
> >> loc             eth0:192.168.4.0/24     routestopped
> >> loc             eth0:192.168.5.0/24     routestopped
> >
> > You will end up with a MUCH smaller ruleset if you replace the above with:
> >
> > loc             eth0:0.0.0.0/0          routestopped
> >
> >> loc             ppp+:192.168.2.0/24
> >>
> >> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
> >>
>
> thanx, but this would not solve my problem ;)

I didn't say that the above change would solve your problem -- I said it
would create a much smaller rule set. I actually thought that the missing
proxyarp spec might have helped though.

> is there no one with more networks (and routers) behind an ipsec or pptpd
> gateway?
>

Is your end of the pptp/ipsec tunnel the default gateway for the remote
clients? If not, do these clients add additional routes through the tunnel
to your other subnets? If they don't do one or the other then the remote
clients have absolutely no clue how to route packets to those other
subnets.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
webmaster@hackenschmiede.com
2002-Jun-18  15:01 UTC
AW: AW: AW: [Shorewall-users] PPTPD and shorewall
>> is there no one with more networks (and routers) behind an ipsec or pptpd
>> gateway?
>
> Is your end of the pptp/ipsec tunnel the default gateway for the remote
> clients? If not, do these clients add additional routes through the tunnel
> to your other subnets? If they don't do one or the other then the remote
> clients have absolutely no clue how to route packets to those other
> subnets.

the server is the default gateway for the remote clients, and the server can
reach all other subnets, he has static route for the subnets that point to the
router.

the default gateway on the server points to the internet router.

i have added this into "masq":

eth0 192.168.2.0/24 192.168.2.2

and now my pptp clients can reach the other networks.

but not clients with ipsec?

i think i understand something completely wrong ;(

here is my actual config:

---192.168.1.0------|router|-------|shorewall|-------internet------pptpd and ipsec clients
                  |         192.168.2.0
---192.168.4.0----|
                  |
---192.168.5.0----|
                  |
---some wan links-|

best regards
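Tom's routing question and Wolfgang's masq line both come down to one thing: how the inner router gets its reply back to a PPTP client. The following is an added example, not code from the thread, from Shorewall or from pptpd: a constructed model of the router's longest-prefix route lookup and ARP resolution on the 192.168.2.0 segment. It assumes the router sits at 192.168.2.1 and uses a client at 192.168.2.120 (neither address is given in the thread) and runs the thread's four cases: the 192.168.2.100-150 pool without proxyarp, the same pool with the proxyarp option Tom mentions, the 192.168.3.100-150 pool with the router's static route, and the masq entry.

```python
import ipaddress

# Constructed model of this thread's topology (not the poster's real network
# and not Shorewall/pptpd code). The inner router is assumed at 192.168.2.1;
# the pptpd box "cerberus" is 192.168.2.2 and terminates the PPP tunnel. Both
# sit on the 192.168.2.0/24 Ethernet segment (cerberus' eth0).
ROUTER_IP = ipaddress.ip_address("192.168.2.1")
CERBERUS_IP = ipaddress.ip_address("192.168.2.2")


def _net(s):
    return ipaddress.ip_network(s)


# The router's forwarding table as described: its own subnets are directly
# connected (no next hop). The working case from the thread adds a static
# route for 192.168.3.0/24 with the pptpd server as next hop. The router's
# default route is not modelled.
BASE_ROUTES = [(_net("192.168.2.0/24"), None), (_net("192.168.1.0/24"), None),
               (_net("192.168.4.0/24"), None), (_net("192.168.5.0/24"), None)]
ROUTES_WITH_STATIC = BASE_ROUTES + [(_net("192.168.3.0/24"), CERBERUS_IP)]


def who_answers_arp(target, proxy_arp_hosts):
    """Which box answers an ARP request for `target` on the 192.168.2.0
    segment. pppd's `proxyarp` option makes cerberus answer for each
    connected peer's address; without it nobody owns 192.168.2.100-150."""
    if target == ROUTER_IP:
        return "router"
    if target == CERBERUS_IP or target in proxy_arp_hosts:
        return "cerberus"
    return None


def router_return_path(client_ip, routes, proxy_arp_hosts=(), masq_to=None):
    """How the inner router delivers its reply to a PPTP client.

    routes: (network, next_hop or None) pairs; longest prefix wins.
    proxy_arp_hosts: peer addresses cerberus proxy-ARPs for.
    masq_to: address cerberus rewrote the client's source to (the thread's
    Shorewall masq entry `eth0 192.168.2.0/24 192.168.2.2`), if any.
    The forward direction is not modelled: the thread says cerberus itself
    reaches every subnet, so only the reply path can fail.
    """
    dst = ipaddress.ip_address(masq_to or client_ip)
    proxy_arp_hosts = {ipaddress.ip_address(h) for h in proxy_arp_hosts}
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return "no route"
    _, next_hop = max(matches, key=lambda r: r[0].prefixlen)
    # Directly connected: ARP for the destination itself. Via a gateway: ARP
    # only for the gateway, which then forwards over the PPP link.
    arp_target = next_hop if next_hop is not None else dst
    answered_by = who_answers_arp(arp_target, proxy_arp_hosts)
    if answered_by is None:
        return f"ARP for {arp_target} unanswered, reply dropped"
    return f"delivered via {answered_by}"


if __name__ == "__main__":
    cases = {
        "2.100-150 pool, no proxyarp": ("192.168.2.120", BASE_ROUTES, (), None),
        "2.100-150 pool, proxyarp": ("192.168.2.120", BASE_ROUTES, ("192.168.2.120",), None),
        "3.100-150 pool, static route": ("192.168.3.120", ROUTES_WITH_STATIC, (), None),
        "2.100-150 pool, masq to .2.2": ("192.168.2.120", BASE_ROUTES, (), "192.168.2.2"),
    }
    for name, (client, routes, parp, masq) in cases.items():
        print(f"{name:30} -> {router_return_path(client, routes, parp, masq)}")
```

The masq case works because the router never sees a 192.168.2.1xx source at all; the price is that every PPTP client appears as 192.168.2.2 to the inner networks, so the router's logs can no longer tell the clients apart.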
On Tue, 18 Jun 2002, webmaster@hackenschmiede.com wrote:
> the default gateway on the server points to the internet router.
>
> i have added this into "masq":
>
> eth0 192.168.2.0/24 192.168.2.2
>
> and now my pptp clients can reach the other networks.
>
> but not clients with ipsec?
>
> i think i understand something completely wrong ;(
>

When we were running IPSEC, we were never able to access more than one
subnet on the other end either (although we didn't try real hard). I would
post on the FreeS/Wan list since I don't think this is a Shorewall issue.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
webmaster@hackenschmiede.com
2002-Jun-18  15:35 UTC
AW: AW: AW: AW: [Shorewall-users] PPTPD and shorewall
>> the default gateway on the server points to the internet router.
>>
>> i have added this into "masq":
>>
>> eth0 192.168.2.0/24 192.168.2.2
>>
>> and now my pptp clients can reach the other networks.
>>
>> but not clients with ipsec?
>>
>> i think i understand something completely wrong ;(
>>
>
> When we were running IPSEC, we were never able to access more than one
> subnet on the other end either (although we didn't try real hard). I would
> post on the FreeS/Wan list since I don't think this is a Shorewall issue.

ok.. thanx for your help tom.

and btw.. shorewall is great!

should i post my results to the list when i get my config work?

best regards
On Tue, 18 Jun 2002, webmaster@hackenschmiede.com wrote:
> >> the default gateway on the server points to the internet router.
> >>
> >> i have added this into "masq":
> >>
> >> eth0 192.168.2.0/24 192.168.2.2
> >>
> >> and now my pptp clients can reach the other networks.
> >>
> >> but not clients with ipsec?
> >>
> >> i think i understand something completely wrong ;(
> >>
> >
> > When we were running IPSEC, we were never able to access more than one
> > subnet on the other end either (although we didn't try real hard). I would
> > post on the FreeS/Wan list since I don't think this is a Shorewall issue.
>
> ok.. thanx for you help tom.
>
> and btw.. shorewall is great!
>
> should i post my results to the list when i get my config work?
>

Yes -- please do.

Thanks,
-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net