Suren
2002-Oct-25 03:22 UTC
[Shorewall-users] VPN - IPSEC Config with "two-Interface" firewall
Hi,

I have the shorewall running in the server machine (192.168.0.1) which connects to the net with eth0 (cable modem). I have the client machine (192.168.0.2) which has the ipsec installed.

From the client machine, I am trying to connect to a vpn in the net. What are the settings I need to make? It is especially important to get the "Heartbeat (ip 254)" to the client machine from the vpn.

I tried:

DNAT net loc:192.168.0.2 254

in the rules file, but it must not be enough. This is what I see in the client machine log:

kernel: IN=ipsec0 OUT= MAC=00:50:<etc> SRC=a.b.c.d DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=237 ID=20054 PROTO=254

Thanks.
Tom Eastep
2002-Oct-25 13:36 UTC
[Shorewall-users] VPN - IPSEC Config with "two-Interface" firewall
Suren wrote:
> Hi,
>
> I have the shorewall running in the server machine (192.168.0.1) which
> connects to the net with eth0 (cable modem). I have the client machine
> (192.168.0.2) which has the ipsec installed.
>
> From the client machine, I am trying to connect to a vpn in the
> net. What are the settings I need to make? It is especially important to get
> the "Heartbeat (ip 254)" to the client machine from the vpn.
>
> I tried:
> DNAT net loc:192.168.0.2 254
> in the rules file, but it must not be enough. This is what I see in the
> client machine log:
> kernel: IN=ipsec0 OUT= MAC=00:50:<etc>
> SRC=a.b.c.d DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=237
> ID=20054 PROTO=254
>

The IN interface for this packet is ipsec0 -- the source column for your rule should therefore be the zone that you associate with the remote subnet, not "net".

-Tom

--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
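The check Tom's answer implies, as an added example that is not part of the original thread or of Shorewall itself: read the IN= interface out of the logged packet, find the zone that /etc/shorewall/interfaces binds to that interface, and build the rules-file line with that zone in the SOURCE column instead of "net". The interfaces table below is a constructed sample (the original post only mentions eth0); the zone name "vpn" for ipsec0, and the DNAT action and "loc" destination copied from the poster's own rule, are assumptions. Shorewall's interfaces file has the columns ZONE INTERFACE BROADCAST OPTIONS, which is all the lookup relies on.

```shell
#!/bin/sh
# Added example (not from the original thread): derive the SOURCE zone for a
# Shorewall rule from the IN= interface of a netfilter log line.
# Assumptions: the interfaces table below, the zone name "vpn" for ipsec0,
# and the DNAT/loc parts of the rule, which mirror the poster's rule.

# Constructed sample of /etc/shorewall/interfaces (ZONE INTERFACE BROADCAST OPTIONS).
INTERFACES_SAMPLE='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
loc     eth1        detect
vpn     ipsec0      -'

# The log line as posted (MAC and source address elided in the original).
LOG_LINE='kernel: IN=ipsec0 OUT= MAC=00:50:<etc> SRC=a.b.c.d DST=192.168.0.2 LEN=56 TOS=0x00 PREC=0x00 TTL=237 ID=20054 PROTO=254'

# log_field LINE KEY: print the value of KEY= in a netfilter log line
# (empty for an empty field such as "OUT=", nothing if KEY is absent).
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { for (i = 1; i <= NF; i++) {
              split($i, kv, "=")
              if (kv[1] == key) { print kv[2]; exit }
          } }'
}

# zone_for_iface IFACE: first non-comment row of the interfaces table whose
# INTERFACE column matches, printing its ZONE column (nothing if unbound).
zone_for_iface() {
    printf '%s\n' "$INTERFACES_SAMPLE" \
        | awk -v iface="$1" '$1 !~ /^#/ && $2 == iface { print $1; exit }'
}

# rule_for_log LINE: emit the rules-file line for the logged packet, with the
# SOURCE column set to the zone of the IN= interface. Fails if that interface
# is not bound to any zone, which is the first thing to fix in that case.
rule_for_log() {
    iface=$(log_field "$1" IN)
    zone=$(zone_for_iface "$iface")
    if [ -z "$zone" ]; then
        echo "interface '$iface' is not bound to a zone in /etc/shorewall/interfaces" >&2
        return 1
    fi
    dst=$(log_field "$1" DST)
    proto=$(log_field "$1" PROTO)
    # ACTION SOURCE DEST PROTO -- DEST zone "loc" and DNAT follow the poster's rule.
    printf 'DNAT %s loc:%s %s\n' "$zone" "$dst" "$proto"
}

# Usage: prints "DNAT vpn loc:192.168.0.2 254" for the posted log line.
rule_for_log "$LOG_LINE"
```

The lookup stops at the first matching row, so an interface listed twice would silently use the earlier binding; in a real check, grep the file for duplicates first. The non-zero return for an unbound interface matters because a packet arriving on an interface that no zone claims will not match any zone-to-zone rule at all, whatever the SOURCE column says.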