Jerry Vonau
2003-Jun-07 13:39 UTC
[Shorewall-users] can't connect to private lan on other side of tunnel from loc zone
Hi All:

Here is a strange one... I have a VPN set up between a couple of locations; it's using a ppp interface. I'm using Shorewall-1.4.4b and an out-of-the-box 2.4.20-18.8 kernel from Red Hat. I'm able to ping/connect from the firewall itself to anything on the other end of the tunnel... I'm unable to make a connection to 2 of the remote LANs, 10.2.0.0/24 and 10.1.14.0/24, from a machine in the loc zone, while I'm able to connect to a machine that is only accessible through the 10.1.14.0/24 LAN. There is nothing showing up in /var/log/messages...

Here is the routing:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
139.142.212.5   0.0.0.0         255.255.255.255 UH    0      0        0 eth2
10.2.0.150      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.1.14.1       0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
204.225.120.230 10.1.14.1       255.255.255.255 UGH   0      0        0 ppp0
139.142.212.0   0.0.0.0         255.255.255.240 U     0      0        0 eth0
10.1.14.0       10.2.0.1        255.255.255.0   UG    0      0        0 ppp0
10.2.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ppp0
10.3.0.0        0.0.0.0         255.255.255.0   U     0      0        0 ppp0
10.5.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         139.142.212.14  0.0.0.0         UG    0      0        0 eth0

The interfaces file:

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            139.142.212.15  norfc1918,tcpflags,blacklist
loc     eth1            10.255.255.255  dhcp
dmz     eth2            detect
-       ppp+            -
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

hosts:

sarg    ppp+:10.2.0.0/24
jer     ppp+:10.3.0.0/24
nff1    ppp+:10.1.14.0/24
nff2    ppp+:$NFF2

NFF2 is defined in the params file; this is the only connection that does work through the tunnel from the loc zone..

zones:

#ZONE   DISPLAY         COMMENTS
net     Net             Internet
sarg    SARG            Sarg's Lan
jer     jerry           jerry's house
nff1    ship            nff in shipping
nff2    nffftp          nff's ftp
loc     Local           Local networks
dmz     DMZ             Demilitarized zone
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

policy:

#SOURCE DEST    POLICY  LOG LEVEL       LIMIT:BURST
fw      net     ACCEPT
loc     dmz     ACCEPT
loc     jer     ACCEPT  info
loc     sarg    ACCEPT  info
loc     nff1    ACCEPT  info
loc     net     ACCEPT
nff1    loc     ACCEPT  info
sarg    loc     ACCEPT  info
jer     loc     ACCEPT  info
loc     loc     ACCEPT  info
dmz     net     ACCEPT  info
net     all     DROP    info
all     all     REJECT  info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Attached is a dump of shorewall status.

This is the last piece that I need to get working. Everything else is working just great. Just to recap: from the firewall, through the tunnel, everything works. From the loc zone, just one of them works; strange that the one that works uses public IP addresses, but is only accessible from the 10.1.14.0 network, while the private IP addresses on the remote LAN don't. Not too sure where to look for this one... What have I overlooked?? If I didn't submit a file that is needed to troubleshoot this, just tell me...

Thanks in Advance

Jerry Vonau

-------------- next part --------------
A non-text attachment was scrubbed...
Name: shore.dmp
Type: application/octet-stream
Size: 50866 bytes
Desc: not available
Url : http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030607/9299ab92/shore-0001.obj
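As an added illustration (not code from the post or from Shorewall itself), the script below does a longest-prefix route lookup over the routing table posted above and then applies a simplified form of Shorewall's zone matching (hosts-file entries on the egress interface first, then the interface's own zone) to show which zone a destination reached from loc is classified into. The $NFF2 entry is left out because its value is not in the post, and the precedence rule is a simplification of Shorewall's own.

```python
import ipaddress

# Transcribed from the post (constructed data structures, not Shorewall's parser).
ROUTES = [  # (destination/prefix, egress interface)
    ("139.142.212.5/32", "eth2"), ("10.2.0.150/32", "ppp0"), ("10.1.14.1/32", "ppp0"),
    ("204.225.120.230/32", "ppp0"), ("139.142.212.0/28", "eth0"), ("10.1.14.0/24", "ppp0"),
    ("10.2.0.0/24", "ppp0"), ("10.3.0.0/24", "ppp0"), ("10.5.0.0/24", "eth2"),
    ("10.0.0.0/8", "eth1"), ("127.0.0.0/8", "lo"), ("0.0.0.0/0", "eth0"),
]
# /etc/shorewall/hosts entries; nff2 ppp+:$NFF2 omitted (value unknown here).
HOSTS = [("sarg", "ppp+", "10.2.0.0/24"), ("jer", "ppp+", "10.3.0.0/24"),
         ("nff1", "ppp+", "10.1.14.0/24")]
# /etc/shorewall/interfaces; "-" means the zone is supplied by the hosts file.
IFACES = [("net", "eth0"), ("loc", "eth1"), ("dmz", "eth2"), ("-", "ppp+")]


def route_lookup(dst: str):
    """Longest-prefix match over ROUTES; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in ROUTES:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def iface_matches(pattern: str, iface: str) -> bool:
    """Shorewall-style wildcard: 'ppp+' matches ppp0, ppp1, ..."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def zone_of(dst: str):
    """Zone a destination lands in: hosts entries on the egress interface win,
    otherwise the interface's own zone; None if nothing claims the address."""
    iface = route_lookup(dst)
    addr = ipaddress.ip_address(dst)
    for zone, pat, cidr in HOSTS:
        if iface_matches(pat, iface) and addr in ipaddress.ip_network(cidr):
            return zone
    for zone, pat in IFACES:
        if zone != "-" and iface_matches(pat, iface):
            return zone
    return None


if __name__ == "__main__":
    for dst in ("10.2.0.5", "10.1.14.7", "10.7.1.1", "204.225.120.230", "8.8.8.8"):
        print(f"{dst:>16} -> {route_lookup(dst)} -> zone {zone_of(dst)}")
```

Destinations that resolve to None (here 204.225.120.230 with the $NFF2 entry omitted) are the ones to check against the real hosts file, since a packet to an unclaimed address on ppp+ falls through to the all/all REJECT policy.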