cmisip
2003-Aug-30 12:43 UTC
[Shorewall-users] Lost ability to ping outside of lan after subnet to host vpn -trouble with roadwarrior
In my efforts to get subnet to host vpn running, I somehow lost the ability to ping an external site such as www.google.com. I can ping local hosts without problems. DNS resolves the URLs to the internet fine, and even pinging the actual IP of internet sites does not work. Everything else works though. I can surf from the laptop with vpn encryption. I looked at the FAQ regarding ping and added the rules for icmp as well as the icmpdef file, but still no ping. I am trying to configure a roadwarrior vpn now and shorewall or freeswan complains that the remote network is unreachable when it tries to add the remote host to the routing table. Some communication is occurring between the local subnet and the roadwarrior though, since they are attempting to negotiate the tunnel (so they can see each other). However, they cannot ping each other. I believe if I can get to the bottom of this ping issue, I can get this to work.

My config is a three interface shorewall router with eth0 to cable modem, eth1 to wired lan and eth2 to wireless lan.

/etc/shorewall/policy:

loc     net     ACCEPT
net     all     DROP    info
fw      net     ACCEPT
loc     fw      ACCEPT
fw      loc     ACCEPT
fw      vpn     ACCEPT
vpn     fw      ACCEPT
vpn     loc     ACCEPT
loc     vpn     ACCEPT
vpn     net     ACCEPT
fw      vpn1    ACCEPT
vpn1    fw      ACCEPT
vpn1    loc     ACCEPT
loc     vpn1    ACCEPT
vpn1    net     ACCEPT
all     all     REJECT  info

/etc/shorewall/tunnels:

ipsec   wln     192.168.0.0/24  vpn
ipsec   net     0.0.0.0/0       vpn1

/etc/shorewall/interfaces:

net     eth0    detect          dhcp
loc     eth1    192.168.1.255
wln     eth2    192.168.0.255
vpn     ipsec0
vpn1    ipsec1

/etc/shorewall/rules:

ACCEPT  net     fw      icmp    8
ACCEPT  fw      net     icmp    8
ACCEPT  loc     net     icmp    8
ACCEPT  net     loc     icmp    8

Thanks for any help you can give me.
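To see what the posted policy and rules actually decide for a given zone pair, here is a small evaluator that reproduces Shorewall's first-match lookup order. It is an added example, not code from the original post or from the Shorewall project. The two tables are copied from the post above; the parsing and lookup functions and their names (`parse_policy`, `parse_rules`, `lookup`, `Verdict`) are this example's own, and it models only zone-to-zone entries with an optional protocol and port column.

```python
"""Which Shorewall entry governs a new connection between two zones?

Added example, not part of the original post or of Shorewall itself. It
reproduces Shorewall's first-match semantics: /etc/shorewall/rules is
consulted first, then /etc/shorewall/policy, where the first matching line
wins and the zone name 'all' is a wildcard. Tables are copied from the post.
"""
from dataclasses import dataclass
from typing import List, Optional

# /etc/shorewall/policy as posted (columns: SOURCE DEST POLICY LOG).
POLICY_TEXT = """\
loc   net   ACCEPT
net   all   DROP    info
fw    net   ACCEPT
loc   fw    ACCEPT
fw    loc   ACCEPT
fw    vpn   ACCEPT
vpn   fw    ACCEPT
vpn   loc   ACCEPT
loc   vpn   ACCEPT
vpn   net   ACCEPT
fw    vpn1  ACCEPT
vpn1  fw    ACCEPT
vpn1  loc   ACCEPT
loc   vpn1  ACCEPT
vpn1  net   ACCEPT
all   all   REJECT  info
"""

# /etc/shorewall/rules as posted (ACTION SOURCE DEST PROTO DEST-PORT);
# for icmp the DEST-PORT column is the ICMP type, 8 = echo request.
RULES_TEXT = """\
ACCEPT net fw  icmp 8
ACCEPT fw  net icmp 8
ACCEPT loc net icmp 8
ACCEPT net loc icmp 8
"""


@dataclass(frozen=True)
class Policy:
    src: str
    dst: str
    action: str
    log: Optional[str]
    text: str


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    proto: Optional[str]
    port: Optional[str]
    text: str


@dataclass(frozen=True)
class Verdict:
    action: str
    origin: str   # "rule" or "policy"
    text: str     # the line that decided it


def _fields(text: str):
    """Yield (fields, line) for each non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split(), line


def parse_policy(text: str) -> List[Policy]:
    out = []
    for parts, line in _fields(text):
        if len(parts) < 3:
            raise ValueError("policy line needs SOURCE DEST POLICY: %r" % line)
        log = parts[3] if len(parts) > 3 else None
        out.append(Policy(parts[0], parts[1], parts[2].upper(), log, line))
    return out


def parse_rules(text: str) -> List[Rule]:
    out = []
    for parts, line in _fields(text):
        if len(parts) < 3:
            raise ValueError("rule needs ACTION SOURCE DEST: %r" % line)
        proto = parts[3].lower() if len(parts) > 3 else None
        port = parts[4] if len(parts) > 4 else None
        out.append(Rule(parts[0].upper(), parts[1], parts[2], proto, port, line))
    return out


def _zone_match(pattern: str, zone: str) -> bool:
    return pattern == "all" or pattern == zone


def lookup(src, dst, proto=None, port=None, rules=None, policy=None) -> Verdict:
    """Return the rule or policy line Shorewall applies to src -> dst."""
    rules = parse_rules(RULES_TEXT) if rules is None else rules
    policy = parse_policy(POLICY_TEXT) if policy is None else policy
    port = None if port is None else str(port)
    for r in rules:  # rules are checked before the zone pair's policy
        if (_zone_match(r.src, src) and _zone_match(r.dst, dst)
                and (r.proto is None or r.proto == proto)
                and (r.port is None or r.port == port)):
            return Verdict(r.action, "rule", r.text)
    for p in policy:  # first matching policy line wins
        if _zone_match(p.src, src) and _zone_match(p.dst, dst):
            return Verdict(p.action, "policy", p.text)
    raise LookupError("no policy covers %s -> %s" % (src, dst))


if __name__ == "__main__":
    for probe in [("loc", "net", "icmp", 8), ("net", "loc", "tcp", 80),
                  ("wln", "net", "tcp", 80), ("vpn1", "net", "tcp", 22)]:
        v = lookup(*probe)
        print("%-4s -> %-4s %s/%s: %s via %s (%s)"
              % (probe[0], probe[1], probe[2], probe[3], v.action, v.origin, v.text))
```

Run against the posted tables, loc -> net echo requests are accepted by the explicit icmp rule and, even without it, by the `loc net ACCEPT` policy, so the firewall policy itself does not account for the lost ping; the poster's own follow-up attributes it to the tunnel updown script and routing. The same evaluator also makes one consequence of the posted policy visible: the wireless zone `wln` has no entry of its own and falls through to `all all REJECT`, so wireless hosts can only reach anything through the ipsec tunnel (the `vpn` zone).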
cmisip
2003-Sep-01 16:25 UTC
[Shorewall-users] Lost ability to ping outside of lan after subnet to host vpn -trouble with roadwarrior
Well, I got it figured out. The updown script needed to be modified to remove the parameter for nexthop.

On Sat, 2003-08-30 at 14:43, cmisip wrote:
> In my efforts to get subnet to host vpn running, I somehow lost the ability to ping an external site such as www.google.com.
_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: http://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm