On Sun, 2003-11-23 at 22:08, hallian hallian wrote:
> Hello -
>
> I have a weird dilemma where I have an freeswan (VPN IPSEC) connection
> between two site.
>
> Here is the picture:
>
> LAN * [Site A] * Public <-- INTERNET --> Public * [ Site B] * LAN
>
> SITE A:
> LAN: 192.168.100.0/24
>
> SITE B:
> LAN: 192.168.200.0/24
>
> These are the rules for SITE (A) and SITE (B) respectively where site B has !192.168.200.1
> REDIRECT loc 3128 tcp www - !192.168.100.1
>
> Now, I try to access my web cam (192.168.200.197) on site (B) from Site (A)
> and my connections are getting dropped in my log file.
>
> I can access all my share drives, I can ping and do everything else. BUT I
> cannot access via my http such as my web cam (site B) from my web browser
> from site A. Any ideas anyone? I would appreciate it...
>
> /etc/shorewall/interfaces
> net eth0 detect tcpflags,blacklist,norfc1918,routefilter
> loc eth1 192.168.100.255
> vpn ipsec0
>
> /etc/shorewall/masq [I'm not using /etc/shorewall/hosts file]
> ipsec0:192.168.200.0/24 192.168.100.0/24
> $NET_IF $LOC_IF
>
> log file error: [ I can see that SRC needs to be from my internal network
> but I thought the masq entry for ipsec0 will resolv it as above but it shows
> my external IP address]
>
> Nov 23 23:57:54 ny Shorewall:all2all:REJECT: IN= OUT=ipsec0 MAC=
> SRC=65.83.202.115 DST=192.168.200.197 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF
> PROTO=TCP SPT=36504 DPT=80 SEQ=3803015150 ACK=0 WINDOW=32440 SYN URGP=0
>
It is your Squid proxy that is trying to connect to the webcam (note
that there is no "IN=" device -- see FAQ 17).
I would change my REDIRECT rule to be:
REDIRECT loc 3128 tcp www - !192.168.100.0/24,192.168.200.0/24
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
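To make Tom's diagnosis concrete, here is an added example (not from the thread or from Shorewall) that models the ORIGINAL DEST exclusion of both REDIRECT rules and reads the rejected log entry. The rule strings are the ones quoted above; the log line is an abbreviated copy of the one in the post, and the service-name table and all function names are constructed for this illustration.

```python
import ipaddress
import re

# Constructed sample data modelled on the thread: the original and the
# suggested REDIRECT rules, and a shortened copy of the rejected packet's log.
OLD_RULE = "REDIRECT loc 3128 tcp www - !192.168.100.1"
NEW_RULE = "REDIRECT loc 3128 tcp www - !192.168.100.0/24,192.168.200.0/24"
LOG_LINE = ("Nov 23 23:57:54 ny Shorewall:all2all:REJECT: IN= OUT=ipsec0 MAC= "
            "SRC=65.83.202.115 DST=192.168.200.197 LEN=60 PROTO=TCP SPT=36504 DPT=80")

SERVICE_PORTS = {"www": 80}  # minimal stand-in for /etc/services lookups

def parse_redirect(rule):
    """Split a REDIRECT rule into (zone, proxy_port, proto, dport, excluded).
    Columns: ACTION SOURCE DEST(port) PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST.
    A leading '!' in ORIGINAL DEST means 'every destination except these'."""
    action, zone, port, proto, dport, _sport, orig = rule.split()
    assert action == "REDIRECT"
    excluded = []
    if orig.startswith("!"):
        excluded = [ipaddress.ip_network(n, strict=False) for n in orig[1:].split(",")]
    return zone, int(port), proto, SERVICE_PORTS.get(dport, dport), excluded

def redirected(rule, dst_ip, dst_port):
    """True if a TCP connection from 'loc' to dst_ip:dst_port would be sent
    to the proxy by this rule instead of being routed directly."""
    _zone, _pport, proto, dport, excluded = parse_redirect(rule)
    if proto != "tcp" or int(dport) != dst_port:
        return False
    dst = ipaddress.ip_address(dst_ip)
    return not any(dst in net for net in excluded)

def parse_log(line):
    """Collect the key=value fields of a Shorewall/netfilter log line."""
    return dict(re.findall(r"(\w+)=(\S*)", line))

def locally_generated(fields):
    """An empty IN= means the firewall itself originated the packet (here
    Squid, after the redirect), so the masq entry never applies to it."""
    return fields.get("IN", "") == ""

if __name__ == "__main__":
    print("old rule redirects webcam:", redirected(OLD_RULE, "192.168.200.197", 80))
    print("new rule redirects webcam:", redirected(NEW_RULE, "192.168.200.197", 80))
    print("rejected packet from firewall itself:", locally_generated(parse_log(LOG_LINE)))
```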