Martin Chan
2004-Feb-05 11:53 UTC
Freeswan running on gateway + Contivity VPN client in LAN
Hi all,

I have been using Shorewall + Freeswan in three offices for more than one year, so far so good. Thanks Tom :-)

Now, we need to use Contivity VPN client to connect to our client's network. I don't know why it marks some packets as badpkt.

I added the following lines to /etc/shorewall/rules:

    DNAT    net:$clientvpngw    loc:192.168.168.46    50     -           -     $NET_IP
    DNAT    net:$clientvpngw    loc:192.168.168.46    51     -           -     $NET_IP
    DNAT    net:$clientvpngw    loc:192.168.168.46    udp    500,9610    -     $NET_IP
    #It seems that they use udp 9610 instead of 500
    DNAT    net:$clientvpngw    loc:192.168.168.46    udp    1024:2000   9610  $NET_IP
    ACCEPT  loc:192.168.168.46  net:$clientvpngw      all    -           -

*The $NET_IP is different from the IP we use in Freeswan

/var/log/message:

    Feb 5 19:20:31 gw kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=$clientvpngw DST=192.168.168.46 LEN=104 TOS=0x00 PREC=0x00 TTL=119 ID=12968 PROTO=UDP SPT=9610 DPT=1409 LEN=84
    Feb 5 19:20:34 gw kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=$clientvpngw DST=192.168.168.46 LEN=104 TOS=0x00 PREC=0x00 TTL=119 ID=12976 PROTO=UDP SPT=9610 DPT=1409 LEN=84
    Feb 5 19:20:40 gw kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=$clientvpngw DST=192.168.168.46 LEN=104 TOS=0x00 PREC=0x00 TTL=119 ID=12987 PROTO=UDP SPT=9610 DPT=1409 LEN=84
    Feb 5 19:20:41 gw kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=$clientvpngw DST=192.168.168.46 LEN=104 TOS=0x00 PREC=0x00 TTL=119 ID=12991 PROTO=UDP SPT=9610 DPT=1409 LEN=84

I haven't tried adding ipsecnat to /etc/shorewall/tunnels because I'm not sure how Shorewall can separate ipsec and ipsecnat packets.

Thanks,
Martin Chan
Tom Eastep
2004-Feb-05 15:11 UTC
Re: Freeswan running on gateway + Contivity VPN client in LAN
On Thursday 05 February 2004 03:53 am, Martin Chan wrote:
> Hi all,
>
> I have been using Shorewall + Freeswan in three offices for more than
> one year,
> so far so good. Thanks Tom :-)
>
> Now, we need to use Contivity VPN client to connect to our client's
> network. I don't know why it mark some packet as badpkt.

I don't know why you are using 'dropunclean' -- the documentation clearly states the following advice:

    # Don't use dropunclean -- It's broken in my opinion
    # Use logunclean only when you are trying to debug a problem

Recent versions of Shorewall give you a warning if you turn on either 'dropunclean' or 'logunclean'. Furthermore, there is no support for them at all in Shorewall 2.0.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
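The log lines in the original post and Tom's reply turn on one detail: the second colon-separated field of a Shorewall kernel log entry (here `badpkt`) names the chain that dropped the packet, which is what lets the drops be traced to the `dropunclean` option rather than to the DNAT rules. The following parser is an added example for this thread, not code from Shorewall or from either poster; it is written in Python and runs over constructed sample lines in the same shape as the ones quoted above (the third line, from a made-up `net2all` chain, is included only so the summary has something to compare against). It splits each line into chain, disposition and the netfilter `KEY=VALUE` fields, keeps both `LEN` values, and tallies drops by chain, protocol and destination port.

```python
import re
from collections import Counter

# Constructed sample lines in the shape quoted in the post. $clientvpngw stands
# for the remote VPN gateway address, exactly as the poster wrote it; the third
# line is made up to show a drop from a chain other than badpkt.
SAMPLE_LOG = """\
Feb 5 19:20:31 gw kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=$clientvpngw DST=192.168.168.46 LEN=104 TOS=0x00 PREC=0x00 TTL=119 ID=12968 PROTO=UDP SPT=9610 DPT=1409 LEN=84
Feb 5 19:20:34 gw kernel: Shorewall:badpkt:DROP:IN=eth0 OUT=eth1 SRC=$clientvpngw DST=192.168.168.46 LEN=104 TOS=0x00 PREC=0x00 TTL=119 ID=12976 PROTO=UDP SPT=9610 DPT=1409 LEN=84
Feb 5 19:21:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=23
"""

# "Shorewall:<chain>:<disposition>:" followed by the netfilter field dump.
LINE_RE = re.compile(
    r"^(?P<prefix>.*?)Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$"
)


def parse_shorewall_line(line):
    """Return a dict for one Shorewall kernel log line, or None if it is not one.

    The netfilter part is a run of KEY=VALUE tokens. LEN appears twice (IP total
    length, then the UDP payload length); the second copy is stored as LEN_inner
    so neither value is lost.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "prefix": m.group("prefix").strip(),  # syslog timestamp, host, "kernel:"
        "chain": m.group("chain"),
        "disposition": m.group("disposition"),
    }
    for tok in m.group("fields").split():
        key, sep, value = tok.partition("=")
        if not sep:
            continue  # bare flags such as DF or SYN carry no value
        if key in rec:
            key = key + "_inner"
        rec[key] = value
    return rec


def parse_log(text):
    """Parse every recognised Shorewall line in a block of syslog text."""
    return [r for r in (parse_shorewall_line(l) for l in text.splitlines()) if r]


def summarize(text):
    """Count entries by (chain, disposition, protocol, destination port)."""
    return Counter(
        (r["chain"], r["disposition"], r.get("PROTO"), r.get("DPT"))
        for r in parse_log(text)
    )


def badpkt_drops(text):
    """Only the records dropped by the unclean-packet check (chain 'badpkt')."""
    return [r for r in parse_log(text) if r["chain"] == "badpkt"]


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```

Run against a real `/var/log/messages`, the `badpkt` rows in the summary are the ones that disappear once `dropunclean` is removed from the interface options, while rows from other chains point at rules or policies rather than at the unclean-packet check.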
Martin Chan
2004-Feb-06 02:08 UTC
Re: Freeswan running on gateway + Contivity VPN client in LAN
It works very well, thanks.

Tom Eastep wrote:
> On Thursday 05 February 2004 03:53 am, Martin Chan wrote:
>
>> Hi all,
>>
>> I have been using Shorewall + Freeswan in three offices for more than
>> one year,
>> so far so good. Thanks Tom :-)
>>
>> Now, we need to use Contivity VPN client to connect to our client's
>> network. I don't know why it mark some packet as badpkt.
>>
>
> I don't know why you are using 'dropunclean' -- the documentation clearly
> states the following advice:
>
> # Don't use dropunclean -- It's broken in my opinion
> # Use logunclean only when you are trying to debug a problem
>
> Recent versions of Shorewall give you a warning if you turn on either
> 'dropunclean' or 'logunclean'. Furthermore, there is no support for them at
> all in Shorewall 2.0.
>
> -Tom