Can't figure out why I am getting this. I tried vpn to vpn ACCEPT in policy for one thing, but that did not sound right.
Mike

May 16 08:59:09 gate kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 SRC=65.203.186.150 DST=66.224.62.112 LEN=168 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=148

[root@gate root]#
[root@gate root]# shorewall version
2.0.2a
[root@gate root]# uname -r
2.4.22-1.2115.nptl
[root@gate root]#

#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routestopped,norfc1918,routefilter
loc eth1 detect dhcp
vpn ipsec0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#INTERFACE SUBNET ADDRESS
eth0 eth1
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc net ACCEPT
vpn loc ACCEPT
loc vpn ACCEPT
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
fw net ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
vpn vpn ACCEPT -
net all DROP info
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

# TYPE ZONE GATEWAY GATEWAY
# ZONE
ipsec vpn 65.203.186.150
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local Networks
vpn Vpn ipsec
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Sorry for answering my own post.
My IP is 66.224.62.111; I don't know why I am getting tunnel replies to
the 66.224.62.112.
----- Original Message -----
From: "Mike Lander" <landers@lanlinecomputers.com>
To: <shorewall-users@lists.shorewall.net>
Sent: Sunday, May 16, 2004 4:09 PM
Subject: [Shorewall-users] ipsec
> Can't figure out why I am getting this. I tried vpn to vpn ACCEPT in policy
> for one thing, but that did not sound right.
> Mike
>
> May 16 08:59:09 gate kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0
> SRC=65.203.186.150 DST=66.224.62.112 LEN=168 TOS=0x00 PREC=0x00 TTL=48
> ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=148
>
> [root@gate root]#
> [root@gate root]# shorewall version
> 2.0.2a
> [root@gate root]# uname -r
> 2.4.22-1.2115.nptl
> [root@gate root]#
>
>
> #ZONE INTERFACE BROADCAST OPTIONS
> net eth0 detect routestopped,norfc1918,routefilter
> loc eth1 detect dhcp
> vpn ipsec0
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> #INTERFACE SUBNET ADDRESS
> eth0 eth1
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
> loc net ACCEPT
> vpn loc ACCEPT
> loc vpn ACCEPT
> # If you want open access to the Internet from your Firewall
> # remove the comment from the following line.
> fw net ACCEPT
> # THE FOLLOWING POLICY MUST BE LAST
> vpn vpn ACCEPT -
> net all DROP info
> all all REJECT info
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
>
> # TYPE ZONE GATEWAY GATEWAY
> # ZONE
> ipsec vpn 65.203.186.150
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
>
> #ZONE DISPLAY COMMENTS
> net Net Internet
> loc Local Local Networks
> vpn Vpn ipsec
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
>
Mike Lander wrote:
> Sorry for answering my own post.
> My IP is 66.224.62.111; I don't know why I am getting tunnel replies to
> the 66.224.62.112.

I'm guessing that the tunnel configuration at 65.203.186.150 is incorrect.

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
Tom wrote:
> I'm guessing that the tunnel configuration at 65.203.186.150 is incorrect.

No, it is correct. I have two tunnels that are authorized at 65.203.186.150 (right side ipsec.conf) using a Preshared Secret: one is left side 66.224.62.111 and the other left side 66.224.62.112. I tried to connect with 66.224.62.112 being the left side of ipsec earlier in the day with the same shorewall box on my side by changing the eth0 IP. So I think the trouble is in Utah, or the arp cache on their end is still caching my earlier connection. I have connected to my own right side for a test, so I know ipsec and shorewall are working properly. So I will wait until morning and contact the mothership in Utah.

My real trouble is this:
--------------------------------------------
"tw" #26: discarding duplicate packet; already STATE_MAIN_I3
May 16 09:25:46 gate pluto[7995]: "tw" #26: ignoring informational payload, type PAYLOAD_MALFORMED
May 16 09:25:46 gate pluto[7995]: "tw" #26: discarding duplicate packet; already STATE_MAIN_I3
May 16 09:26:26 gate pluto[7995]: "tw" #26: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
May 16 09:26:26 gate pluto[7995]: "tw" #26: starting keying attempt 27 of an unlimited number
May 16 09:26:26 gate pluto[7995]: "tw" #27: initiating Main Mode to replace #26
May 16 09:26:26 gate pluto[7995]: "tw" #27: ignoring informational payload, type PAYLOAD_MALFORMED
May 16 09:26:36 gate pluto[7995]: "tw" #27: ignoring informational payload, type PAYLOAD_MALFORMED
May 16 09:26:36 gate pluto[7995]: "tw" #27: discarding duplicate packet; already STATE_MAIN_I3

Thanks Tom
Mike
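The two symptoms in this thread, the Shorewall FORWARD:REJECT of an IKE packet addressed to a neighbouring IP and the pluto connection stuck in STATE_MAIN_I3, are both easy to miss in a busy syslog. The following is an added example, not code from the thread or from the Shorewall or FreeS/WAN projects: a small triage script that parses Shorewall kernel log lines into their KEY=VALUE fields, tags the ones that matter here (same interface in and out, destination not owned by the firewall, IKE ports), and counts the retransmission and PAYLOAD_MALFORMED messages per pluto connection. The sample lines are constructed from the ones quoted above; the second Shorewall line and the 203.0.113.7 address are invented to show a hit that should not be tagged, the local address set is assumed to be the poster's 66.224.62.111, and the reading of PAYLOAD_MALFORMED after the first encrypted Main Mode message as a likely pre-shared-key or identity mismatch is general IKEv1 troubleshooting knowledge, not something the thread confirms.

```python
import re
from ipaddress import ip_address

# Constructed sample lines modelled on the ones quoted in this thread. The second
# Shorewall line is invented (203.0.113.7 is a documentation address) so that a
# plain INPUT-chain drop is present as a negative case.
SHOREWALL_LINES = [
    "May 16 08:59:09 gate kernel: Shorewall:FORWARD:REJECT:IN=eth0 OUT=eth0 "
    "SRC=65.203.186.150 DST=66.224.62.112 LEN=168 TOS=0x00 PREC=0x00 TTL=48 "
    "ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=148",
    "May 16 09:00:01 gate kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "SRC=203.0.113.7 DST=66.224.62.111 LEN=60 TOS=0x00 PREC=0x00 TTL=50 "
    "ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]
PLUTO_LINES = [
    'May 16 09:25:46 gate pluto[7995]: "tw" #26: ignoring informational payload, type PAYLOAD_MALFORMED',
    'May 16 09:25:46 gate pluto[7995]: "tw" #26: discarding duplicate packet; already STATE_MAIN_I3',
    'May 16 09:26:26 gate pluto[7995]: "tw" #26: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message',
    'May 16 09:26:26 gate pluto[7995]: "tw" #27: initiating Main Mode to replace #26',
]
# Assumed: the addresses this firewall itself owns (the poster's eth0 address).
LOCAL_ADDRS = {ip_address("66.224.62.111")}

SHOREWALL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<fields>.*)$"
)
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
IKE_PORTS = {"500", "4500"}  # ISAKMP and NAT-T


def parse_shorewall(line):
    """Split a Shorewall kernel log line into its prefix and KEY=VALUE fields."""
    m = SHOREWALL_RE.match(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length); keep the first.
            fields.setdefault(key, val)
        else:
            fields[tok] = True  # bare flags such as DF or SYN
    return {"timestamp": m.group("ts"), "host": m.group("host"),
            "chain": m.group("chain"), "disposition": m.group("disposition"),
            "fields": fields}


def triage(rec, local_addrs):
    """Return short tags saying why a logged packet deserves a second look."""
    f = rec["fields"]
    tags = []
    if f.get("IN") and f.get("IN") == f.get("OUT"):
        tags.append("hairpin")        # routed back out the interface it arrived on
    dst = f.get("DST")
    if dst and ip_address(dst) not in local_addrs:
        tags.append("dst-not-local")  # not addressed to this host, so it was forwarded
    if f.get("PROTO") == "UDP" and (f.get("SPT") in IKE_PORTS or f.get("DPT") in IKE_PORTS):
        tags.append("ike")            # IKE negotiation traffic
    return tags


def summarize_pluto(lines):
    """Count per-connection IKE symptoms in pluto log lines."""
    summary = {}
    for line in lines:
        m = PLUTO_RE.search(line)
        if not m:
            continue
        s = summary.setdefault(m.group("conn"), {
            "malformed": 0, "duplicates": 0, "retransmit_limit": 0, "sa_numbers": set()})
        s["sa_numbers"].add(int(m.group("sa")))
        msg = m.group("msg")
        if "PAYLOAD_MALFORMED" in msg:
            s["malformed"] += 1
        elif "discarding duplicate packet" in msg:
            s["duplicates"] += 1
        elif "max number of retransmissions" in msg:
            s["retransmit_limit"] += 1
    return summary


def pluto_hint(stats):
    """Plain-language reading of the counters. This follows pluto's own
    'Possible authentication failure' wording and general IKEv1 experience
    (assumption): it is a hint for where to look, not a diagnosis."""
    if stats["retransmit_limit"] and stats["malformed"]:
        return ("stuck at STATE_MAIN_I3: the peer answers our first encrypted message "
                "with PAYLOAD_MALFORMED; check that both ends use the same pre-shared "
                "secret and the same left/right identities")
    return "no clear IKE failure pattern"


if __name__ == "__main__":
    for line in SHOREWALL_LINES:
        rec = parse_shorewall(line)
        print(rec["chain"], rec["disposition"], rec["fields"]["SRC"], "->",
              rec["fields"]["DST"], triage(rec, LOCAL_ADDRS))
    for conn, stats in summarize_pluto(PLUTO_LINES).items():
        print(conn, stats, pluto_hint(stats))
```

Run stand-alone, the first Shorewall line comes out tagged hairpin, dst-not-local and ike at once, which is the combination that says the remote peer is negotiating with an address this box does not own rather than a policy problem between zones; the constructed INPUT-chain drop gets no tags. The pluto summary groups attempts #26 and #27 under the "tw" connection and reports the retransmission-limit plus PAYLOAD_MALFORMED pattern.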