Hello everyone,

I'm not sure whether to place my question here or in the racoon mailing list or even in that of iptables.

I have created an ipsec connection with racoon in tunnel mode to another gateway to connect one subnet on each side to each other. This works fine. Only the ipsec gateway itself can't send packages to the opposite subnet.

Shorewall is configured according to:

http://www.shorewall.net/IPSEC-2.6.html

Is there a second "roadwarrior" tunnel to be defined just only for the gateway?

I have patched the kernel linux 2.8.1 and iptables-1.2.11 with the "policy match" patch, but the "IPSEC-Netfilter" patches (mentioned in: http://www.shorewall.net/IPSEC.htm) were rejected by patch-o-matic-ng from 2004/09/21. How are they applied?

Kay
Kay Obermueller wrote:

> Hello everyone,
> I'm not sure whether to place my question here or in the racoon mailing
> list or even in that of iptables.
> I have created an ipsec connection with racoon in tunnel mode to another
> gateway to connect one subnet on each side to each other. This works
> fine. Only the ipsec gateway itself can't send packages to the opposite
> subnet.
> Shorewall is configured according to:
>
> http://www.shorewall.net/IPSEC-2.6.html
>
> Is there a second "roadwarrior" tunnel to be defined just only for the
> gateway?

For complete connectivity in this situation, it is my understanding that 6 policies are required in /etc/racoon/setkey:

subnet A -> subnet B
subnet B -> subnet A
gateway A -> subnet B
gateway A -> gateway B
gateway B -> subnet A
gateway B -> gateway A

> I have patched the kernel linux 2.8.1 and iptables-1.2.11 with the
> "policy match" patch, but the "IPSEC-Netfilter" patches (mentioned in:
> http://www.shorewall.net/IPSEC.htm) were rejected by patch-o-matic-ng
> from 2004/09/21. How are they applied?

Patch-O-matic and how to use it are off-topic for this list but I suspect that your kernel is too old to work with the IPSEC-Netfilter patches.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
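Written out as a setkey policy file for gateway A, the six flows listed above become three `out` and three `in` policies. This is an added example, not a file from the thread or from the Shorewall documentation; all addresses are constructed placeholders, and the gateway's own policies assume the kernel picks the external address as source when the gateway talks to the remote side.

```conf
# Constructed example: setkey.conf as loaded on gateway A with "setkey -f".
#   gateway A: tunnel endpoint 203.0.113.1,  LAN 192.168.1.0/24
#   gateway B: tunnel endpoint 198.51.100.1, LAN 192.168.2.0/24
# Direction of the tunnel spec is <outer src>-<outer dst>, so "in"
# policies carry the remote endpoint first.
flush;
spdflush;

# 1. subnet A -> subnet B (the site-to-site policy that already worked)
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;

# 2. subnet B -> subnet A
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;

# 3. gateway A -> subnet B: traffic the gateway originates itself; if it
#    sources these packets from another of its addresses, that address
#    has to be the one in the selector.
spdadd 203.0.113.1/32 192.168.2.0/24 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;

# 4. gateway A -> gateway B (inner and outer addresses coincide)
spdadd 203.0.113.1/32 198.51.100.1/32 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;

# 5. gateway B -> subnet A
spdadd 198.51.100.1/32 192.168.1.0/24 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;

# 6. gateway B -> gateway A
spdadd 198.51.100.1/32 203.0.113.1/32 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;
```

Gateway B needs the mirror image (swap the selectors and the `in`/`out` directions); `setkey -DP` shows which of the six policies are actually installed and `/require` makes unprotected packets for those selectors get dropped rather than sent in the clear.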
Tom Eastep wrote:

> Patch-O-matic and how to use it are off-topic for this list but I
> suspect that your kernel is too old to work with the IPSEC-Netfilter
> patches.

Oops, sorry, I used the kernel sources of 2.6.8 from Debian with Debian patches. They have been the latest in the last few days. Or did you mean that only the latest vanilla kernel works?

Kay
Kay Obermueller wrote:

> Oops, sorry, I used the kernel sources of 2.6.8 from Debian with Debian
> patches. They have been the latest in the last few days. Or did you mean
> that only the latest vanilla kernel works?

Again, this is off-topic for this list but I have been reading on the Netfilter list that some folks are having problems with P-O-M and the Vanilla 2.6.8.

-Tom
Tom Eastep wrote:

> Again, this is off-topic for this list but I have been reading on the
> Netfilter list that some folks are having problems with P-O-M and the
> Vanilla 2.6.8.

Thank you for answering. Ok, the netfilter list, there are the patch-o-matics :)

Kay