I noticed the long-standing IPsec FSwan problem was fixed. But do you still have to make sure IPsec is not running when Shorewall starts? Reason I ask is I could not get my DMZ working with IPsec in the equation.

Thanks,
Mike
On Thu, 2004-12-02 at 10:05 -0800, Mike Lander wrote:
> I noticed the long-standing IPsec FSwan problem was fixed.
> But do you still have to make sure IPsec is not running when Shorewall starts?
> Reason I ask is I could not get my DMZ working with IPsec in the equation.

What does 'arp -na' show?

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.shorewall.net>
Sent: Thursday, December 02, 2004 10:31 AM
Subject: Re: [Shorewall-users] Ipsec and Proxy arp

> On Thu, 2004-12-02 at 10:05 -0800, Mike Lander wrote:
>> I noticed the long-standing IPsec FSwan problem was fixed.
>> But do you still have to make sure IPsec is not running when Shorewall
>> starts?
>> Reason I ask is I could not get my DMZ working with IPsec in the
>> equation.
>
> What does 'arp -na' show?
>
> -Tom

Can't show you arp now; I could not leave it running, so I put the DMZ server back to a DNAT and assigned an RFC 1818 address to the DMZ server. About 300 employees are using this Shorewall box, so I only had about an hour to get it working last night. Next time I try it will be late at night to keep things quiet. While I was trying to get it up I got so many calls about it being down (one call from New York) that I had to give up and put my DMZ server back to NAT.

While I had the DMZ server in proxy ARP, the DMZ server could not reach the net. I could ping the DMZ from the Shorewall box and I could ping the Shorewall box from the DMZ. I believed my problem to be IPsec, because I tested the same configuration on my network without a hitch (no IPsec on my network).

To try to keep this short, I am moving the IPsec tunnel off of the Shorewall box soon. So if IPsec is the trouble it will be moved to another router soon and Shorewall will just have a static route to IPsec on a SnapGear router. Then I hope the DMZ will work.

So my question was: does Shorewall (if I have route = no in /etc/shorewall/proxyarp) still have the route trouble you mention in your documentation? (assigning routes to IPsec instead)

[root@ns1 root]# shorewall version
2.0.2c
[root@ns1 root]#

Fedora Core

Thanks
--Mike
On Thu, 2004-12-02 at 10:51 -0800, Mike Lander wrote:
> So my question was does Shorewall (if I have route = no in
> /etc/shorewall/proxyarp)
> still have the route trouble you mention in your documentation?
> (assigning routes to IPsec instead)

It is not a routing problem but an ARP problem (the ARP entry is associated with the ipsec0 device rather than the external interface) and the problem IS FIXED.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Here are the box's routes now:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.201.144.200  10.19.227.193   255.255.255.255 UGH   0      0        0 eth1
64.42.53.200    0.0.0.0         255.255.255.248 U     0      0        0 eth0
64.42.53.200    0.0.0.0         255.255.255.248 U     0      0        0 ipsec0
10.192.139.0    64.42.53.201    255.255.255.0   UG    0      0        0 ipsec0
10.19.227.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
172.30.0.0      64.42.53.201    255.255.0.0     UG    0      0        0 ipsec0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         64.42.53.201    0.0.0.0         UG    0      0        0 eth0
[root@ns1 root]#
> It is not a routing problem but an ARP problem (ARP entry is associated
> with the ipsec0 device rather than the external interface) and the
> problem IS FIXED.
>

Thanks Tom, next time I try I will know I am not fighting that.

Mike
Btw, I did a tcpdump last night on the eth2 DMZ interface and I could see ARP answers to requests from the net interface, and I checked the MAC addresses; it looked OK. But I did not know if you had any suggestions on what to look for next time I try it.

Thanks,
Mike
I
> > What does 'arp -na' show?

Tom,

Are you wondering if this is ARP cache trouble? Because of me moving this DMZ server.

Mike
On Thu, 2004-12-02 at 11:38 -0800, Mike Lander wrote:
> > > What does 'arp -na' show?
> Tom
>
> Are you wondering if this is ARP cache trouble?
> Because of me moving this DMZ server.

That's always a possibility -- the Proxy ARP documentation shows how to check for that problem.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
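The two checks the thread points at (an ARP entry bound to ipsec0 instead of the external interface, and a stale cache entry after moving the DMZ host) can be scripted against 'arp -na' output. This is an added example, not code from the thread or from the Shorewall project; the sample ARP lines, interface names and addresses below are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Shorewall: scan 'arp -na'
# output for neighbour entries bound to an ipsecN pseudo-device instead
# of the real external interface (the symptom Tom describes), and for
# the same address appearing on more than one interface (a stale cache
# after moving a host). Interface names and addresses are assumptions.

# Constructed sample of 'arp -na' output; the ipsec0 line is the
# misbound entry a broken proxy ARP setup would show.
SAMPLE_ARP='? (64.42.53.201) at 00:11:22:33:44:55 [ether] on eth0
? (64.42.53.204) at * PERM PUP on eth0
? (64.42.53.201) at 00:11:22:33:44:55 [ether] on ipsec0
? (10.19.227.10) at 00:aa:bb:cc:dd:ee [ether] on eth1'

# check_arp_iface EXT_IFACE [ARP_OUTPUT]
# Reads ARP_OUTPUT (default: the live 'arp -na' table) and prints one
# line per problem found. Returns 1 if any problem was found, else 0.
check_arp_iface() {
    printf '%s\n' "${2:-$(arp -na)}" | awk -v ext="$1" '
        /^\? \(/ {
            ip = $2; gsub(/[()]/, "", ip)   # "(64.42.53.201)" -> address
            iface = $NF                      # interface is the last field
            if (iface ~ /^ipsec[0-9]+$/) {
                printf "MISBOUND %s on %s (expected %s)\n", ip, iface, ext
                bad = 1
            }
            if (ip in seen && seen[ip] != iface) {
                printf "DUPLICATE %s on %s and %s\n", ip, seen[ip], iface
                bad = 1
            }
            seen[ip] = iface
        }
        END { exit (bad ? 1 : 0) }'
}

# Stand-alone run over the constructed sample.
check_arp_iface eth0 "$SAMPLE_ARP" || echo "ARP table needs attention"
```

To run it against the live box, call check_arp_iface with only the external interface name, e.g. check_arp_iface eth0.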