Hi guys,

I'm trying to set up an IPIP tunnel between a Cisco router and a firewall running Debian GNU/Linux Sarge with Shorewall 2.0.13.
I've read and implemented the http://shorewall.net/IPIP.htm document, but I don't understand why there should be at the same time a "tunnel" and a "tunnels" script.
Shorewall still refuses to let the "PROTOCOL=4" packets go through even if I create both.

I also read http://shorewall.net/GenericTunnels.html and tried the part to allow "PROTOCOL=4", but it doesn't work either.

What am I missing?

Thanks

On Thursday 30 December 2004 at 12:11 +0100, Jérôme Warnier wrote:
> Hi guys,
>
> I'm trying to set up an IPIP tunnel between a Cisco router and a firewall
> running Debian GNU/Linux Sarge with Shorewall 2.0.13.
> I've read and implemented the http://shorewall.net/IPIP.htm document,
> but I don't understand why there should be at the same time a "tunnel"
> and a "tunnels" script.
> Shorewall still refuses to let the "PROTOCOL=4" packets go through
> even if I create both.
>
> I also read http://shorewall.net/GenericTunnels.html and tried the part
> to allow "PROTOCOL=4", but it doesn't work either.
>
> What am I missing?

Well, I found the last problem I had, due to wrong documentation in the file "tunnels":

# The columns are:
#
#       TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
#               "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
#               "generic"

The "ip" there on the same line as "TYPE" should read "ipip", not "ip".

> Thanks

On Thu, 2004-12-30 at 12:11 +0100, Jérôme Warnier wrote:
> Hi guys,
>
> I'm trying to set up an IPIP tunnel between a Cisco router and a firewall
> running Debian GNU/Linux Sarge with Shorewall 2.0.13.
> I've read and implemented the http://shorewall.net/IPIP.htm document,
> but I don't understand why there should be at the same time a "tunnel"
> and a "tunnels" script.

The 'tunnel' script creates the tunnel itself. The 'tunnels' file entry allows tunnel traffic through the firewall.

> Shorewall still refuses to let the "PROTOCOL=4" packets go through
> even if I create both.

Then your entry in /etc/shorewall/tunnels is wrong.

>
> I also read http://shorewall.net/GenericTunnels.html and tried the part
> to allow "PROTOCOL=4", but it doesn't work either.
>
> What am I missing?

We can't tell without a proper problem report (output of "shorewall status" that shows the rejected PROTO=4 packets would be appropriate).

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

On Thu, 2004-12-30 at 16:44 +0100, Jérôme Warnier wrote:
>
> Well, I found the last problem I had, due to wrong documentation in
> the file "tunnels":
>
> # The columns are:
> #
> #       TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
> #               "gre", "6to4", "pptpclient", "pptpserver", "openvpn" or
> #               "generic"
>
> The "ip" there on the same line as "TYPE" should read "ipip", not "ip".

Thanks for the report, Jérôme.

I've updated both the 2.0 and 2.2 CVS threads. I'm sorry to be the cause of the confusion.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
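
Added example, not part of the thread and not Shorewall's own code: a shell check that flags TYPE values in a tunnels file that are not in the list from the header comment quoted above, with "ip" corrected to "ipip" as the thread concludes. The function names, the sample entries and the handling of a colon-separated option suffix (such as `generic:4`) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: lint the TYPE column of a Shorewall tunnels file.
# Valid values come from the header comment quoted in the thread,
# with "ip" corrected to "ipip".
check_tunnel_types() {
    awk '
    BEGIN {
        n = split("ipsec ipsecnat ipip gre 6to4 pptpclient pptpserver openvpn generic", v, " ")
        for (i = 1; i <= n; i++) valid[v[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    /^[ \t]/ {                              # TYPE must start in column 1
        printf "%d: TYPE must start in column 1\n", NR; bad = 1; next
    }
    {
        type = $1
        sub(/:.*/, "", type)                # assumption: options follow ":"
        if (!(type in valid)) {
            printf "%d: unknown TYPE %s\n", NR, $1; bad = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (documentation address, not from the thread).
write_sample() {
    cat > "$1" <<'EOF'
# TYPE     ZONE  GATEWAY
ip         net   192.0.2.1
ipip       net   192.0.2.1
generic:4  net   192.0.2.1
EOF
}

tmp=$(mktemp)
write_sample "$tmp"
check_tunnel_types "$tmp" || echo "tunnels file has invalid TYPE entries"
rm -f "$tmp"
```

The function exits non-zero when any entry is flagged, so it can gate a configuration change before the firewall is restarted.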