We had a running ipsec shorewall system to all of our remote offices. We added a dmz to the firewall and implemented proxy arp for that dmz. We have checked everything two or three times and cannot figure out why the vpns will no longer come up.

We are using shorewall version 2.2.3 from the debian stable sarge distribution. We noticed the errata that for 2.0.0 there was a problem with proxy arp & ipsec. Does that problem still exist for our version? Should we run the errata script or should we do something else to make proxy arp work with ipsec?

We are also thinking about switching to open vpn. Would we run into a similar issue?

Thanks in advance

Terry Hobart

P.S. We REALLY appreciate the fine product!
Hey Terry,

we are using OpenVPN with patched gentoo kernel 2.6.12-r9 and shorewall 2.4.2 with policy match available. Our OpenVPN is configured through proxy arp on the primary firewall. It works very well. There won't be similar issues with that if you set it up well, but I think it could be possible to erase the troubles with your platform. Which is it? Kernel Tools like kame, racoon and setkey, or else?

Cheers

Mike
I am not totally sure about your question but we are using freeswan. We can't figure out why just changing the main ip and adding dmz with proxy arp should kill our working vpn.

Terry
On Monday 06 February 2006 13:23, Terry Hobart wrote:
> I am not totally sure about your question but we are using freeswan. We
> can't figure out why just changing the main ip and adding dmz with proxy
> arp should kill our working vpn.

Terry -- if you can't figure it out, with all of the evidence there in front of you, I really don't know how you expect us to be able to help when all we know is that "you changed an ip address and added a dmz and now it doesn't work".

Hint: See http://www.shorewall.net/2.0/support.htm for the information we need to be able to help you.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
I'm sorry I should have been more specific. What I am asking is on version 2.2.3 should we be concerned with the 2.0.0 errata about proxy arp & ipsec. We are trying to determine if we should continue to look at our end or apply the errata fix first. We are just not sure if we are pounding our head against a wall we don't need to.

Sorry about the confusion

Terry
On Monday 06 February 2006 15:54, Terry Hobart wrote:
> I'm sorry I should have been more specific. What I am asking is on version
> 2.2.3 should we be concerned with the 2.0.0 errata about proxy arp & ipsec.
> We are trying to determine if we should continue to look at our end or
> apply the errata fix first. We are just not sure if we are pounding our
> head against a wall we don't need to.

The errata fix from 2.0.0 has been in all subsequent releases including 2.2.3.

-Tom
Thanks so much for your help. We will continue to beat the problem from our end.

Terry Hobart