Hi shorewall users,
could you please help me with this fw message?
May 27 11:19:17 pfw Shorewall:net2all:DROP:IN=eth0 OUT=eth2
SRC=80.178.213.211 DST=81.200.153.71 LEN=152 TOS=0x00 PREC=0x00 TTL=54
ID=256 DF PROTO=ESP SPI=0xdb45daed
Where DST=81.200.153.71 is my VPN gateway and SRC=80.178.213.211 is my
mobile with public ppp ip.
The VPN tunnel is established with udp 500 allowed, but if I try ping or ssh
from my mobile to my VPN clients it's blocked by the same shorewall which
allows udp 500 traffic (it's in front of the DST=81.200.153.71 firewall and
is proxyarp between both firewall and firewall/vpn gateway).
I would like to start working with rules, but I only know rules with udp or
tcp port.
How could I allow PROTO=ESP and should I name a port for that?
Is there anything written down on shorewall.net where others could share
their experiences with me?
Thanks for your great help!
Cheers
Mike