Hi All:
Ok, here is my network:
192.168.1.0/28 is the network behind the Cisco, the
Gig0/1 interface is 192.168.1.1.
Linux box is 192.168.1.96/28 behind with 192.168.1.97
the Eth1 interface.
I have the Ipsec tunnel up and working between them
using preshared keys. So that works.
Here is the Cisco tunnel setup:
interface Tunnel6
ip address 192.168.2.110 255.255.255.240
tunnel source 192.168.1.1
tunnel destination 192.168.1.97
Here is the Linux Tunnel setup:
modprobe ip_gre
ip tunnel add GDC1 mode gre remote 192.168.1.1 local 192.168.1.97 ttl 255
ip link set GDC1 up
ip addr add 192.168.2.97 dev GDC1
ip route add 192.168.1.0/28 dev GDC1
Now, using tcpdump, when shorewall is on I get this
when trying to ping from the cisco to 192.168.2.97:
01:05:48.995325 IP 192.168.2.97 > 192.168.2.110: icmp 108: host 192.168.2.97 unreachable
01:05:50.989891 IP 192.168.2.97 > 192.168.2.110: icmp 108: host 192.168.2.97 unreachable
01:05:52.992563 IP 192.168.2.97 > 192.168.2.110: icmp 108: host 192.168.2.97 unreachable
01:05:54.990278 IP 192.168.2.97 > 192.168.2.110: icmp 108: host 192.168.2.97 unreachable
01:05:56.992229 IP 192.168.2.97 > 192.168.2.110: icmp 108: host 192.168.2.97 unreachable
This tells me that the ping is getting through the
tunnel to the Linux box but can't get back. If I
shutdown shorewall, I get nothing on the tcpdump when I
ping from the Cisco.
I have my shorewall setup using the instructions on
the site for V2.x and Ipsec using Linux 2.6 and as I
say, that is working. The only thing I have added is a
change to my masq file:
#INTERFACE              SUBNET            ADDRESS  PROTO  PORT(S)  IPSEC
ppp1:!192.168.1.0/28    192.168.1.96/28
ppp1:!192.168.2.96/28   192.168.2.110/28
Where I added the bottom entry.
Question:
Are there other config files in shorewall I will need
to change?
Cheers,
John
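As an added troubleshooting aid (not part of John's post and not a reply from the list), here is a small Python checker that takes the Linux `ip tunnel` / `ip route` commands exactly as posted above and flags any route pointed into a GRE interface whose prefix also contains that tunnel's own remote endpoint, because the encapsulated GRE packets to that endpoint would then be routed back into the tunnel instead of out the underlying interface. The command text is a constructed copy of the post; no other assumptions are made.

```python
import ipaddress
import shlex

# Constructed copy of the Linux tunnel commands from the post (one command per line).
TUNNEL_CMDS = """
ip tunnel add GDC1 mode gre remote 192.168.1.1 local 192.168.1.97 ttl 255
ip link set GDC1 up
ip addr add 192.168.2.97 dev GDC1
ip route add 192.168.1.0/28 dev GDC1
"""


def parse_ip_commands(text):
    """Parse iproute2 commands.

    Returns (tunnels, routes): tunnels maps interface name -> {"remote", "local"};
    routes is a list of (prefix, device) for every 'ip route add ... dev X' line.
    """
    tunnels, routes = {}, []
    for line in text.strip().splitlines():
        argv = shlex.split(line)
        if argv[:3] == ["ip", "tunnel", "add"]:
            name = argv[3]
            # Remaining tokens are key/value pairs: mode gre remote A local B ttl N
            opts = dict(zip(argv[4::2], argv[5::2]))
            tunnels[name] = {
                "remote": ipaddress.ip_address(opts["remote"]),
                "local": ipaddress.ip_address(opts["local"]),
            }
        elif argv[:3] == ["ip", "route", "add"] and "dev" in argv:
            prefix = ipaddress.ip_network(argv[3], strict=False)
            routes.append((prefix, argv[argv.index("dev") + 1]))
    return tunnels, routes


def recursive_routes(tunnels, routes):
    """Return (prefix, dev, remote) for routes that swallow their own tunnel endpoint."""
    hits = []
    for prefix, dev in routes:
        tun = tunnels.get(dev)
        if tun and tun["remote"] in prefix:
            hits.append((str(prefix), dev, str(tun["remote"])))
    return hits


def check_posted_config():
    """Run the check over the commands from the post."""
    return recursive_routes(*parse_ip_commands(TUNNEL_CMDS))


if __name__ == "__main__":
    for prefix, dev, remote in check_posted_config():
        print(f"route {prefix} via {dev} covers {dev}'s remote endpoint {remote}")
```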