Shorewall users - Jul 2006 - GRE over IPSec Tunnels to a Cisco using Openswan

Hi All:

Ok, here is my network:

192.168.1.0/28 is the network behind the Cisco, the
Gig0/1 interface is 192.168.1.1.

Linux box is 192.168.1.96/28 behind with 192.168.1.97
the Eth1 interface.

I have the Ipsec tunnel up and working between them
using preshared keys. So that works.

Here is the Cisco tunnel setup:
interface Tunnel6
 ip address 192.168.2.110 255.255.255.240
 tunnel source 192.168.1.1
 tunnel destination 192.168.1.97


Here is the Linux Tunnel setup:
modprobe ip_gre
ip tunnel add GDC1 mode gre remote 192.168.1.1 local
192.168.1.97 ttl 255
ip link set GDC1 up
ip addr add 192.168.2.97 dev GDC1
ip route add 192.168.1.0\28 dev GDC1


Now, using tcpdump, when shorewall is on I get this
when trying to ping from the cisco to 192.168.2.97:
1:05:48.995325 IP 192.168.2.97 > 192.168.2.110: icmp
108: host 192.168.2.97 unreachable
01:05:50.989891 IP 192.168.2.97 > 192.168.2.110: icmp
108: host 192.168.2.97 unreachable
01:05:52.992563 IP 192.168.2.97 > 192.168.2.110: icmp
108: host 192.168.2.97 unreachable
01:05:54.990278 IP 192.168.2.97 > 192.168.2.110: icmp
108: host 192.168.2.97 unreachable
01:05:56.992229 IP 192.168.2.97 > 192.168.2.110: icmp
108: host 192.168.2.97 unreachable

This tells me that the ping is getting through the
tunnel to the Linux box but can''t get back. If I
shutdwon shoreall, I get nothing on the tcpdump when I
ping from the Cisco.

I have my shorewall setup using the instructions on
the site for V2.x and Ipsec using Linux 2.6 and as I
say, that is working. The only thing I have added is a
change to my masq file:
#INTERFACE              SUBNET          ADDRESS       
 PROTO   PORT(S) IPSEC
ppp1:!192.168.1.0/28    192.168.1.96/28
ppp1:!192.168.2.96/28   192.168.2.110/28

WHere I added the bottom entry.

Question:
Are there other config files in shorewall I will need
to change?

Cheers,
John

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642

On Sat, 2006-07-15 at 10:23 -0700, John Serink wrote:
> Question:
> Are there other config files in shorewall I will need
> to change?
Looking at your log with the aid of FAQ 17 will probably give you some
clues -- so will http://www.shorewall.net/IPIP.htm

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642