Sorry for two threads in one night. On upgrading my firewall to shorewall-perl-4.0 for the first time, I noticed traffic to my IPSec link being dropped after shorewall was reloaded. I installed shorewall-shell-4.0, and switched only the SHOREWALL_COMPILER line to shell, and lo and behold the exact same configs now worked.

My setup is virtually identical to that listed as "IPSec Gateway on the Firewall System" at http://shorewall.net/IPSEC-2.6.html (which is linked as the documentation for 4.0). My tunnels were the same, as was the zones file (ipv4 type for net and vpn), and my hosts file defined ipsec as an option.

Upon noticing that perl failed while shell worked, I took an iptables-save of both and compared. The single difference was that when compiled with perl, the rules for the vpn zone contained "--pol none" whereas shell generated "--pol ipsec" with the same config.

I changed away from the suggested configuration, and declared the zone type as "ipsec" rather than "ipv4", while removing the "ipsec" option from the hosts file. Lo and behold, now the perl compiler used "--pol ipsec" and my vpn connection worked instantly.

I don't see anything immediately obvious in the release notes that would explain this, so as far as I can tell this either means that there is a bug in the perl compiler, or the IPSec documentation on the website needs to be updated for version 4.0.

- Matt

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
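The comparison Matt describes above (taking an iptables-save of the perl-compiled and shell-compiled rulesets and looking at the policy match on the vpn zone's rules) can be scripted so the check survives the next upgrade. The following is an added example, not code from the Shorewall project or from the thread: it walks an iptables-save dump, finds the rules that jump into a zone's chains, and reports which `--pol` value each carries. The sample dumps, the assumption that the zone's chains are named `vpn2fw` and `fw2vpn`, and the interface names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of Shorewall or of the original post).
# Given an iptables-save dump, report the "-m policy --pol ..." value on
# every rule that jumps into ZONE2fw or fw2ZONE, and fail if any of them
# is not "--pol ipsec". Chain naming (ZONE2fw / fw2ZONE) is an assumption
# about Shorewall's default chain names; adjust if your rules differ.

# Constructed sample: what the perl compiler reportedly produced (--pol none).
PERL_DUMP='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:vpn2fw - [0:0]
:fw2vpn - [0:0]
:net2fw - [0:0]
-A INPUT -i eth0 -m policy --pol none --dir in -j vpn2fw
-A OUTPUT -o eth0 -m policy --pol none --dir out -j fw2vpn
-A INPUT -i eth0 -j net2fw
COMMIT'

# Constructed sample: what the shell compiler produced (--pol ipsec).
SHELL_DUMP='*filter
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:vpn2fw - [0:0]
:fw2vpn - [0:0]
:net2fw - [0:0]
-A INPUT -i eth0 -m policy --pol ipsec --dir in -j vpn2fw
-A OUTPUT -o eth0 -m policy --pol ipsec --dir out -j fw2vpn
-A INPUT -i eth0 -j net2fw
COMMIT'

# pol_for_zone ZONE DUMP
# Prints one line per rule that jumps to ZONE2fw or fw2ZONE:
#   <target chain> <pol value|missing>
pol_for_zone() {
  zone=$1
  printf '%s\n' "$2" | awk -v z="$zone" '
    /^-A / {
      target = ""; pol = "missing"
      for (i = 1; i <= NF; i++) {
        if ($i == "-j")    target = $(i + 1)
        if ($i == "--pol") pol    = $(i + 1)
      }
      if (target == z "2fw" || target == "fw2" z) print target, pol
    }'
}

# check_ipsec_zone ZONE DUMP
# Returns 0 only if every rule into ZONE matches "--pol ipsec"; a zone that
# is supposed to be reached only through IPSec must not accept "--pol none".
check_ipsec_zone() {
  bad=$(pol_for_zone "$1" "$2" | awk '$2 != "ipsec" { n++ } END { print n + 0 }')
  [ "$bad" -eq 0 ]
}

# Usage on a live box (not run here):
#   check_ipsec_zone vpn "$(iptables-save)" || echo "vpn zone rules lack --pol ipsec"
```

Run the check once per compiler (or per Shorewall version) and diff the two `pol_for_zone` listings; the `--pol none` versus `--pol ipsec` difference Matt found is exactly what the listing exposes.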
Cyber Dog wrote:
>
> I changed away from the suggested configuration, and declared the zone
> type as "ipsec" rather than "ipv4", while removing the "ipsec" option
> from the hosts file. Lo and behold, now the perl compiler used
> "--pol ipsec" and my vpn connection worked instantly.

Please see if the attached patch corrects the problem.

Thanks,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
On 7/22/07, Tom Eastep <teastep@shorewall.net> wrote:
> Cyber Dog wrote:
> >
> > I changed away from the suggested configuration, and declared the zone
> > type as "ipsec" rather than "ipv4", while removing the "ipsec" option
> > from the hosts file. Lo and behold, now the perl compiler used
> > "--pol ipsec" and my vpn connection worked instantly.
>
> Please see if the attached patch corrects the problem.

Yes indeed, that seems to do the trick. Thanks

> Thanks,
> -Tom