John Morris
2007-Sep-03 03:43 UTC
Shorewall + IPSec: help debugging why gw1<->gw2 SA works, but loc<->gw2 traffic doesn't trigger SA
Dear list,

I'm running Shorewall on a dedicated Fedora 7 box. Shorewall is working well as an office DSL router (dynamic IP) with loc and dmz zones. I am now trying to configure IPSec to connect a VPS, "casp", with a static IP to both the firewall and to the loc network behind it. The host to host SA works fine. However, pings from "loc" to "casp" can be seen coming in the loc zone's interface (tcpdump), but from there seem to just disappear: no log messages about the packets being rejected, and no attempt to negotiate the SA. I'm not an expert on Shorewall or IPSec, and am not sure where to look for the problem. Below is my setup, with IP addresses disguised to protect the innocent.

Thanks in advance for any help! Pointers on debugging interfaces besides tcpdump, the Shorewall logs and setkey are highly appreciated.

/etc/shorewall/hosts:
> #ZONE HOST(S) OPTIONS
> casp ppp0:1.2.3.4 ipsec
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

/etc/shorewall/interfaces:
> #ZONE INTERFACE BROADCAST OPTIONS
> net ppp0 detect tcpflags,dhcp,routefilter,nosmurfs,logmartians
> loc eth0 detect tcpflags,nosmurfs,dhcp
> dmz eth1 detect
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/masq:
> #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
> ppp0 eth0 # local
> ppp0 eth1 # dmz
> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

/etc/shorewall/policy:
> #SOURCE DEST POLICY LOG LIMIT:BURST
> # LEVEL
> # VPN: FW + loc to casp
> #
> loc casp ACCEPT info
> casp loc ACCEPT info
> $FW casp ACCEPT info
> casp $FW ACCEPT info
> #
> # Policies for traffic originating from the local LAN (loc)
> #
> loc net ACCEPT
> loc dmz ACCEPT
> loc $FW REJECT info
> loc all REJECT info
> #
> # Policies for traffic originating from the firewall ($FW)
> #
> $FW net ACCEPT
> $FW dmz REJECT info
> $FW loc REJECT info
> $FW all REJECT info
> #
> # Policies for traffic originating from the De-Militarized Zone (dmz)
> #
> dmz net ACCEPT info
> dmz $FW REJECT info
> dmz loc REJECT info
> dmz all REJECT info
> #
> # Policies for traffic originating from the Internet zone (net)
> #
> net dmz DROP info
> net $FW DROP info
> net loc DROP info
> net all DROP info
>
> # THE FOLLOWING POLICY MUST BE LAST
> all all REJECT info
>
> #LAST LINE -- DO NOT REMOVE

/etc/shorewall/rules:
> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK
> # PORT PORT(S) DEST LIMIT GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
>
> #
> # Accept ipsec to/from the firewall
> #
> ACCEPT $FW any 50
> ACCEPT any $FW 50
> ACCEPT $FW any udp 500
> ACCEPT any $FW udp 500
> #
> # Forward specific connections from the firewall to local machines
> #
> DNAT net loc:192.168.3.14 tcp 25
> DNAT net loc:192.168.3.15 udp 4569
> #
> # Accept DNS connections from the firewall to the Internet
> #
> DNS/ACCEPT $FW net
> DNS/ACCEPT $FW loc
> DNS/ACCEPT $FW casp
> #
> #
> # Accept SSH connections from the local network to the firewall and DMZ
> #
> SSH/ACCEPT loc $FW
> SSH/ACCEPT loc dmz
> SSH/ACCEPT net $FW
> SSH/ACCEPT $FW casp
> SSH/ACCEPT $FW loc
> #
> # DMZ DNS access to the Internet
> #
> DNS/ACCEPT dmz net
>
> # Reject Ping from the "bad" net zone.
>
> Ping/REJECT net $FW
> #
> # Make ping work bi-directionally between the dmz, net, Firewall and local zone
> # (assumes that the loc-> net policy is ACCEPT).
> #
> Ping/ACCEPT loc $FW
> Ping/ACCEPT dmz $FW
> Ping/ACCEPT loc dmz
> Ping/ACCEPT dmz loc
> Ping/ACCEPT dmz net
> Ping/ACCEPT loc casp
> Ping/ACCEPT casp loc
>
> ACCEPT $FW net icmp
> ACCEPT $FW loc icmp
> ACCEPT $FW dmz icmp
> ACCEPT $FW casp icmp
>
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/tunnels:
> #TYPE ZONE GATEWAY GATEWAY
> # ZONE
> ipsec net 1.2.3.4 casp
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones:
> #ZONE TYPE OPTIONS IN OUT
> # OPTIONS OPTIONS
> casp ipsec
> fw firewall
> net ipv4
> loc ipv4
> dmz ipv4
> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

/etc/racoon/racoon.conf (dynamically generated):
> path certificate "/etc/racoon/certs";
>
> listen
> {
> isakmp 5.6.7.8;
> }
>
> remote 1.2.3.4
> {
> exchange_mode main;
> certificate_type x509 "sandy.pem" "sandy_key.pem";
> verify_cert on;
> my_identifier asn1dn ;
> peers_identifier asn1dn ;
> verify_identifier on ;
> lifetime time 24 hour ;
> proposal {
> encryption_algorithm blowfish;
> hash_algorithm sha1;
> authentication_method rsasig ;
> dh_group 2 ;
> }
> }
>
> sainfo address 192.168.3.0/24 any address 1.2.3.4/32 any
> {
> pfs_group 2;
> lifetime time 12 hour ;
> encryption_algorithm blowfish ;
> authentication_algorithm hmac_sha1, hmac_md5 ;
> compression_algorithm deflate ;
> }
>
> sainfo address 5.6.7.8/32 any address 1.2.3.4/32 any
> {
> pfs_group 2;
> lifetime time 12 hour ;
> encryption_algorithm blowfish ;
> authentication_algorithm hmac_sha1, hmac_md5 ;
> compression_algorithm deflate ;
> }

/etc/racoon/setkey.conf (dynamically generated):
> flush;
> spdflush;
> spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
> spdadd 1.2.3.4/32 5.6.7.8/32 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
> spdadd 1.2.3.4/32 192.168.3.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
> spdadd 192.168.3.0/24 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;

Output of setkey commands:
> # setkey -D
> 5.6.7.8 1.2.3.4
> esp mode=tunnel spi=44968740(0x02ae2b24) reqid=0(0x00000000)
> E: blowfish-cbc bbe97c73 9f8e2a29 d707c1b5 385b91a2
> A: hmac-sha1 370d0ac2 c507d432 1a5b48b5 ceb7d2d9 c42a7718
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: Sep 3 17:12:02 2007 current: Sep 3 19:31:38 2007
> diff: 8376(s) hard: 43200(s) soft: 34560(s)
> last: Sep 3 17:12:02 2007 hard: 0(s) soft: 0(s)
> current: 2096(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 17 hard: 0 soft: 0
> sadb_seq=1 pid=4820 refcnt=0
> 1.2.3.4 5.6.7.8
> esp mode=tunnel spi=116316636(0x06eed9dc) reqid=0(0x00000000)
> E: blowfish-cbc 4a0d645b bd27c956 8ff054fd f530c6ff
> A: hmac-sha1 4e188a7e e5a78e6b 4330bf40 63d26fad 67127967
> seq=0x00000000 replay=4 flags=0x00000000 state=mature
> created: Sep 3 17:12:02 2007 current: Sep 3 19:31:38 2007
> diff: 8376(s) hard: 43200(s) soft: 34560(s)
> last: Sep 3 17:12:03 2007 hard: 0(s) soft: 0(s)
> current: 1244(bytes) hard: 0(bytes) soft: 0(bytes)
> allocated: 15 hard: 0 soft: 0
> sadb_seq=0 pid=4820 refcnt=0
>
> # setkey -DP
> 192.168.3.0/24[any] 1.2.3.4[any] any
> in prio def ipsec
> esp/tunnel/5.6.7.8-1.2.3.4/require
> created: Sep 3 17:11:49 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2184 seq=1 pid=4821
> refcnt=1
> 1.2.3.4[any] 5.6.7.8[any] any
> in prio def ipsec
> esp/tunnel/1.2.3.4-5.6.7.8/require
> created: Sep 3 17:11:49 2007 lastused: Sep 3 17:55:24 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2160 seq=2 pid=4821
> refcnt=1
> 1.2.3.4[any] 192.168.3.0/24[any] any
> out prio def ipsec
> esp/tunnel/1.2.3.4-5.6.7.8/require
> created: Sep 3 17:11:49 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2177 seq=3 pid=4821
> refcnt=1
> 5.6.7.8[any] 1.2.3.4[any] any
> out prio def ipsec
> esp/tunnel/5.6.7.8-1.2.3.4/require
> created: Sep 3 17:11:49 2007 lastused: Sep 3 17:55:24 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2153 seq=4 pid=4821
> refcnt=1
> 192.168.3.0/24[any] 1.2.3.4[any] any
> fwd prio def ipsec
> esp/tunnel/5.6.7.8-1.2.3.4/require
> created: Sep 3 17:11:49 2007 lastused: Sep 3 19:31:56 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2194 seq=5 pid=4821
> refcnt=2
> 1.2.3.4[any] 5.6.7.8[any] any
> fwd prio def ipsec
> esp/tunnel/1.2.3.4-5.6.7.8/require
> created: Sep 3 17:11:49 2007 lastused:
> lifetime: 0(s) validtime: 0(s)
> spid=2170 seq=6 pid=4821
> refcnt=1
> (per-socket policy)
> in none
> created: Sep 3 17:11:50 2007 lastused: Sep 3 17:12:02 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2203 seq=7 pid=4821
> refcnt=1
> (per-socket policy)
> out none
> created: Sep 3 17:11:50 2007 lastused: Sep 3 17:12:02 2007
> lifetime: 0(s) validtime: 0(s)
> spid=2212 seq=0 pid=4821
> refcnt=1
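A consistency check for the spdadd lines in a setkey.conf like the one posted above, added here as an example and not part of the original post or of Shorewall/racoon. It assumes, from the post, that 5.6.7.8 is the gateway's own ppp0 address, 192.168.3.0/24 the LAN behind it and 1.2.3.4 the peer; a setkey `out` policy is only consulted for packets leaving the host that holds it, so its selector source must be local and its tunnel endpoints written local-remote, and an `in` policy is the mirror image.

```python
"""Sanity-check setkey(8) spdadd entries for a gateway-to-host IPsec tunnel.

Added example, not part of the original post: it parses spdadd lines in the
style of the /etc/racoon/setkey.conf above and reports entries whose direction
contradicts their selector or tunnel endpoint order. Assumed from the post:
5.6.7.8 is this gateway, 192.168.3.0/24 the LAN behind it, 1.2.3.4 the peer.
"""
import ipaddress
import re

# spdadd SRC DST UPPER -P DIR ipsec PROTO/MODE/TSRC-TDST/LEVEL ;
SPDADD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+ipsec\s+"
    r"(\w+)/(tunnel|transport)/(?:([^-\s/]+)-([^/\s]+))?/(\w+)\s*;"
)

GATEWAY = "5.6.7.8"            # the firewall's public (ppp0) address
LAN_NETS = ["192.168.3.0/24"]  # subnets behind the firewall

# The four policies exactly as posted (constructed input for this example).
POSTED_SPD = """
spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4/32 5.6.7.8/32 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 1.2.3.4/32 192.168.3.0/24 any -P out ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.3.0/24 1.2.3.4/32 any -P in ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
"""

# The same file with the LAN pair written the way that traffic actually flows.
CORRECTED_SPD = """
spdadd 5.6.7.8/32 1.2.3.4/32 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4/32 5.6.7.8/32 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
spdadd 192.168.3.0/24 1.2.3.4/32 any -P out ipsec esp/tunnel/5.6.7.8-1.2.3.4/require;
spdadd 1.2.3.4/32 192.168.3.0/24 any -P in ipsec esp/tunnel/1.2.3.4-5.6.7.8/require;
"""


def _net(s):
    # A bare address is treated as a /32 prefix.
    return ipaddress.ip_network(s if "/" in s else s + "/32")


def parse_spd(text):
    """Return one dict per spdadd statement; flush/spdflush lines are ignored."""
    policies = []
    for m in SPDADD_RE.finditer(text):
        src, dst, _upper, direction, proto, mode, tsrc, tdst, level = m.groups()
        policies.append({"src": _net(src), "dst": _net(dst), "dir": direction,
                         "proto": proto, "mode": mode, "tsrc": tsrc,
                         "tdst": tdst, "level": level, "text": m.group(0)})
    return policies


def check_spd(text, gateway, lan_nets):
    """Return (policy_text, problem) pairs for entries that can never match.

    'out' is consulted for packets leaving this host, 'in' for packets arriving;
    the kernel derives the 'fwd' entries from 'in' itself, so they are skipped.
    """
    local = [_net(gateway)] + [_net(n) for n in lan_nets]
    policies = parse_spd(text)
    problems = []
    for p in policies:
        if p["dir"] == "out":
            if not any(p["src"].subnet_of(n) for n in local):
                problems.append((p["text"], "out policy with non-local source selector"))
            if p["mode"] == "tunnel" and p["tsrc"] != gateway:
                problems.append((p["text"], "out policy whose tunnel source is not this gateway"))
            # Each out policy needs an in policy with selectors and endpoints swapped.
            if not any(q["dir"] == "in" and q["src"] == p["dst"] and q["dst"] == p["src"]
                       and q["tsrc"] == p["tdst"] and q["tdst"] == p["tsrc"] for q in policies):
                problems.append((p["text"], "no mirrored in policy"))
        elif p["dir"] == "in":
            if not any(p["dst"].subnet_of(n) for n in local):
                problems.append((p["text"], "in policy with non-local destination selector"))
            if p["mode"] == "tunnel" and p["tdst"] != gateway:
                problems.append((p["text"], "in policy whose tunnel destination is not this gateway"))
    return problems
```

Run over the posted file it flags only the two 192.168.3.0/24 entries: the LAN's traffic to casp leaves the gateway, so it needs an `out` policy with the tunnel written 5.6.7.8-1.2.3.4 to trigger negotiation, while as posted the forwarded pings meet only the kernel-derived `fwd` entry (the one with a recent lastused in the `setkey -DP` output), which requires them to have arrived through the tunnel and so discards them without a Shorewall log line.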
John McMonagle
2007-Sep-26 16:30 UTC
Re: Shorewall + IPSec: help debugging why gw1<->gw2 SA works, but loc<->gw2 traffic doesn't trigger SA
John

Did you find the source of your problem?
I have the same problem :(

John

John Morris wrote:
> Dear list,
>
> I'm running Shorewall on a dedicated Fedora 7 box. Shorewall is
> working well as an office DSL router (dynamic IP) with loc and dmz
> zones. I am now trying to configure IPSec to connect a VPS, "casp",
> with a static IP to both the firewall and to the loc network behind
> it. The host to host SA works fine. However, pings from "loc" to
> "casp" can be seen coming in the loc zone's interface (tcpdump), but
> from there seem to just disappear: no log messages about the packets
> being rejected, and no attempt to negotiate the SA. I'm not an expert
> on Shorewall or IPSec, and am not sure where to look for the problem.
> Below is my setup, with IP addresses disguised to protect the innocent.
>
> Thanks in advance for any help! Pointers on debugging interfaces
> besides tcpdump, the Shorewall logs and setkey are highly appreciated.
Tom Eastep
2007-Sep-26 16:37 UTC
Re: Shorewall + IPSec: help debugging why gw1<->gw2 SA works, but loc<->gw2 traffic doesn't trigger SA
John McMonagle wrote:
> John
>
> Did you find the source of your problem?
> I have the same problem :(
>

We on the list are not going to be able to help either one of you unless we get real information about your configurations. Please see http://www.shorewall.net/support.htm#Guidelines

-Tom

--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Jesse W. Hathaway
2007-Sep-27 20:06 UTC
Re: Shorewall + IPSec: help debugging why gw1<->gw2 SA works, but loc<->gw2 traffic doesn't trigger SA
> John McMonagle wrote:
> > John
> >
> > Did you find the source of your problem?
> > I have the same problem :(
> >
>
> We on the list are not going to be able to help either one of you unless we
> get real information about your configurations. Please see
> http://www.shorewall.net/support.htm#Guidelines

I ended up taking Tom's original suggestion and went with a sane VPN solution, namely OpenVPN. I had originally tried OpenVPN, but had performance issues that I misattributed to OpenVPN; in actuality it was due to a misconfigured MTU on one of my NICs. So I suggest trying OpenVPN. Thanks Tom for the help and all your great work on Shorewall.

-Jesse