Ibrahim Hamouda wrote:
> Hi All
> I have a shorewall configuration as shown in the attached status file.
>
> OS: ubuntu 8.04
> Shorewall: 4.0.6
> openswan: 2.4.15
>
> I have three different internal subnets each of them in its own zone.
>
> I have a problem with two ipsec tunnels,
> 1- First one connecting through vpn2 zone to remote subnet
> 192.168.48.0/24, it connects to the loc53 zone on this firewall, the
> tunnel comes up I can ping the remote 48 network from this firewall and
> also the remote firewall itself.
> From the remote firewall I can ping this firewall but the local
> system I get destination unreachable
>
> 2- Second tunnel is on vpn4, the other side is a cisco pix501 this
> tunnel doesn't come up at all, and I see all2all FORWARD REJECT in
> the logs
>
> Any help will be appreciated and any more information I'm here to
> provide it.
Several things:
a) Always test IPSEC first *without Shorewall* (do 'shorewall clear' and
be sure to 'shorewall start' after the test). Otherwise, you don't know
if your connection issues are because of IPSEC or because of Shorewall
or both.
b) Your Shorewall configuration makes absolutely no sense. You seem to
have 20 vpn zones, all defined identically! So when you say 'connecting
through vpn2 zone', that is nonsense. All IPSEC traffic is 'connecting
through vpn1'.
c) Please consult Shorewall FAQ 17 for information concerning REJECT and
DROP in the FORWARD chain.
d) Given that you are running Shorewall 4, you should really be using
Shorewall-perl rather than Shorewall-shell.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
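
Point (b) in the reply above, as an added example that is not part of the original message or of Shorewall itself: a shell function that groups the zones in a Shorewall hosts file by identical definition, so zones that can never be told apart stand out. The function names, the assumed `ZONE HOST(S) OPTIONS` column layout and the sample entries are assumptions constructed for illustration, not the poster's configuration.

```shell
#!/bin/sh
# Added example: group zones in a Shorewall hosts file by identical definition.
# Assumed column layout: ZONE  HOST(S)  OPTIONS

find_identical_zones() {
    # $1: path to a hosts file
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comment and blank lines
        {
            sub(/[ \t]*#.*$/, "")             # drop a trailing comment
            opts = (NF >= 3) ? $3 : "-"
            key = $2 " " opts                 # definition = hosts + options
            if (!(key in count)) order[++n] = key
            count[key]++
            zones[key] = zones[key] " " $1
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (count[k] > 1)
                    printf "identical:%s (%s)\n", zones[k], k
            }
        }
    ' "$1"
}

# Constructed sample, not the poster's configuration.
sample_hosts() {
    cat <<'EOF'
#ZONE   HOST(S)               OPTIONS
vpn1    eth0:0.0.0.0/0        ipsec
vpn2    eth0:0.0.0.0/0        ipsec
vpn3    eth0:0.0.0.0/0        ipsec   # same as vpn1
rem1    eth0:192.0.2.0/24     ipsec
EOF
}

tmp=$(mktemp)
sample_hosts > "$tmp"
find_identical_zones "$tmp"
rm -f "$tmp"
```

The comparison is a literal string match on the hosts and options columns, so the same options listed in a different order count as different definitions.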