similar to: Bug: New IPSEC support in 2.1.3

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I announced earlier, I''m on vacation this week and we are spending the week at our second home. Before I left, I simulated an IPSEC tunnel between this house and our home in the Seattle area and I''m pleased to announce that the real tunnel works flawlessly. So I believe that I have done all of the testing that I can on the new

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello! > > > Machine A > WAN IP: 123.123.123.111 > LAN IP: 192.168.177.1 > > > Machine A wants to connect through an IPsec tunnel to 192.168.176.2 tcp 110 (pop3). > > kernel: Shorewall:all2all:REJECT: > IN= OUT=ppp0 SRC=123.123.123.111 DST=192.168.176.2 > LEN=60 TOS=0x10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > > #--- file: policy --- > #vpn policies: > loc vpn ACCEPT info > fw vpn ACCEPT info > vpn loc ACCEPT info > vpn fw ACCEPT info > > net

http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.3 ftp://shorewall.net/pub/shorewall/2.1/shorewall-2.1.3 This version includes my first cut at IPSEC support for 2.6 Kernels with the new policy match facility. That facility must be installed using patch-o-matic-ng as described on the Netfilter site. I''m anticipating that the facility will be part of standard kernels by the time

FYI... ---------- Forwarded Message ---------- Subject: RE: [Shorewall-users] 2.6 kernel ipsec and shorewall Date: Thursday 23 September 2004 07:44 From: "Jonathan Schneider" <jon@clearconcepts.ca> To: "''Tom Eastep''" <teastep@shorewall.net> I must have been up too late working on this, looking at it the next day I noticed I completely forgot

A merged patch usable on 2.6.10 has been placed in: http://shorewall.net/pub/shorewall/contrib/IPSEC/ipsec-nat-2.6.10.patch ftp://shorewall.net/pub/shorewall/contrib/IPSEC/ipsec-nat-2.6.10.patch This patch was posted today on the Netfilter Development list -- I have not tested it. -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net

I''ve successfully tested an IPSEC Roadwarrior configuration where both the gateway and the roadwarrior are runniing 2.6 with Racoon. The Shorewall IPSEC-2.6 documentation (http://shorewall.net/IPSEC.htm) has been updated to reflect my experimentation. Note that you can get the new ''ipsecvpn'' script from CVS until I release RC1 in the next day or so. -Tom -- Tom

I am engaged in a discussion on the Netfilter development list about Netfilter and IPSEC in the 2.6 kernels. There is uniform agreement that the current implementation is unacceptable and a design for an improved facility is emerging. Until that design is implemented and available, I will not be doing anything more in Shorewall to accommodate the current implementation. -Tom -- Tom Eastep

Just to close this thread... -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

The patches may be found at: http://shorewall.net/pub/shorewall/contrib/IPSEC ftp://shorewall.net/pub/shorewall/contrib/IPSEC I found these patches on the netfilter-devel list and make no warranties as to how well they work (or not). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > I am using kernel 2.6.6 native ipsec with racoon and shorewall 2.1.9 > in production for one week now. I just want to tell you that it seems > to run stable here. > > I am going to extend my setup to a 3 gateway setup soon. > Afterwards I will try to also get roadwarriors in. > I will report on that

While I have concentrated on support for 2.6 native IPSEC in release 2.2.0, I am still of the opinion that unless you absolutely need IPSEC compatibility that OpenVPN is a much easier (and in the case of roadwarriors, a much better) solution. Having already generated all of the required X.509 certificates, it took me less than 1/2 hr to replace my IPSEC testbed with an OpenVPN one using the new

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running, > but I still have a problem: > > Validating hosts file... > Error: Your kernel and/or iptables does not not support policy match: ipsec > > I had a look for netfilter patch-o-matic, but I did not find the

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.4 ftp://shorewall.net/pub/shorewall/2.1/shorewall-2.1.4 Contains improvements to the support for kernel 2.6 IPSEC. Warning: The Netfilter IPSEC changes that this version of Shorewall depends on do not appear to work properly with bridging. I therefore recommend that you not try ipsec to/from a

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.5 ftp://shorewall.net/pub/shorewall/2.1/shorewall-2.1.5 This completes the implementation of Kernel 2.6 IPSEC support in Shorewall. Documentation is still minimal -- see the releasenotes and http://shorewall.net/IPSEC-2.6.html - -Tom - -- Tom Eastep \ Nothing is foolproof to a sufficiently

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I''ve built a 1.2.9 iptables RPM that corrects the two iptables-save problems that I know about. It is available at: http://shorewall.net/pub/shorewall/iptables/iptables-1.2.9-95.7.i386.rpm ftp://shorewall.net/pub/shorewall/iptables/iptables-1.2.9-95.7.i386.rpm I''m using this on SuSe 9.1 -- for other distros, YYMV... This RPM works

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The first beta in the 2.2 series is now available. Download location is: http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta1 The features available in this release and the migration considerations are covered in the release notes. Highlights include: 1. The behavior

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

What do I have to do to pass ipsec traffic through shorewall? I am not using ipsec to create a tunnel, I am using it in transport mode to encrypt communications between specific hosts on my LAN. when the firewall is clear''d traffic works perfectly and i am able to communicate with the hosts i have setup ipsec on, however when i start shorewall i cannot communicate with those hosts