similar to: IPSEC-Netfilter patch for 2.6.10

The patches may be found at: http://shorewall.net/pub/shorewall/contrib/IPSEC ftp://shorewall.net/pub/shorewall/contrib/IPSEC I found these patches on the netfilter-devel list and make no warranties as to how well they work (or not). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP

FYI... ---------- Forwarded Message ---------- Subject: RE: [Shorewall-users] 2.6 kernel ipsec and shorewall Date: Thursday 23 September 2004 07:44 From: "Jonathan Schneider" <jon@clearconcepts.ca> To: "''Tom Eastep''" <teastep@shorewall.net> I must have been up too late working on this, looking at it the next day I noticed I completely forgot

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello! > > > Machine A > WAN IP: 123.123.123.111 > LAN IP: 192.168.177.1 > > > Machine A wants to connect through an IPsec tunnel to 192.168.176.2 tcp 110 (pop3). > > kernel: Shorewall:all2all:REJECT: > IN= OUT=ppp0 SRC=123.123.123.111 DST=192.168.176.2 > LEN=60 TOS=0x10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running, > but I still have a problem: > > Validating hosts file... > Error: Your kernel and/or iptables does not not support policy match: ipsec > > I had a look for netfilter patch-o-matic, but I did not find the

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

http://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 ftp://shorewall.net/pub/shorewall/2.2-Beta/shorewall-2.2.0-Beta2 Problems Corrected: 1. The "shorewall check" command results in the (harmless) error message: /usr/share/shorewall/firewall: line 2753: check_dupliate_zones: command not found 2. The

I''ve successfully tested an IPSEC Roadwarrior configuration where both the gateway and the roadwarrior are runniing 2.6 with Racoon. The Shorewall IPSEC-2.6 documentation (http://shorewall.net/IPSEC.htm) has been updated to reflect my experimentation. Note that you can get the new ''ipsecvpn'' script from CVS until I release RC1 in the next day or so. -Tom -- Tom

I am engaged in a discussion on the Netfilter development list about Netfilter and IPSEC in the 2.6 kernels. There is uniform agreement that the current implementation is unacceptable and a design for an improved facility is emerging. Until that design is implemented and available, I will not be doing anything more in Shorewall to accommodate the current implementation. -Tom -- Tom Eastep

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > > #--- file: policy --- > #vpn policies: > loc vpn ACCEPT info > fw vpn ACCEPT info > vpn loc ACCEPT info > vpn fw ACCEPT info > > net

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I announced earlier, I''m on vacation this week and we are spending the week at our second home. Before I left, I simulated an IPSEC tunnel between this house and our home in the Seattle area and I''m pleased to announce that the real tunnel works flawlessly. So I believe that I have done all of the testing that I can on the new

While I have concentrated on support for 2.6 native IPSEC in release 2.2.0, I am still of the opinion that unless you absolutely need IPSEC compatibility that OpenVPN is a much easier (and in the case of roadwarriors, a much better) solution. Having already generated all of the required X.509 certificates, it took me less than 1/2 hr to replace my IPSEC testbed with an OpenVPN one using the new

Magnus Hyllander wrote: > > I guess what I''m wondering is, how does Shorewall (netfilter) know which > zone a certain road warrior belongs to? I''ve just completed getting dynamic zones working with ipsec again. A dynamic IPSEC zone is defined in /etc/shorewall/zones by following the short name (first column) with ":ipsec". The code is in CVS. There are a

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > I am using kernel 2.6.6 native ipsec with racoon and shorewall 2.1.9 > in production for one week now. I just want to tell you that it seems > to run stable here. > > I am going to extend my setup to a 3 gateway setup soon. > Afterwards I will try to also get roadwarriors in. > I will report on that

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have been testing the new IPSEC 2.6 kernel support this morning using transport mode over a wireless link. I have discovered one bug which is corrected in the file at: ftp://shorewall.net/pub/shorewall/errata/2.1.3/firewall - -Tom - -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net

Unpatched 2.6.10 kernels are apparently broken WRT TCP connection tracking. Established connections that are ended with an RST are not removed from the conntrack table. See: http://lists.netfilter.org/pipermail/netfilter-devel/2005-January/017956.html -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \

Jason Wohlford wrote: > > linux:/etc/shorewall# shorewall check > /sbin/shorewall: line 261: Added: command not found > Loading /usr/share/shorewall/functions... > Processing /etc/shorewall/params ... > Processing /etc/shorewall/shorewall.conf... > /usr/share/shorewall/firewall: line 261: Added: command not found BTW -- it looks like you have a missing "#" on a

http://shorewall.net/pub/shorewall/2.1/shorewall-2.1.3 ftp://shorewall.net/pub/shorewall/2.1/shorewall-2.1.3 This version includes my first cut at IPSEC support for 2.6 Kernels with the new policy match facility. That facility must be installed using patch-o-matic-ng as described on the Netfilter site. I''m anticipating that the facility will be part of standard kernels by the time

-- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key

FYI This bug will prevent ''shorewall restore'' from working if you have "!<single IP address>" in the ORIGINAL DEST column. -Tom ---------- Forwarded Message ---------- Subject: [PATCH] Another iptables-save buglet Date: Wednesday 14 September 2005 15:09 From: Tom Eastep <teastep@shorewall.net> To: netfilter-devel@lists.netfilter.org The conntrack

Just to close this thread... -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key