similar to: ipsec-netfilter patches for 2.6.9

I am considering replacing my old checkpoint and watchguard firewalls witha single Linux box using iptables and shorewall. I have two ISP''s (with separate routing tables), two DMZ''s, at least one VPN to a remote office, and a local trusted network. The configuration will look like: +----------------+ | | net0 ----------+ eth1

I set up an ipsec/racoon vpn tunnel test environment. The gateway machines are 192.168.0.30 and 192.168.0.31 on the external adaptor and 10.0.1.1 and 10.0.2.1 internally. The test workstations are 10.0.1.10 and 10.0.2.10. The tunnel seems to be working as in 10.0.1.10 can talk to 10.0.2.10 an vice versa and they can both use the net via NAT, however 192.168.0.30 and 192.168.0.31 cannot directly

I''m havign a HUGE amount of difficulty getting shoreline to work with LVS. We use it here constantly so we know it works. The problem is packets come in, get directed to a webserver, webserver returns the packet to firewall, and then it goes into a black hole. rp_filter is off globally on all interfaces. LVS seems to be working right.... I use shorewall tcrules to mark packets on

I have problems connecting IPSEC VPN clients on the masqueraded network to outside VPN servers. It looks like this: ipsec-user | 192.168.1.10 (DHCP assigned) | | 192.168.1.1 fw-1 (shorewall, Linux 2.6) | 20.20.20.20 (internet) | 30.30.30.30 fw-2 (IPSEC VPN endpoint) | 192.168.100.1 | | 192.168.100.2 server ipsec-user (a road warrior) is supposed to create an IPSEC tunnel to his home

Dear List! I use a shorewall 2.0.8 on a Debian sarge system. I use a DSL connection to the Internet (ppp0 - eth1 to the modem) and a bridge to the local lan. The bridged config i''ve made with bridge.html from the shorewall site. The Bridge is between local net and a openvpn tap device. This works. I ccan make tunnels, and a can make a lot of things through the firewall. I can get a list

Sat Mar 22 14:16:55 CST 2003 This post is a bit long, but I want to make sure I am providing the information up front that can help in others helping me solve this mystery. I am having a bit of difficulty getting Shorewall to work with SecuRemote and its FW-1 server. I have attached the "rules" file I am using and the output of "shorewall show nat". The diagram below

Hello, Having combed through the changefile from kernel.org it seems to me that policy matching is still not in the 2.6 kernel. Is that a sadly correct statement? Joh

Hi there, can anyone point me to the docs needed to support Tagged Vlans through Shorewall. I might just be blind or my understanding of Tagged Vlans isn''t good enough yet to find it. Axel

I read LinuxFest NW 2005 Presentation pdf. On page 32, mentioned it required patches on kernel 2.6.x and netfilter and It only said that SuSE 9.2 and 9.3 had patches on it''s stock kernel. I''m using Redhat AS 4. Anybody knows does the stock kernel and netfilter had theses patches patched ? or How should I know the kernel and netfilter had these patches applied ? thanks!

Hello ! I have a performance issue with Kernel 2.6.X and policy match support as suggested in http://shorewall.net/IPSEC-2.6.html. My IPSEC performance doesn''t exeed about 30kbyte/sec even if my downlink is 1024kbit/sec and should reach more than 100kbyte/sec. No, its not the cpu''s performance (AMD Barton 2500+) and no it''s not the gateway (CELERON 600 Mhz) on the

Hi, I''m asking my question here, because I could not find any answer to my problem, but I''m affraid shorewall is not the one to blame. First of all I''m using shorewall version 2.0.15 on two linux box. I set up an ipsec tunnel beetween those 2 boxes to be ables to connect 2 not routable subnetworks. Here is my network topology: 10.66.17.0/24 - 10.66.17.1 = eth0

Hello everyone, I''m not sure whether to place my question here or in the racoon mailing list or even in that of iptables. I have created an ipsec connection with racoon in tunnel mode to another gateway to connect one subnet on each side to each other. This works fine. Only the ipsec gateway itself can''t send packages to the opposite subnet. Shorewall is configured according

Hello all -- I am trying to get Shorewall, ipsec and RedHat ES version 3 to cooperate. Before posting any specific problems, I thought I''d find out if I have the right stuff to work with. (I''ve gotten ipsec to work flawlessly with Shorewall using RH 8 and 9 kernels, so I have some experience with it. Shorewall 2.0.12 works fine on this ES 3 box, except for the ipsec part)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 claas@rootdir.de wrote: > Hello, > > > I am trying to get ipsec with kernel 2.6.8.1 and shorewall 2.1.9 running, > but I still have a problem: > > Validating hosts file... > Error: Your kernel and/or iptables does not not support policy match: ipsec > > I had a look for netfilter patch-o-matic, but I did not find the

class wrote on 06/10/2004 11:18:48: > Hello, I have the following situation: > > 192.168.176.0/24 ------ A ========== B ------ 192.168.177.0/24 > 192.168.176.2 pop3 ipsec > racoon > > > policy: (Machine A and B) > ------- > loc vpn ACCEPT > vpn loc ACCEPT > all

class wrote on 06/10/2004 11:18:48: > Hello, I have the following situation: > > 192.168.176.0/24 ------ A ========== B ------ 192.168.177.0/24 > 192.168.176.2 pop3 ipsec > racoon > > > policy: (Machine A and B) > ------- > loc vpn ACCEPT > vpn loc ACCEPT > all

I see support in shorewall for the KAME-tools, how about strongswan ? I have setup shorewall 3.4.4 and strongswan 4.1.3, making this my vpn-gateway for the subnet behind it. # Shorewall version 3.4 - Zones File #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall fil ipsec mode=tunnel mss=1400 net ipv4

hi, there is no support for patch-o-matic netfilter modules. what i have to do if i want to use several patch-o-matic modules? which parts of code has to be changed and will that changed be included into the main shorewall tree in future or not? best regards claus

>From your post on Oct. 4, 2004 >As I announced earlier, I''m on vacation this week and we are spending >the week at our second home. Before I left, I simulated an IPSEC tunnel >between this house and our home in the Seattle area and I''m pleased to >announce that the real tunnel works flawlessly. > >So I believe that I have done all of the testing that I can

Tom, After reading your latest postings, I am correct in understanding that, even with the netfilter-ipsec and policy patches in kernel 2.6, I still would not be able to connect more that one roadwarrior at a time? Mitch