similar to: Multi-Hop VPN Issue looking for Solutions

Displaying 20 results from an estimated 2000 matches similar to: "Multi-Hop VPN Issue looking for Solutions"

2004 Dec 30
19
OpenVPN tun Interface
I have a zone "rw" defined as tun0 in interfaces. From that zone, pings to zone "loc" succeed but pings to remote networks (On IPsec VPNs) are rejected in the all2all chain. From my point of view, these pings should be in the rw2cctc chain. (rw to cctc is ACCEPTed in policy.) I must have a hole in my config, where would it be? Thanks, A.
2005 Feb 07
9
Zoning Out
I'm getting my zones confused. Help. I need to have a bunch of systems using OpenVPN to gain an IP in the virtual subnet 10.100.1.0/24, on interface tun0. I will then route whole subnets to those IPs, like 10.100.2.0/24 via 10.100.1.12, etc. I want to have a policy for: - all hosts behind tun0 - all hosts in 10.100.1.0/24 - individual subnets being routed through IPs in
2005 Feb 03
8
SMB Problem
I'm having a problem where transferring files across our IPsec gateway to another host on a remote network is failing. I see no packets being rejected in the logs. Attached is a packet trace, showing the problem. In this case, 10.100.0.0/24 is the local network and 10.100.14.0/24 is the remote network. The trace was taken on the local gateway. In the trace, there is a set of TCP
2012 Jan 16
4
conntrack entries established before nat
Typically (or at least somewhat occasionally) after a reboot of my shorewall[-lite] machine I find that I end up with conntrack table entries for unNATted connections such as: # conntrack -L -p udp --dport 5060 -d 99.232.11.14 udp 17 59 src=10.75.22.8 dst=99.232.11.14 sport=5060 dport=5060 packets=5472 bytes=3031488 [UNREPLIED] src=99.232.11.14 dst=10.75.22.8 sport=5060 dport=5060 packets=0
2006 Aug 04
4
policy ordering when mixing interface zones and host defined zones
Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0. This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk with 6 VLANs and zones on it. I would like to allow one subnet living out beyond the DMZ to have access to all zones on this firewall. It seemed that creating a zone would allow for this to be done cleanly via a line in the policy file. I defined this special subnet as the
2017 Jan 13
2
Firewall rules for TINC server
Hi to all. I've setup a Tinc VPN for a bunch of nodes divided in two groups: Group 1: IP Range 10.100.0.2 to 10.100.127.255 Group 2: IP Range 10.100.128.1 to 10.100.255.255 Server IP: 10.100.0.1 Every client connects only to the server. In the server I have the following tinc.conf: Name = server AddressFamily = ipv4 Interface = tun0 TunnelServer = yes Forwarding = kernel ListenAddress =
2007 Jul 06
8
interop with strongswan / ipsec
I see support in shorewall for the KAME-tools, how about strongswan ? I have setup shorewall 3.4.4 and strongswan 4.1.3, making this my vpn-gateway for the subnet behind it. # Shorewall version 3.4 - Zones File #ZONE TYPE OPTIONS IN OUT # OPTIONS OPTIONS fw firewall fil ipsec mode=tunnel mss=1400 net ipv4
2017 Feb 14
2
LocalDiscovery flip flopping and network design tips
Hang on a second. I've just re-read your original message and I believe you are confused about what the "Subnet" option does. Again, it deals with addresses *inside* the VPN. In the configuration you posted you seem to be using 10.240.0.4 and 10.240.0.5 as internal addresses, but then your other statements (and especially your dump edges output) seem to indicate that 10.240.0.4 and
2006 Mar 02
7
Problem with duplicate route entry
Hello! I have a problem with a duplicate route entry, when using a pre-installed route and automatic take-over by the "heartbeat" daemon, which adds an address and the kernel adds a route automatically. Maybe anyone has an explanation... > ip addr 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue inet 127.0.0.1/8 scope host lo
2007 Dec 06
3
HTB performance improvement
HTB performance improvement Hi all ! i'm looking at the performance of the HTB algorithm/implementation because i would like more packets/sec !! this is the scenario of the performance test: i'm using an embedded system with: SPEED CPU: 399,999 MHz RAM: 128 MByte FLASH: 16 MByte EEPROM: 8Kbyte PROCESSOR MPC8272 a lan to lan 10/100 and in particular we are sending
2010 May 23
4
xen4.0 debian vlan config
Hello, can anybody help me how to configure vlans? There are vlans: vlan2 vlan3 vlan30 Server has one nic - eth0. vlan2 should be dom0 eth0(peth0) for management. Each of vlan3 and vlan30 should have its own bridge. How to make it? Br Peter
2005 Jan 01
2
htb bridge problem, please check my config
hello. i have following setup: a machine (winChip 200mhz cpu, 32mb ram, linux 2.4.28) acting like a bridge with 2 interfaces (eth0 - to our ISP, eth1 - to our network) machine does not have any IP there is a 802.1q vlan eth0.2 eth0.2 and eth1 are bridged in br0 i have one 4mbit link which i share with my friend, i have 3mbit and he has 1mbit all our IP addresses are public and we have the
2017 May 11
2
LocalDiscovery flip flopping and network design tips
@Etienne, I understood your explanation about the Subnet being the network *inside* the VPN, but following the example https://www.tinc-vpn.org/examples/proxy-arp/, it seems to have: Subnet = 192.168.1.0/24 for the office, yet the IP address for the office is 192.168.1.2. Is that example no longer valid or am I misunderstanding? On Tue, Feb 14, 2017 at 4:01 PM, James Hartig <james at
2005 Jun 29
5
Dual-ISP Masq
I know this is a FAQ and that it's been discussed much before, I'm just looking for a few key things. I need to setup our gateway so that traffic FROM a range of IPs is sent out, masqueraded, via a new cable connection. I'm running 2.6.9. Am I going to require any of the CONNMARK patches or other patches from http://www.ssi.bg/~ja/#routes? I'm really not sure
2007 Jul 04
8
VLAN configuration
Hi to the ML. I'm new to VLAN configuration, and combining it to XEN is a bit difficult. I want to use VLAN because it's possible to "arping" from a domU to an other, and VLAN looks like the only solution to prevent that. Maybe I'm wrong; if someone got a solution, I may be interested. I've also tried ebtables, but nothing to prevent arp
2004 Dec 08
9
Kernel/iptables question
As suggested here: http://lists.shorewall.net/pipermail/shorewall-users/2004-October/015097.html I've run: adam@shrike:~$ /sbin/iptables -m policy --help iptables v1.2.11 Usage: iptables -[AD] chain rule-specification [options] iptables -[RI] chain rulenum rule-specification [options] iptables -D chain rulenum [options] --snip-- And: adam@shrike:~$ sudo
2007 Jun 21
5
GRE tunnel
I am trying to setup GRE between two CentOS 4.5 boxes. I have tried several variations of what's listed below, but none of them work. box1: modprobe ip_gre ip link set gre0 up ip tunnel add gretun mode gre local 66.1.1.161 remote 66.1.2.161 ttl 20 dev eth0 ip addr add dev gretun 10.253.253.1 peer 10.253.253.2/24 ip link set dev gretun up ip route add 10.2.0.0/16 via 10.253.253.2 box2:
2005 Feb 05
13
Problem while trying to set up an ipsec vpn
Hi, I'm asking my question here, because I could not find any answer to my problem, but I'm afraid shorewall is not the one to blame. First of all I'm using shorewall version 2.0.15 on two linux boxes. I set up an ipsec tunnel between those 2 boxes to be able to connect 2 non-routable subnetworks. Here is my network topology: 10.66.17.0/24 - 10.66.17.1 = eth0
2003 Dec 12
3
SIPURA Breaches Contract
Hi list, Well I really didn't want to see things get to this point, but Sherman at Sipura along with their President Jan F. leave me no other choice. SIPURA has been provided a letter from our attorney for Breach of Contract and damages. They have yet to respond. A quick background. 1. Sherman (SIPURA's Director of Marketing), stated that we would do a join press release for the Oct
2004 Nov 17
20
Some DNAT's work, some don't
We've just upgraded to a new firewall machine, and a new version of Shorewall. We're now on 2.04; previous version was 1.3.9b (!). So I'm pretty sure whatever problems we're having are related to the big version jump. We're using config files that exactly match our old (working) configuration (IOW, these are things which _were_ working on the old