Displaying 20 results from an estimated 2000 matches similar to: "Multi-Hop VPN Issue looking for Solutions"
2004 Dec 30
19
OpenVPN tun Interface
I have a zone "rw" defined as tun0 in interfaces.
From that zone, pings to zone "loc" succeed but pings to remote
networks (On IPsec VPNs) are rejected in the all2all chain. From my
point of view, these pings should be in the rw2cctc chain. (rw to cctc
is ACCEPTed in policy.)
I must have a hole in my config, where would it be?
Thanks,
A.
2005 Feb 07
9
Zoning Out
I'm getting my zones confused. Help.
I need to have a bunch of systems using OpenVPN to gain an IP in the
virtual subnet 10.100.1.0/24, on interface tun0.
I will then route whole subnets to those IPs, like 10.100.2.0/24 via
10.100.1.12, etc.
I want to have a policy for:
- all hosts behind tun0
- all hosts in 10.100.1.0/24
- individual subnets being routed through IPs in
2005 Feb 03
8
SMB Problem
I'm having a problem where transferring files across our IPsec gateway
to another host on a remote network is failing. I see no packets being
rejected in the logs.
Attached is a packet trace, showing the problem. In this case,
10.100.0.0/24 is the local network and 10.100.14.0/24 is the remote
network. The trace was taken on the local gateway.
In the trace, there is a set of TCP
2012 Jan 16
4
conntrack entries established before nat
Typically (or at least somewhat occasionally) after a reboot of my
shorewall[-lite] machine I find that I end up with conntrack table
entries for unNATted connections such as:
# conntrack -L -p udp --dport 5060 -d 99.232.11.14
udp 17 59 src=10.75.22.8 dst=99.232.11.14 sport=5060 dport=5060 packets=5472 bytes=3031488 [UNREPLIED] src=99.232.11.14 dst=10.75.22.8 sport=5060 dport=5060 packets=0
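The entry quoted above is the signature of a flow that conntrack picked up before the NAT rules were loaded: the original direction goes from a private host to a public address, but the reply tuple still points back at the private address, so no SNAT/MASQUERADE was ever applied and the remote side can never answer. The following is an added example (not code from the post or from Shorewall) that parses `conntrack -L` output, flags such entries, and builds the `conntrack -D` command that removes them so the next packet is re-tracked with the translation applied. The sample lines are constructed: the first is the post's entry completed with plausible trailing fields, the second a made-up, correctly masqueraded flow with 24.100.5.7 standing in for the firewall's public address.

```python
import ipaddress
import re

# Constructed sample of `conntrack -L` output (see lead-in). The first line is
# the post's entry with plausible trailing fields added; the second is a
# made-up flow that did get masqueraded (reply dst = public firewall address).
SAMPLE = """\
udp      17 59 src=10.75.22.8 dst=99.232.11.14 sport=5060 dport=5060 packets=5472 bytes=3031488 [UNREPLIED] src=99.232.11.14 dst=10.75.22.8 sport=5060 dport=5060 packets=0 bytes=0 mark=0 use=1
udp      17 29 src=10.75.22.8 dst=99.232.11.14 sport=5060 dport=5060 packets=12 bytes=6000 src=99.232.11.14 dst=24.100.5.7 sport=5060 dport=5060 packets=10 bytes=5000 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack_line(line):
    """Split one `conntrack -L` line into protocol, original tuple, reply tuple
    and bracketed flags. Each `src=` starts a new tuple, so the first group of
    key=value pairs is the original direction and the second is the reply."""
    fields = line.split()
    flags = {f.strip("[]") for f in fields if f.startswith("[")}
    tuples = []
    current = {}
    for key, value in KV.findall(line):
        if key == "src" and current:
            tuples.append(current)
            current = {}
        current[key] = value
    tuples.append(current)
    if len(tuples) != 2:
        raise ValueError(f"expected original and reply tuples: {line!r}")
    return {"proto": fields[0], "orig": tuples[0], "reply": tuples[1], "flags": flags}


def escaped_nat(entry):
    """True when the original destination is a public address but the reply
    tuple's destination (where the peer will send its replies) is still a
    private one: conntrack created the entry before the SNAT/MASQUERADE rule
    existed, and NAT is only decided on a connection's first packet."""
    orig_dst = ipaddress.ip_address(entry["orig"]["dst"])
    reply_dst = ipaddress.ip_address(entry["reply"]["dst"])
    return orig_dst.is_global and reply_dst.is_private


def find_unnatted(conntrack_output):
    """Parse every non-empty line and return the entries that escaped NAT."""
    entries = (parse_conntrack_line(l) for l in conntrack_output.splitlines() if l.strip())
    return [entry for entry in entries if escaped_nat(entry)]


def delete_command(entry):
    """`conntrack -D` invocation that removes one flagged entry by its original
    tuple, so the next packet is re-tracked and passes through the nat table."""
    o = entry["orig"]
    return (f"conntrack -D -p {entry['proto']} -s {o['src']} -d {o['dst']} "
            f"--sport {o['sport']} --dport {o['dport']}")


if __name__ == "__main__":
    for entry in find_unnatted(SAMPLE):
        print(delete_command(entry))
```

Run it against the real `conntrack -L` output once the NAT rules are in place; only the first sample line is flagged, because its reply tuple still carries the untranslated 10.75.22.8. The `is_private` test uses Python's RFC 1918/special-use list, so adjust it if your "inside" addresses are public.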
2006 Aug 04
4
policy ordering when mixing interface zones and host defined zones
Running shorewall 3.0.6, Linux 2.6.16, iptables 1.3.0.
This firewall has eth1 facing the DMZ and eth0 is a 802.1q trunk
with 6 VLANs and zones on it. I would like to allow one subnet
living out beyond the DMZ to have access to all zones on this firewall.
It seemed that creating a zone would allow for this to be done cleanly via
a line in the policy file. I defined this special subnet as the
2017 Jan 13
2
Firewall rules for TINC server
Hi to all.
I've setup a Tinc VPN for a bunch of nodes divided in two groups:
Group 1:
IP Range 10.100.0.2 to 10.100.127.255
Group 2:
IP Range 10.100.128.1 to 10.100.255.255
Server IP: 10.100.0.1
Every client connects only to the server.
In the server I have the following tinc.conf:
Name = server
AddressFamily = ipv4
Interface = tun0
TunnelServer = yes
Forwarding = kernel
ListenAddress =
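The two ranges above are not CIDR-aligned (group 1 starts at .0.2, group 2 at .128.1), which matters as soon as you try to express them as `-s`/`-d` arguments. The following is an added example, not code from the post or from tinc, showing how many CIDR blocks each range decomposes into and why the `iprange` match is the practical way to write FORWARD rules for them on the server's tun0 (with `Forwarding = kernel` and `TunnelServer = yes`, inter-client traffic is routed by the server's kernel, so it passes the FORWARD chain with the tinc interface on both sides). The policy generated (drop traffic between the two groups, everything else left to the default policy) is an assumption made for illustration, since the post is cut off before it states what the rules should do.

```python
import ipaddress

# Address ranges as stated in the post; the inter-group DROP policy below is
# assumed for illustration only.
GROUPS = {
    "group1": ("10.100.0.2", "10.100.127.255"),
    "group2": ("10.100.128.1", "10.100.255.255"),
}
SERVER = "10.100.0.1"
VPN_IF = "tun0"  # the Interface from the posted tinc.conf


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering an inclusive address range."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]


def forward_rules(groups, iface, use_iprange=True):
    """Build iptables FORWARD rules dropping traffic from each group to every
    other group. With use_iprange=True one rule per ordered group pair is
    emitted using the iprange match; otherwise each pair is expanded into the
    cross product of its CIDR blocks, which is how the rule count explodes."""
    rules = []
    names = list(groups)
    for src in names:
        for dst in names:
            if src == dst:
                continue
            s0, s1 = groups[src]
            d0, d1 = groups[dst]
            if use_iprange:
                rules.append(
                    f"iptables -A FORWARD -i {iface} -o {iface} -m iprange "
                    f"--src-range {s0}-{s1} --dst-range {d0}-{d1} -j DROP")
            else:
                for scidr in range_to_cidrs(s0, s1):
                    for dcidr in range_to_cidrs(d0, d1):
                        rules.append(
                            f"iptables -A FORWARD -i {iface} -o {iface} "
                            f"-s {scidr} -d {dcidr} -j DROP")
    return rules


def covers(first, last, address):
    """True if `address` lies inside the inclusive range; used to confirm the
    server address is outside both groups, so the rules never block it."""
    a = ipaddress.ip_address(address)
    return ipaddress.ip_address(first) <= a <= ipaddress.ip_address(last)


if __name__ == "__main__":
    for name, (lo, hi) in GROUPS.items():
        print(f"{name}: {len(range_to_cidrs(lo, hi))} CIDR blocks")
    for rule in forward_rules(GROUPS, VPN_IF):
        print(rule)
```

Group 1 needs 14 blocks and group 2 needs 15, so the expanded form is 420 rules where the `iprange` form is two. If the ranges can be redefined as 10.100.0.0/17 and 10.100.128.0/17 (with the server's 10.100.0.1 excluded by an earlier ACCEPT rule), plain `-s`/`-d` rules work just as well.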
2007 Jul 06
8
interop with strongswan / ipsec
I see support in shorewall for the KAME-tools, how about strongswan?
I have setup shorewall 3.4.4 and strongswan 4.1.3, making this my
vpn-gateway for the subnet behind it.
# Shorewall version 3.4 - Zones File
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
fil ipsec mode=tunnel mss=1400
net ipv4
2017 Feb 14
2
LocalDiscovery flip flopping and network design tips
Hang on a second. I've just re-read your original message and I
believe you are confused about what the "Subnet" option does. Again,
it deals with addresses *inside* the VPN. In the configuration you
posted you seem to be using 10.240.0.4 and 10.240.0.5 as internal
addresses, but then your other statements (and especially your dump
edges output) seem to indicate that 10.240.0.4 and
2006 Mar 02
7
Problem with duplicate route entry
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello!
I have a problem with a duplicate route entry, when using a pre-installed route
and automatic take-over by the "heartbeat" daemon, which adds an address and
the kernel adds an route automatically.
Maybe anyone has an explanation...
> ip addr
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
inet 127.0.0.1/8 scope host lo
2007 Dec 06
3
HTB performance improvement
Hi all !
I'm looking at the performance of the HTB algorithm/implementation because I would like more packets/sec!
this is the scenario of the performance test:
I'm using an embedded system with:
SPEED CPU: 399,999 MHz
RAM: 128 MByte
FLASH: 16 MByte
EEPROM: 8Kbyte
PROCESSOR MPC8272
a lan to lan 10/100 and in particular we are sending
2010 May 23
4
xen4.0 debian vlan config
Hello,
can anybody help me how to configure vlans?
There are vlans:
vlan2
vlan3
vlan30
Server has one nic - eth0.
vlan2 should be dom0 eth0(peth0) for management
Each of vlan3 and vlan30 should have its own bridge.
How to make it?
Br
Peter
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
2005 Jan 01
2
htb bridge problem, please check my config
hello. i have following setup:
a machine (winChip 200mhz cpu, 32mb ram, linux 2.4.28) acting like a bridge
with
2 interfaces (eth0 - to our ISP, eth1 - to our network)
machine does not have any IP
there is a 802.1q vlan eth0.2
eth0.2 and eth1 are bridged in br0
i have one 4mbit link which i share with my friend, i have 3mbit and he has
1mbit
all our IP addresses are public and we have the
2017 May 11
2
LocalDiscovery flip flopping and network design tips
@Etienne, I understood your explanation about the Subnet being the network
*inside* the VPN, but following the example
https://www.tinc-vpn.org/examples/proxy-arp/, it seems to have:
Subnet = 192.168.1.0/24
for the office, yet the IP address for the office is 192.168.1.2.
Is that example no longer valid or am I misunderstanding?
On Tue, Feb 14, 2017 at 4:01 PM, James Hartig <james at
2005 Jun 29
5
Dual-ISP Masq
I know this is a FAQ and that it's been discussed much before, I'm just
looking for a few key things.
I need to setup our gateway so that traffic FROM a range of IPs is sent
out, masqueraded, via a new cable connection.
I'm running 2.6.9.
Am I going to require any of the CONNMARK patches or other patches from
http://www.ssi.bg/~ja/#routes? I''m really not sure
2007 Jul 04
8
VLAN configuration
Hi to the ML.
I'm new to VLAN configuration, and combining it with XEN is a bit difficult.
I want to use VLAN because it's possible to "arping" from a domU to an
other, and VLAN looks like the only solution to prevent that.
Maybe I'm wrong; if someone has a solution, I'd be interested. I've
also tried ebtables, but nothing to prevent arp
2004 Dec 08
9
Kernel/iptables question
As suggested here:
http://lists.shorewall.net/pipermail/shorewall-users/2004-October/015097.html
I've run:
adam@shrike:~$ /sbin/iptables -m policy --help
iptables v1.2.11
Usage: iptables -[AD] chain rule-specification [options]
iptables -[RI] chain rulenum rule-specification [options]
iptables -D chain rulenum [options]
--snip--
And:
adam@shrike:~$ sudo
2007 Jun 21
5
GRE tunnel
I am trying to setup GRE between two CentOS 4.5 boxes. I have tried
several variations of what's listed below, but none of them work.
box1:
modprobe ip_gre
ip link set gre0 up
ip tunnel add gretun mode gre local 66.1.1.161 remote 66.1.2.161 ttl 20 dev eth0
ip addr add dev gretun 10.253.253.1 peer 10.253.253.2/24
ip link set dev gretun up
ip route add 10.2.0.0/16 via 10.253.253.2
box2:
2005 Feb 05
13
Problem while trying to set up an ipsec vpn
Hi,
I'm asking my question here, because I could not find any answer to my
problem, but I'm afraid shorewall is not the one to blame.
First of all, I'm using shorewall version 2.0.15 on two linux boxes.
I set up an ipsec tunnel between those 2 boxes to be able to connect
2 non-routable subnetworks.
Here is my network topology:
10.66.17.0/24 - 10.66.17.1 = eth0
2003 Dec 12
3
SIPURA Breaches Contract
Hi list,
Well I really didn't want to see things get to this point,
but Sherman at Sipura along with their President Jan F.
leave me no other choice.
SIPURA has been provided a letter from our attorney for
Breach of Contract and damages. They have yet to respond.
A quick background.
1. Sherman (SIPURA's Director of Marketing), stated that
we would do a joint press release for the Oct
2004 Nov 17
20
Some DNAT's work, some don't
We've just upgraded to a new firewall machine, and a new version of
Shorewall. We're now on 2.04; previous version was 1.3.9b (!). So I'm
pretty sure whatever problems we're having are related to the big
version jump.
We're using config files that exactly match our old (working)
configuration (IOW, these are things which _were_ working on the old