From: [EMAIL PROTECTED] [mailto:shorewall-users-


[cut]
>Regrettably, with Shorewall 3.2.6, the dump doesn't show the SPD (Security
>Policy Database).
>So I would like to see the output of "setkey -DP" also.

>Here is your log entry:

>Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250 LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161 LEN=86

>Note that the above packet does not match rule 2. This means that the
>policy match does not consider it to be an unencapsulated IPSEC packet!
>I've not seen an IPSEC HUB configuration before so I don't know if this is
>normal or not. But the packet *is* matching rule 3 which means that
>policy match knows that this packet is going to be encapsulated on the
>way out. So the packet is being treated as a wan->vpn packet; that is
>why it is being dropped.

Tom,

Thanks for the above explanation - it's impressive. Regarding the version of
Shorewall, I will follow Roberto's suggestion to upgrade to the new Shorewall
packages. Anyway, please also find below the result of setkey:

fw-wro:~# setkey -DP
192.168.6.0/24[any] 10.1.0.0/24[any] any
        in ipsec
        esp/tunnel/195.205.11.34-195.205.101.2/unique#16453
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2552 seq=1 pid=24325
        refcnt=1
10.1.0.0/24[any] 192.168.5.0/24[any] any
        in ipsec
        esp/tunnel/195.205.142.34-195.205.101.2/unique#16455
        created: Jan 13 14:10:16 2008  lastused: Jan 22 15:26:45 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2576 seq=2 pid=24325
        refcnt=1
192.168.10.0/24[any] 192.168.5.0/24[any] any
        in ipsec
        esp/tunnel/84.40.238.125-195.205.101.2/unique#16457
        created: Jan 13 14:10:16 2008  lastused: Jan 13 16:09:39 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2600 seq=3 pid=24325
        refcnt=1
10.1.0.0/24[any] 192.168.6.0/24[any] any
        in ipsec
        esp/tunnel/195.205.142.34-195.205.101.2/unique#16459
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2624 seq=4 pid=24325
        refcnt=1
192.168.6.0/24[any] 192.168.5.0/24[any] any
        in ipsec
        esp/tunnel/195.205.11.34-195.205.101.2/unique#16461
        created: Jan 13 14:10:16 2008  lastused: Jan 22 15:28:31 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2648 seq=5 pid=24325
        refcnt=1
10.1.0.0/24[any] 192.168.6.0/24[any] any
        out ipsec
        esp/tunnel/195.205.101.2-195.205.11.34/unique#16452
        created: Jan 13 14:10:16 2008  lastused: Jan 21 16:59:01 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2545 seq=6 pid=24325
        refcnt=1
192.168.5.0/24[any] 10.1.0.0/24[any] any
        out ipsec
        esp/tunnel/195.205.101.2-195.205.142.34/unique#16454
        created: Jan 13 14:10:16 2008  lastused: Jan 22 15:25:51 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2569 seq=7 pid=24325
        refcnt=1
192.168.5.0/24[any] 192.168.10.0/24[any] any
        out ipsec
        esp/tunnel/195.205.101.2-84.40.238.125/unique#16456
        created: Jan 13 14:10:16 2008  lastused: Jan 22 23:48:17 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2593 seq=8 pid=24325
        refcnt=3
192.168.6.0/24[any] 10.1.0.0/24[any] any
        out ipsec
        esp/tunnel/195.205.101.2-195.205.142.34/unique#16458
        created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2617 seq=9 pid=24325
        refcnt=1
192.168.5.0/24[any] 192.168.6.0/24[any] any
        out ipsec
        esp/tunnel/195.205.101.2-195.205.11.34/unique#16460
        created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2641 seq=10 pid=24325
        refcnt=1
192.168.6.0/24[any] 10.1.0.0/24[any] any
        fwd ipsec
        esp/tunnel/195.205.11.34-195.205.101.2/require
        created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2562 seq=11 pid=24325
        refcnt=1
10.1.0.0/24[any] 192.168.5.0/24[any] any
        fwd ipsec
        esp/tunnel/195.205.142.34-195.205.101.2/require
        created: Jan 13 14:10:16 2008  lastused: Jan 21 11:19:03 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2586 seq=12 pid=24325
        refcnt=1
192.168.10.0/24[any] 192.168.5.0/24[any] any
        fwd ipsec
        esp/tunnel/84.40.238.125-195.205.101.2/require
        created: Jan 13 14:10:16 2008  lastused: Jan 22 23:48:17 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2610 seq=13 pid=24325
        refcnt=3
10.1.0.0/24[any] 192.168.6.0/24[any] any
        fwd ipsec
        esp/tunnel/195.205.142.34-195.205.101.2/require
        created: Jan 13 14:10:16 2008  lastused: Jan 21 16:59:01 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2634 seq=14 pid=24325
        refcnt=1
192.168.6.0/24[any] 192.168.5.0/24[any] any
        fwd ipsec
        esp/tunnel/195.205.11.34-195.205.101.2/require
        created: Jan 13 14:10:16 2008  lastused: Jan 22 20:37:10 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2658 seq=15 pid=24325
        refcnt=1
(per-socket policy)
        in none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2747 seq=16 pid=24325
        refcnt=1
(per-socket policy)
        in none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2731 seq=17 pid=24325
        refcnt=1
(per-socket policy)
        in none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2715 seq=18 pid=24325
        refcnt=1
(per-socket policy)
        in none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2699 seq=19 pid=24325
        refcnt=1
(per-socket policy)
        in none
        created: Jan 13 14:10:16 2008  lastused: Jan 22 23:25:39 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2683 seq=20 pid=24325
        refcnt=1
(per-socket policy)
        in none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2667 seq=21 pid=24325
        refcnt=1
(per-socket policy)
        out none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2756 seq=22 pid=24325
        refcnt=1
(per-socket policy)
        out none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2740 seq=23 pid=24325
        refcnt=1
(per-socket policy)
        out none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2724 seq=24 pid=24325
        refcnt=1
(per-socket policy)
        out none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2708 seq=25 pid=24325
        refcnt=1
(per-socket policy)
        out none
        created: Jan 13 14:10:16 2008  lastused: Jan 22 23:24:30 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2692 seq=26 pid=24325
        refcnt=1
(per-socket policy)
        out none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2676 seq=0 pid=24325
        refcnt=1

Rgds,
Lukasz

-- 
Lukasz Spaleniak
GCM dpu s: a--- C++ UL++++ P+ L+++ E--- W+ N+ K- w O- M V-
PGP t--- 5 X+ R- tv-- b DI- D- G e-- h! r y+
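Tom's diagnosis above turns on which SPD direction the kernel checks a forwarded packet against. The script below is an added example, not code from this thread or from Shorewall: it parses the `setkey -DP` format shown above (a constructed subset of Lukasz's entries is embedded inline, including one per-socket policy so the parser copes with selector-less entries), maps the quoted log line to the policies its 5-tuple can hit, and lists policies whose lastused field is empty. It assumes that a netfilter log line with both IN= and OUT= set is a forwarded packet, and that on Linux a forwarded packet is checked against the fwd policy on the way in and the out policy on the way out, while the in policy applies only to packets delivered to the firewall itself.

```python
import ipaddress
import re

# Constructed sample: three selector policies copied from the dump above
# (spid 2552 in, 2617 out, 2562 fwd) plus one per-socket entry.
SPD_DUMP = """\
192.168.6.0/24[any] 10.1.0.0/24[any] any
        in ipsec
        esp/tunnel/195.205.11.34-195.205.101.2/unique#16453
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2552 seq=1 pid=24325
        refcnt=1
192.168.6.0/24[any] 10.1.0.0/24[any] any
        out ipsec
        esp/tunnel/195.205.101.2-195.205.142.34/unique#16458
        created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2617 seq=9 pid=24325
        refcnt=1
192.168.6.0/24[any] 10.1.0.0/24[any] any
        fwd ipsec
        esp/tunnel/195.205.11.34-195.205.101.2/require
        created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
        lifetime: 0(s) validtime: 0(s)
        spid=2562 seq=11 pid=24325
        refcnt=1
(per-socket policy)
        in none
        created: Jan 13 14:10:16 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=2747 seq=16 pid=24325
        refcnt=1
"""
# The dropped packet from the log entry quoted above, re-joined onto one line.
LOG_LINE = ("Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250 "
            "LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161 LEN=86")

HEADER = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")   # src[port] dst[port] proto
POLICY = re.compile(r"^\s+(in|out|fwd) (ipsec|none|discard)$")
TUNNEL = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/(\S+)-(\S+)/(\S+)$")
LASTUSED = re.compile(r"lastused:\s*(.*)$")
SPID = re.compile(r"spid=(\d+)")
LOGFIELD = re.compile(r"(\w+)=(\S*)")


def parse_spd(text):
    """One dict per policy that has an address selector; per-socket
    policies have no selector and are skipped."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"src": ipaddress.ip_network(m[1]), "sport": m[2],
                   "dst": ipaddress.ip_network(m[3]), "dport": m[4], "proto": m[5],
                   "dir": None, "action": None, "tunnel": None, "spid": None, "lastused": None}
            entries.append(cur)
        elif line.startswith("(per-socket policy)"):
            cur = None
        elif cur is None:
            continue
        elif m := POLICY.match(line):
            cur["dir"], cur["action"] = m[1], m[2]
        elif m := TUNNEL.match(line):
            cur["tunnel"] = (m[3], m[4], m[5])        # (src endpoint, dst endpoint, level)
        elif m := LASTUSED.search(line):
            cur["lastused"] = m[1].strip() or None    # None = kernel never applied it
        elif m := SPID.search(line):
            cur["spid"] = int(m[1])
    return entries


def lookup(entries, direction, src, dst, proto="any", sport="any", dport="any"):
    """SPD entries whose selector covers the packet in the given direction."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [e for e in entries
            if e["dir"] == direction and s in e["src"] and d in e["dst"]
            and e["proto"] in ("any", proto)
            and e["sport"] in ("any", str(sport)) and e["dport"] in ("any", str(dport))]


def policies_for_log(entries, logline):
    """Map a netfilter log line to the spids it can hit, per SPD direction.
    Assumption: IN= and OUT= both set means a forwarded packet, which is
    checked against 'fwd' on input and 'out' on output; 'in' applies only
    to packets delivered to the firewall itself."""
    f = dict(LOGFIELD.findall(logline))
    if f.get("IN") and f.get("OUT"):
        dirs = ("fwd", "out")
    else:
        dirs = ("in",) if f.get("IN") else ("out",)
    proto = f.get("PROTO", "any").lower()
    return {d: [e["spid"] for e in lookup(entries, d, f["SRC"], f["DST"], proto,
                                          f.get("SPT", "any"), f.get("DPT", "any"))]
            for d in dirs}


def never_used(entries):
    """spids of selector policies with an empty lastused field."""
    return [e["spid"] for e in entries if e["lastused"] is None]


if __name__ == "__main__":
    spd = parse_spd(SPD_DUMP)
    print(policies_for_log(spd, LOG_LINE))
    print("never used:", never_used(spd))
```

Run against the full dump, the same functions report that the dropped 192.168.6.91 -> 10.1.0.250 packet is covered by spid 2562 (fwd) and 2617 (out), while the matching "in" policy (spid 2552) has never been applied by the kernel; that is consistent with Tom's reading that the packet is seen as one that will be encapsulated on the way out rather than as one that arrived decapsulated.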

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users