From: [EMAIL PROTECTED] [mailto:shorewall-users-
[cut]
>Regrettably, with Shorewall 3.2.6, the dump doesn't show the SPD (Security
>Policy Database).
>
>So I would like to see the output of "setkey -DP" also.
>
>Here is your log entry:
>
>Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250
>LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161
>LEN=86
>
>Note that the above packet does not match rule 2. This means that the
>policy match does not consider it to be an unencapsulated IPSEC packet!
>I've not seen an IPSEC HUB configuration before so I don't know if this is
>normal or not. But the packet *is* matching rule 3 which means that
>policy match knows that this packet is going to be encapsulated on the
>way out. So the packet is being treated as a wan->vpn packet; that is
>why it is being dropped.

Tom,

Thanks for the above explanation - it's impressive.

Regarding the version of Shorewall, I will follow Roberto's suggestion to upgrade to the new Shorewall packages. Anyway, please also find below the result of setkey:

fw-wro:~# setkey -DP
192.168.6.0/24[any] 10.1.0.0/24[any] any
    in ipsec
    esp/tunnel/195.205.11.34-195.205.101.2/unique#16453
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2552 seq=1 pid=24325 refcnt=1
10.1.0.0/24[any] 192.168.5.0/24[any] any
    in ipsec
    esp/tunnel/195.205.142.34-195.205.101.2/unique#16455
    created: Jan 13 14:10:16 2008  lastused: Jan 22 15:26:45 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2576 seq=2 pid=24325 refcnt=1
192.168.10.0/24[any] 192.168.5.0/24[any] any
    in ipsec
    esp/tunnel/84.40.238.125-195.205.101.2/unique#16457
    created: Jan 13 14:10:16 2008  lastused: Jan 13 16:09:39 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2600 seq=3 pid=24325 refcnt=1
10.1.0.0/24[any] 192.168.6.0/24[any] any
    in ipsec
    esp/tunnel/195.205.142.34-195.205.101.2/unique#16459
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2624 seq=4 pid=24325 refcnt=1
192.168.6.0/24[any] 192.168.5.0/24[any] any
    in ipsec
    esp/tunnel/195.205.11.34-195.205.101.2/unique#16461
    created: Jan 13 14:10:16 2008  lastused: Jan 22 15:28:31 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2648 seq=5 pid=24325 refcnt=1
10.1.0.0/24[any] 192.168.6.0/24[any] any
    out ipsec
    esp/tunnel/195.205.101.2-195.205.11.34/unique#16452
    created: Jan 13 14:10:16 2008  lastused: Jan 21 16:59:01 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2545 seq=6 pid=24325 refcnt=1
192.168.5.0/24[any] 10.1.0.0/24[any] any
    out ipsec
    esp/tunnel/195.205.101.2-195.205.142.34/unique#16454
    created: Jan 13 14:10:16 2008  lastused: Jan 22 15:25:51 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2569 seq=7 pid=24325 refcnt=1
192.168.5.0/24[any] 192.168.10.0/24[any] any
    out ipsec
    esp/tunnel/195.205.101.2-84.40.238.125/unique#16456
    created: Jan 13 14:10:16 2008  lastused: Jan 22 23:48:17 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2593 seq=8 pid=24325 refcnt=3
192.168.6.0/24[any] 10.1.0.0/24[any] any
    out ipsec
    esp/tunnel/195.205.101.2-195.205.142.34/unique#16458
    created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2617 seq=9 pid=24325 refcnt=1
192.168.5.0/24[any] 192.168.6.0/24[any] any
    out ipsec
    esp/tunnel/195.205.101.2-195.205.11.34/unique#16460
    created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2641 seq=10 pid=24325 refcnt=1
192.168.6.0/24[any] 10.1.0.0/24[any] any
    fwd ipsec
    esp/tunnel/195.205.11.34-195.205.101.2/require
    created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2562 seq=11 pid=24325 refcnt=1
10.1.0.0/24[any] 192.168.5.0/24[any] any
    fwd ipsec
    esp/tunnel/195.205.142.34-195.205.101.2/require
    created: Jan 13 14:10:16 2008  lastused: Jan 21 11:19:03 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2586 seq=12 pid=24325 refcnt=1
192.168.10.0/24[any] 192.168.5.0/24[any] any
    fwd ipsec
    esp/tunnel/84.40.238.125-195.205.101.2/require
    created: Jan 13 14:10:16 2008  lastused: Jan 22 23:48:17 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2610 seq=13 pid=24325 refcnt=3
10.1.0.0/24[any] 192.168.6.0/24[any] any
    fwd ipsec
    esp/tunnel/195.205.142.34-195.205.101.2/require
    created: Jan 13 14:10:16 2008  lastused: Jan 21 16:59:01 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2634 seq=14 pid=24325 refcnt=1
192.168.6.0/24[any] 192.168.5.0/24[any] any
    fwd ipsec
    esp/tunnel/195.205.11.34-195.205.101.2/require
    created: Jan 13 14:10:16 2008  lastused: Jan 22 20:37:10 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2658 seq=15 pid=24325 refcnt=1
(per-socket policy)
    in none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2747 seq=16 pid=24325 refcnt=1
(per-socket policy)
    in none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2731 seq=17 pid=24325 refcnt=1
(per-socket policy)
    in none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2715 seq=18 pid=24325 refcnt=1
(per-socket policy)
    in none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2699 seq=19 pid=24325 refcnt=1
(per-socket policy)
    in none
    created: Jan 13 14:10:16 2008  lastused: Jan 22 23:25:39 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2683 seq=20 pid=24325 refcnt=1
(per-socket policy)
    in none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2667 seq=21 pid=24325 refcnt=1
(per-socket policy)
    out none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2756 seq=22 pid=24325 refcnt=1
(per-socket policy)
    out none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2740 seq=23 pid=24325 refcnt=1
(per-socket policy)
    out none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2724 seq=24 pid=24325 refcnt=1
(per-socket policy)
    out none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2708 seq=25 pid=24325 refcnt=1
(per-socket policy)
    out none
    created: Jan 13 14:10:16 2008  lastused: Jan 22 23:24:30 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2692 seq=26 pid=24325 refcnt=1
(per-socket policy)
    out none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2676 seq=0 pid=24325 refcnt=1

Rgds,
Lukasz

-- 
Lukasz Spaleniak
GCM dpu s: a--- C++ UL++++ P+ L+++ E--- W+ N+ K- w O- M V- PGP t--- 5 X+ R- tv-- b DI- D- G e-- h! r y+

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
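The question in the thread is which SPD entries the dropped packet falls under in each direction. The following is an added example, not code from the post, from Shorewall or from ipsec-tools: a small parser for the `setkey -DP` dump format shown above, applied to the logged packet. SPD_EXCERPT is copied from the dump posted above, trimmed to the entries between 192.168.6.0/24 and 10.1.0.0/24 plus one per-socket entry, and LOG_LINE is the Shorewall log entry quoted by Tom. The Policy class, the function names and the way the lookup reports every covering entry per direction are this example's own choices.

```python
"""Find the setkey -DP policies that cover a packet from a Shorewall log line.

Added example (not from the post, Shorewall or ipsec-tools). Parses the
policy dump format shown in the thread and reports, per direction, which
entries select the logged source/destination pair.
"""
import ipaddress
import re
from dataclasses import dataclass

# Excerpt of the SPD posted in the thread (entries between 192.168.6.0/24
# and 10.1.0.0/24, plus one per-socket entry that the parser must skip).
SPD_EXCERPT = """\
192.168.6.0/24[any] 10.1.0.0/24[any] any
    in ipsec
    esp/tunnel/195.205.11.34-195.205.101.2/unique#16453
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2552 seq=1 pid=24325 refcnt=1
10.1.0.0/24[any] 192.168.6.0/24[any] any
    out ipsec
    esp/tunnel/195.205.101.2-195.205.11.34/unique#16452
    created: Jan 13 14:10:16 2008  lastused: Jan 21 16:59:01 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2545 seq=6 pid=24325 refcnt=1
192.168.6.0/24[any] 10.1.0.0/24[any] any
    out ipsec
    esp/tunnel/195.205.101.2-195.205.142.34/unique#16458
    created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2617 seq=9 pid=24325 refcnt=1
192.168.6.0/24[any] 10.1.0.0/24[any] any
    fwd ipsec
    esp/tunnel/195.205.11.34-195.205.101.2/require
    created: Jan 13 14:10:16 2008  lastused: Jan 22 21:37:06 2008
    lifetime: 0(s) validtime: 0(s)
    spid=2562 seq=11 pid=24325 refcnt=1
(per-socket policy)
    in none
    created: Jan 13 14:10:16 2008  lastused:
    lifetime: 0(s) validtime: 0(s)
    spid=2747 seq=16 pid=24325 refcnt=1
"""

# The log entry quoted in the thread.
LOG_LINE = ("Shorewall:wan2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.6.91 DST=10.1.0.250 "
            "LEN=106 TOS=0x00 PREC=0x00 TTL=126 ID=46540 PROTO=UDP SPT=1026 DPT=161 LEN=86")


@dataclass(frozen=True)
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    direction: str   # "in", "out" or "fwd"
    action: str      # "ipsec", "none" or "discard"
    endpoints: str   # "local-remote" tunnel endpoints ("" unless action is ipsec)
    level: str       # "unique#<id>", "require", "use", ... ("" unless action is ipsec)
    spid: int


# One policy = selector line, "<dir> <action>", optional "proto/mode/ep/level"
# line, then bookkeeping lines ending in "spid=N". Per-socket entries have no
# selector line and therefore never match.
POLICY_RE = re.compile(
    r"(?P<src>[\d.]+/\d+)\[any\]\s+(?P<dst>[\d.]+/\d+)\[any\]\s+\S+\s+"
    r"(?P<dir>in|out|fwd)\s+(?P<action>ipsec|none|discard)"
    r"(?:\s+(?:esp|ah|ipcomp)/(?:tunnel|transport)/(?P<ep>[\d.]+-[\d.]+)/(?P<level>\S+))?"
    r".*?spid=(?P<spid>\d+)",
    re.S,
)


def parse_spd(text):
    """Return the list of Policy entries found in `setkey -DP` output."""
    return [
        Policy(ipaddress.ip_network(m["src"], strict=False),
               ipaddress.ip_network(m["dst"], strict=False),
               m["dir"], m["action"], m["ep"] or "", m["level"] or "", int(m["spid"]))
        for m in POLICY_RE.finditer(text)
    ]


def packet_from_log(line):
    """Extract (src, dst) addresses from a netfilter/Shorewall log line."""
    m = re.search(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)", line)
    if not m:
        raise ValueError("no SRC=/DST= fields in log line")
    return ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])


def covering_policies(policies, src, dst):
    """Map each direction to the policies whose selectors cover src -> dst.

    All covering entries are returned; the kernel's own lookup also orders
    candidates by policy priority, which this setkey output does not print.
    """
    hits = {"in": [], "out": [], "fwd": []}
    for p in policies:
        if src in p.src and dst in p.dst:
            hits[p.direction].append(p)
    return hits


if __name__ == "__main__":
    pols = parse_spd(SPD_EXCERPT)
    s, d = packet_from_log(LOG_LINE)
    for direction, found in covering_policies(pols, s, d).items():
        for p in found:
            print(f"{direction:3} {p.action} {p.endpoints} {p.level} spid={p.spid}")
```

Run against the excerpt, the packet 192.168.6.91 -> 10.1.0.250 is covered by the "in" entry for the 195.205.11.34 tunnel (unique#16453), the "out" entry for the 195.205.142.34 tunnel (unique#16458) and the "fwd" entry requiring the 195.205.11.34 tunnel; the reverse pair is covered only by the "out" entry spid=2545 in this excerpt. The same parser accepts the full dump above, since it only keys on the selector line and the "spid=" line of each entry.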