On Saturday 15 February 2003 11:08 am, [EMAIL PROTECTED] wrote:
> Charles,
>
> I am not sure how to get the net ipfilter list output to my windows
> machine for adding to email.
Per the 'SR FAQ' linked at the bottom of every post from the list:
svi net ipfilter list >some_temp_file_name.txt
then transport the file on a floppy (other than the LEAF one) or by whatever
other means you have on the LEAF box (SSH, etc...).
> I did capture the output from the logs displayed by weblet. They are
> pasted in below.
>
>
> 1 10:53:34.490 02/15/03 Sev=Warning/2 IKE/0xE300007B
> Exceeded 3 IKE SA negotiation retransmits... peer is not responding
>
> 2 10:53:34.550 02/15/03 Sev=Warning/3 DIALER/0xE3300015
> GI VPN start callback failed "CM_PEER_NOT_RESPONDING" (16h).
Where exactly is this error coming from?
Not the LEAF box, correct?
> IP masquerading entries
> prot expire source destination ports
> udp 1:24.01 192.168.1.3 149.2.141.5 500 -> 500 (500)
Looks like you have initiated an ipsec connection to the host 149.2.141.5.
> Chain input (policy DENY: 38 packets, 3910 bytes):
>  pkts bytes target prot opt    tosa tosx ifname mark outsize source    destination ports
>     0     0 ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 500
The rule is good; however, you have received '0' packets
from your remote ipsec server. The remote server has not
answered your request for a connection.
This is what you are missing... the auth protocols that should look
like this on your IN chain:
 pkts bytes target prot opt    tosa tosx ifname source  destination ports
    0     0 ACCEPT 50   ------ 0xFF 0x00 eth0   0.0.0.0 0.0.0.0/0   n/a
    0     0 ACCEPT 51   ------ 0xFF 0x00 eth0   0.0.0.0 0.0.0.0/0   n/a
This is likely your problem, and I have sent you the exact rule
I used on my Dachstein box to enable this.
> Chain forward (policy DENY: 0 packets, 0 bytes):
>  pkts bytes target prot opt    tosa tosx ifname mark outsize source      destination ports
>     8  4680 MASQ   udp  ------ 0xFF 0x00 *                   192.168.1.3 0.0.0.0/0   500 -> *
Good, 8 packets here. This is the request for a connection that you
have sent.
Chain portfw ????
> prot localaddr     rediraddr   lport rport pcnt pref
> UDP  12.237.136.59 192.168.1.3 500   500   10   10
The redirect of ipsec information from your external ip address to
your LAN machine.
> Installed Modules:
> ip_masq_portfw 2416 1
> ip_masq_ipsec 7328 1
Good, portfw'ding is enabled.
###### Summary #####
It should work when you add the rule:
# Generic Services open to outside world
# Space separated list: protocol_srcip/mask_dstport
EXTERN_PORTS="50_0.0.0.0 51_0.0.0.0"
# -or-
# Indexed list: "Protocol SrcAddr/Mask [ DestAddr[/DestMask] ]"
#EXTERN_PROTO0="50 0.0.0.0"
#EXTERN_PROTO1="51 0.0.0.0"
I hope this helps!
--
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
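The reasoning in the reply above (the udp/500 ACCEPT is present but has matched nothing, the forward chain shows the IKE requests leaving, and the ESP/AH ACCEPT rules are absent) can be applied mechanically to an ipchains listing. The following is an added diagnostic written for this thread; it is not code from the post, from LEAF or from Dachstein. It parses the `input` and `forward` chains of an `ipchains -L -n -v` style listing (the format `svi net ipfilter list` produced in the post), checks that UDP 500 (IKE), IP protocol 50 (ESP) and IP protocol 51 (AH) are accepted on the external interface, and flags an IKE rule that has matched zero packets while IKE requests were masqueraded out. The two listings embedded in the block are constructed, modelled on the one quoted in the thread; the interface name `eth0` and the packet counts in the "after" listing are assumptions.

```python
"""Diagnose IPsec passthrough rules from an `ipchains -L -n -v` listing.

Added example for this thread; not part of LEAF/Dachstein.  The listings
below are constructed, modelled on the output quoted in the post: one as
posted (no ESP/AH rules, IKE unanswered) and one as it should look after
EXTERN_PORTS="50_0.0.0.0 51_0.0.0.0" is added and the peer starts answering
(the counters in the second listing are assumed values).
"""
import re

# Constructed: roughly the listing quoted in the post (input + forward chains).
LISTING_BEFORE = """\
Chain input (policy DENY: 38 packets, 3910 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source    destination ports
    0     0 ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 500
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source      destination ports
    8  4680 MASQ   udp  ------ 0xFF 0x00 *                   192.168.1.3 0.0.0.0/0   500 -> *
"""

# Constructed: same box with the ESP (50) and AH (51) rules the post recommends,
# and with the remote peer now replying (non-zero counters are assumed).
LISTING_AFTER = """\
Chain input (policy DENY: 38 packets, 3910 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source    destination ports
    6  1200 ACCEPT udp  ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   * -> 500
   40  5120 ACCEPT 50   ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   n/a
    0     0 ACCEPT 51   ------ 0xFF 0x00 eth0                0.0.0.0/0 0.0.0.0/0   n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt    tosa tosx ifname mark outsize source      destination ports
    8  4680 MASQ   udp  ------ 0xFF 0x00 *                   192.168.1.3 0.0.0.0/0   500 -> *
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy")


def parse_listing(text):
    """Return one dict per rule: chain, pkts, target, prot, ifname, src, dst,
    sport, dport.  The mark/outsize columns are usually blank in ipchains -v
    output, so each line is read from both ends instead of by column index."""
    rules, chain = [], None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        tok = line.split()
        if chain is None or len(tok) < 9 or not tok[0].isdigit():
            continue  # header row or blank line
        pkts, _bytes, target, prot, _opt, _tosa, _tosx, ifname = tok[:8]
        rest = tok[8:]
        if prot in ("tcp", "udp"):      # ports column reads "sport -> dport"
            sport, _, dport = rest[-3:]
            src, dst = rest[-5:-3]
        else:                            # ports column reads "n/a"
            sport = dport = None
            src, dst = rest[-3:-1]
        rules.append(dict(chain=chain, pkts=int(pkts), target=target, prot=prot,
                          ifname=ifname, src=src, dst=dst, sport=sport, dport=dport))
    return rules


def check_ipsec_passthrough(rules, ext_if="eth0"):
    """For each flow IPsec passthrough needs on the external interface of the
    input chain, return (rule present?, packets matched)."""
    def find(pred):
        hits = [r for r in rules if r["chain"] == "input" and r["target"] == "ACCEPT"
                and r["ifname"] in (ext_if, "*") and pred(r)]
        return (bool(hits), sum(r["pkts"] for r in hits))
    return {
        "ike": find(lambda r: r["prot"] == "udp" and r["dport"] == "500"),  # ISAKMP
        "esp": find(lambda r: r["prot"] == "50"),                            # IP proto 50
        "ah":  find(lambda r: r["prot"] == "51"),                            # IP proto 51
    }


def diagnose(text, ext_if="eth0"):
    """Turn a listing into findings of the kind given in the post."""
    rules = parse_listing(text)
    status = check_ipsec_passthrough(rules, ext_if)
    findings = []
    for name in ("esp", "ah"):
        if not status[name][0]:
            findings.append(f"missing: no ACCEPT for IP protocol {name.upper()} "
                            f"on {ext_if} in the input chain")
    ike_present, ike_pkts = status["ike"]
    if not ike_present:
        findings.append(f"missing: no ACCEPT for udp/500 on {ext_if} in the input chain")
    elif ike_pkts == 0:
        # IKE requests that left through the forward chain (MASQ, source port 500)
        sent = sum(r["pkts"] for r in rules if r["chain"] == "forward"
                   and r["target"] == "MASQ" and r["sport"] == "500")
        findings.append(f"udp/500 rule present but matched 0 packets "
                        f"({sent} IKE packets masqueraded out): the peer is not replying")
    return findings


if __name__ == "__main__":
    for label, listing in (("before", LISTING_BEFORE), ("after", LISTING_AFTER)):
        print(label, diagnose(listing) or ["ok: IKE, ESP and AH accepted, IKE replies seen"])
```

Run it as-is to see the "before" listing produce the three findings the reply makes, or feed it the output of `ipchains -L -n -v` saved from the LEAF box. Note that the zero-count IKE finding and the missing ESP/AH rules are separate problems: the absent protocol 50/51 rules will block the tunnel once IKE succeeds, but they do not explain why the IKE peer never answers.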