On 9/5/10 11:03 AM, Boris wrote:
> Hej all,
>
> I know there are shorewall gurus inside here and my appliance is based
> on leaf, so I'm going to ask the following here in this list:
>
> I have a leaf box (R1) that is openvpn (tun0) client (on non-standard
> port 1195) to another leaf box (R2). On R1 there is also a openvpn
> server (tun1) running (on standard port 1194). There are networks behind
> those routers (N1 and N2). They are full transparent through the tun0.
>
> When I connect to R1 with a roadwarrior through tun1, I can ping N1 but
> not N2. From shorewall log I get this:
>
> Sep 5 17:51:21 nordgate2 Shorewall:FORWARD:REJECT: IN=tun0 OUT=tun1
> MAC= SRC=10.9.1.6 DST=192.168.22.101 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0
> DF PROTO=ICMP TYPE=8 CODE=0 ID=46350 SEQ=1
>
> (I might have switched tun0 and tun1 in this description). I cannot
> allow the traffic between the two tunnels because I don't have separate
> zones for them. In /etc/shorewall/zones there is
> vpn tun+

No -- that is in /etc/shorewall/interfaces :-)

> This seems all right, because tun0 and tun1 are defined dynamically.
>
> So: How to handle??

Add the 'routeback' option to that entry.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
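The diagnosis above (a FORWARD reject whose IN and OUT interfaces both fall under the same `tun+` entry in /etc/shorewall/interfaces, with no `routeback`) can be turned into a quick log check. The script below is an added example, not code from the thread or from Shorewall; the second log line, the interfaces file contents and the function names are constructed assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed inputs: the post's REJECT line plus an ordinary inter-zone reject, and an interfaces file with 'vpn tun+'.
SAMPLE_LOG = """\
Sep 5 17:51:21 nordgate2 Shorewall:FORWARD:REJECT: IN=tun0 OUT=tun1 MAC= SRC=10.9.1.6 DST=192.168.22.101 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=46350 SEQ=1
Sep 5 17:52:02 nordgate2 Shorewall:FORWARD:REJECT: IN=eth0 OUT=tun1 MAC= SRC=203.0.113.7 DST=192.168.22.101 LEN=60 TOS=00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=40000 DPT=22
"""
INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      tcpflags,nosmurfs
vpn     tun+        -
"""
LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<action>\w+):\s*(?P<fields>.*)")

def parse_log_line(line):
    """Return (chain, action, {field: value}) for a Shorewall log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(tok.partition("=")[::2] for tok in m.group("fields").split())
    return m.group("chain"), m.group("action"), fields

def parse_interfaces(text):
    """Parse interfaces entries into (zone, interface pattern, set of options)."""
    entries = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if cols:
            opts = set(cols[3].split(",")) if len(cols) > 3 and cols[3] != "-" else set()
            entries.append((cols[0], cols[1], opts))
    return entries

def match_entry(iface, entries):
    """Return the first entry covering iface (a trailing '+' is Shorewall's prefix wildcard), else None."""
    for zone, pattern, opts in entries:
        if fnmatchcase(iface, pattern[:-1] + "*" if pattern.endswith("+") else pattern):
            return zone, pattern, opts

def find_missing_routeback(log_text, interfaces_text):
    """List rejected FORWARD flows whose IN and OUT both fall under one entry lacking routeback."""
    entries = parse_interfaces(interfaces_text)
    findings = []
    for parsed in map(parse_log_line, log_text.splitlines()):
        if not parsed or parsed[0] != "FORWARD" or parsed[1] not in ("REJECT", "DROP"):
            continue
        f = parsed[2]
        src, dst = match_entry(f.get("IN", ""), entries), match_entry(f.get("OUT", ""), entries)
        if src and dst and src[:2] == dst[:2] and "routeback" not in src[2]:
            findings.append((f["IN"], f["OUT"], f["SRC"], f["DST"], src[0], src[1]))
    return findings
```

Each finding names the flow and the interfaces entry it hit; the eth0 to tun1 reject is left alone because it crosses zones and is a policy matter, not a routeback one.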
------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/