Sergio A. Kessler wrote: > hi tom, > > Tom Eastep wrote: >> Sergio A. Kessler wrote: >> >>> I also tried with: >>> # cat /etc/shorewall/masq >>> ############################################################################### >>> #INTERFACE SUBNET ADDRESS PROTO PORT(S) >>> IPSEC >>> eth0 eth1 $EXT_SALIDA >>> eth0 eth3 $EXT_SALIDA >>> eth0 eth1 $EXT_VPN 47 >>> >>> but the problem remains, >>> the protocol 47 is not being SNAT'ed with the correct external IP. >> Try putting the GRE entry first -- in /etc/shorewall/masq, the first match is >> the one that is used. > > yes !! it worked ! > thanks tom ! > > anyway, I'm still wondering why the rule -- in /etc/shorewall/rules > > DNAT ext dmz:$DMZ_VPN 47 - - $EXT_VPN > > is not working as I expected...
It is working exactly as you *should* expect. The problem is that the server is sending GRE packets before the client. Normally, that is not a problem because all outbound traffic is SNATed through the same IP address. In your case, you want it to get a different source IP from other traffic -- so you must include the entry in /etc/shorewall/masq to make that work. If you load the kernel pptp helper modules (ipt_conntract_pptp and ipt_nat_pptp), you won't need the masq entry (or that's my understanding -- I haven't tried it). -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ [EMAIL PROTECTED] PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
signature.asc
Description: OpenPGP digital signature
------------------------------------------------------------------------- Take Surveys. Earn Cash. Influence the Future of IT Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys -- and earn cash http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
