Tom Eastep wrote:
> lpa du morvan wrote:
>> Hi
>>
>> I use shorewall 3.2.5 + ipsec (openswan 2.4.5) +fc6
>>
>> I have used the method in http://www.shorewall.net/IPSEC.html for the
>> configuration.
>> (but not this method in http://www.shorewall.net/IPSEC-2.6.html !)
> 
>> but when client-lan1 pings client-lan2, shorewall-lan1 says:
>> FORWARD:REJECT:IN=eth0 OUT=eth5 SRC=191.168.2.10 DST=10.71.60.6
>>
>> 191.168.2.10 is client-lan1
>>
>> 10.71.60.6 is client-lan2
>>
> 
> From your "shorewall dump"
> 
> Shorewall has detected the following iptables/netfilter capabilities:
>    NAT: Available
>    Packet Mangling: Available
>    Multi-port Match: Available
>    Extended Multi-port Match: Available
>    Connection Tracking Match: Available
>    Packet Type Match: Available
>    Policy Match: Available
> 
> When your kernel and iptables support Policy Match, you MUST use the setup
> described at http://www.shorewall.net/IPSEC-2.6.html

A couple more things:

a) In the current development release (3.3.6), if you don't define any 'ipsec'
zones or host entries then Shorewall will not use policy match. So with that
version, you can use the http://www.shorewall.net/IPSEC.html instructions even
if you have policy match support.

b) You can disable policy match by renaming the iptables policy match module.
The iptables modules are usually found in /lib/iptables/ or /usr/lib/iptables/.
You can simply rename the libipt_policy.so file to libipt_foo.so.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
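
An added example, not part of the message above and not Shorewall's own code: a shell check that reads a saved "shorewall dump" and the iptables module directories named in the message, then reports which IPSEC document applies under the rule quoted for 3.2.5 (it does not model the 3.3.6 exception in point a). The function names and the idea of saving the dump to a file are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the dump file is assumed to be
# the saved output of "shorewall dump" (quoted with ">" or not).

# policy_match_available DUMPFILE
# Succeeds only when the capabilities block says "Policy Match: Available".
# Any other value on that line, or no such line, counts as unavailable.
policy_match_available() {
    grep -Eq '^[[:space:]>]*Policy Match:[[:space:]]*Available[[:space:]]*$' "$1"
}

# find_policy_module DIR...
# Prints the first libipt_policy.so found in the given directories.
# Fails when the module is absent (for example after it was renamed).
find_policy_module() {
    for dir in "$@"; do
        if [ -f "$dir/libipt_policy.so" ]; then
            printf '%s\n' "$dir/libipt_policy.so"
            return 0
        fi
    done
    return 1
}

# ipsec_doc_for DUMPFILE DIR...
# Prints one line: the document to follow and where the module file is.
ipsec_doc_for() {
    dump=$1
    shift
    if policy_match_available "$dump"; then
        doc=http://www.shorewall.net/IPSEC-2.6.html
    else
        doc=http://www.shorewall.net/IPSEC.html
    fi
    module=$(find_policy_module "$@") || module=none
    printf 'doc=%s module=%s\n' "$doc" "$module"
}

# Typical call on a live system, using the directories from the message:
#   shorewall dump > /tmp/dump.txt
#   ipsec_doc_for /tmp/dump.txt /lib/iptables /usr/lib/iptables
```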

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
