Brian Neu wrote:
> Unfortunately, I don't have that option in this environment because the
> company has a series of Linksys VPN routers at remote locations
> (construction trailers) which sometimes even get moved around.
> 
> Personally, and for other clients, I use OpenVPN everywhere.  This case
> is different though, and they have a legit reason to stick with this.
> 
> Is there any way to find out why DNAT of ESP proto gets rejected at the
> firewall?
> 
> Here is the dreaded log msg:
> 
> kernel: Shorewall:all2all:REJECT:IN=eth1 OUT=
> MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=(clientIP) DST=(fwIP)
> LEN=152 TOS=0x00 PREC=0x00 TTL=21 ID=1029 PROTO=ESP SPI=0xca69d85a
> 
> But in "rules" I have:
> DNAT    net         jgi:(internalOpenSwanIP)       esp     -       -       (fwIP)
> 
> 
> 
> So that part alone is throwing me more than anything right now.
> 
> Even crazier is that it was working last night for a little while and
> the ESP reject msgs stopped.  Now they pop up every couple seconds and
> things aren't working.

We're shooting totally in the dark here. Is 'eth1' your net interface or a
local one? The reason I ask is that most people at least have a 'net->all'
policy which would log policy drops from the 'net' zone out of a chain named
'net2all' whereas the above is being logged from 'all2all'. As Paul Gear
advises frequently on this list and elsewhere, you get much more helpful
information from your log if you define the entire zone-x-zone matrix in
your /etc/shorewall/policy file.

I would really like to see the information requested at
http://www.shorewall.net/support.htm#Guidelines. And please don't obfuscate
the information -- IP addresses aren't state secrets.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

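The two things Tom is asking Brian to look at are the chain name in the log prefix (Shorewall names a policy chain <src>2<dst>, so all2all means a catch-all fired rather than a policy that names the source zone) and whether the policy file covers every zone pair explicitly. The following is an added example, not code from the thread or from the Shorewall project: it parses netfilter log lines carrying the "Shorewall:<chain>:<disposition>:" prefix, splits the chain back into zones, and lists which zone pairs of a hypothetical policy file are still falling through to a wildcard. The zone names (fw, net, loc, jgi), the sample policy entries and the log lines are constructed for the example; the IP addresses are RFC 5737 documentation addresses standing in for the redacted clientIP/fwIP.

```python
"""Relate Shorewall log prefixes back to the policy matrix.

Added example; not part of the original thread or of Shorewall itself.
"""
import re

# Constructed sample lines. The first mirrors the ESP reject quoted in the
# thread (addresses replaced with documentation addresses); the second is a
# typical drop from an explicit net->all policy.
SAMPLE_LOG = [
    "kernel: Shorewall:all2all:REJECT:IN=eth1 OUT= "
    "MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=192.0.2.10 "
    "DST=198.51.100.1 LEN=152 TOS=0x00 PREC=0x00 TTL=21 ID=1029 "
    "PROTO=ESP SPI=0xca69d85a",
    "kernel: Shorewall:net2all:DROP:IN=eth0 OUT= "
    "MAC=00:04:23:d5:30:8f:00:d0:58:a3:70:5b:08:00 SRC=203.0.113.5 "
    "DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF "
    "PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

# Shorewall's LOG prefix: "Shorewall:<chain>:<disposition>:"
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):")
# netfilter KEY=VALUE fields; bare flags such as DF or SYN carry no '='
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return a dict with chain, disposition and every KEY=VALUE field,
    or None if the line carries no Shorewall prefix."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in FIELD_RE.findall(line[m.end():]):
        rec[key] = value
    return rec


def split_policy_chain(chain, zones):
    """Split a policy chain name <src>2<dst> into (src, dst) using the known
    zone names plus 'all', longest first, so a zone name that itself
    contains the digit 2 cannot mis-split. Returns None for non-policy chains."""
    names = set(zones) | {"all"}
    for src in sorted(names, key=len, reverse=True):
        if chain.startswith(src + "2") and chain[len(src) + 1:] in names:
            return src, chain[len(src) + 1:]
    return None


def diagnose(rec, zones):
    """One-line reading of which policy fired and what it says about
    the zone matrix."""
    pair = split_policy_chain(rec["chain"], zones)
    if pair is None:
        return f"{rec['chain']}: not a policy chain (rule or action chain)"
    src, dst = pair
    head = (f"{src}2{dst} {rec['disposition']} on IN={rec.get('IN', '?')} "
            f"proto {rec.get('PROTO', '?')}")
    if src == "all":
        return (head + ": a catch-all policy fired, so the log does not name "
                "the zone the packet was assigned to; define an explicit "
                "<zone>->all (or per-pair) policy for that zone")
    return head + f": explicit policy for source zone '{src}'"


def pairs_served_by_wildcard(zones, policies):
    """Ordered zone pairs (src != dst) that have no explicit line in
    /etc/shorewall/policy and therefore log from an all2* or *2all chain.
    `policies` is a list of (src, dst) as written in the policy file."""
    explicit = set(policies)
    return [(s, d) for s in sorted(zones) for d in sorted(zones)
            if s != d and (s, d) not in explicit]


if __name__ == "__main__":
    zones = {"fw", "net", "loc", "jgi"}
    for line in SAMPLE_LOG:
        rec = parse_line(line)
        print(diagnose(rec, zones))
    # Hypothetical policy file with only a partial matrix
    policies = [("loc", "net"), ("fw", "net"), ("net", "all"), ("all", "all")]
    for s, d in pairs_served_by_wildcard(zones, policies):
        print(f"no explicit policy for {s} -> {d}")
```

On a real box the input is `grep Shorewall: /var/log/messages` (or wherever syslog puts kernel messages); the zone set comes from /etc/shorewall/zones and the pair list from /etc/shorewall/policy. Note that SPI=0xca69d85a in the first line is the SPI of the rejected ESP packet, which is enough to match it against the SA the Openswan peer thinks it negotiated.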

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
