One additional piece of info:
if I ping from a LAN client (location a) to the firewall (location b) I get
this:
firewall a:
Feb 23 15:08:08 fw kernel: Shorewall:loc2vpnka:ACCEPT:IN=eth0 OUT=eth2
SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=42595 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=31232
firewall b:
Feb 23 15:08:08 fw kernel: Shorewall:INPUT:DROP:IN=dsl0 OUT= MAC=
SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127
ID=51126 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33280
The policy allows:
vpn <=> loc
vpn <=> fw
[EMAIL PROTECTED] wrote on 23.02.2007
13:48:43:
>
> Hi list,
>
> I have a problem creating an IPsec connection.
>
> Here is my description:
> I have two locations with Shorewall (3.2.9) firewalls.
> location a: 172.31.0.0/20 - suse10.2 - kernel 2.6.18.2-34-
> default - Policy Match: Available - eth2=wan - eth0=lan
>
> location b: 172.31.16.0/20 - suse 10.0 - kernel 2.6.13-15.13-default
> - Policy Match: Available - dsl0=wan - eth1=lan
>
> So far they both work fine. Now I want to connect them by IPsec.
> I configured racoon.
> In /var/log/messages I can see these 2 lines:
> Feb 23 12:11:46 fw racoon: INFO: IPsec-SA established:
> ESP/Tunnel 213.23.xxx.xxx[0]->87.139.xxx.xxx[0] spi=6115338(0x5d500a)
> Feb 23 12:11:46 fw racoon: INFO: IPsec-SA established:
> ESP/Tunnel 87.139.xxx.xxx[0]->213.23.xxx.xx[0] spi=152085169(0x910a2b1)
>
>
> In Shorewall I used this config:
>
> /etc/shorewall/tunnels
> a:
> ipsec net 87.139.xxx.xxx
> b:
> ipsec net 213.23.xxx.xxx
>
>
> /etc/shorewall/zones
> a:
> vpnb ipv4
> net ipv4
> fw firewall
> loc ipv4
> b:
> vpna ipv4
> net ipv4
> fw firewall
> loc ipv4
>
> /etc/shorewall/hosts
> a:
> vpnb eth2:172.31.0.0/20,87.139.xxx.xxx ipsec
> b:
> vpna dsl0:172.31.16.0/20,213.23.xxx.xxx ipsec
>
> /etc/shorewall/masq
> a:
> eth2 eth0
> b:
> dsl0 eth1
>
>
> If I ping from a LAN client (location a) to a LAN client (location b)
> I get this:
>
> Feb 23 13:09:31 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth2
> SRC=172.31.10.2 DST=172.31.29.13 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=9068 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27136
>
>
>
> What is wrong here?
>
> Kind regards,
> Peter
>
>
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
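Added here as an editor's example, not code from the thread or from the Shorewall project: a small Python parser for the kind of Shorewall kernel log lines quoted above. It pulls out the chain, the disposition and the netfilter KEY=value fields, tallies events by chain, interfaces and addresses so repeated drops stand out, and flags lines where a packet with a private source address was seen unencapsulated (not ESP/AH) on a WAN interface. On a 2.6 kernel with policy match support, a packet decapsulated from an IPsec tunnel passes through netfilter a second time on the WAN interface with its inner addresses, which is what an `ipsec`-marked zone in /etc/shorewall/hosts exists to classify, so such lines are the ones to cross-check against the zone and policy definitions; the function only flags them and does not decide whether the drop was correct. The sample log lines are constructed after the ones in the thread (public addresses left masked as in the post), and the WAN interface names are the ones the post gives.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the Shorewall log lines quoted in the thread.
# Public addresses stay masked as in the post; only SRC is parsed as an IP.
SAMPLE_LOG = """\
Feb 23 15:08:08 fw kernel: Shorewall:loc2vpnka:ACCEPT:IN=eth0 OUT=eth2 SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=42595 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=31232
Feb 23 15:08:08 fw kernel: Shorewall:INPUT:DROP:IN=dsl0 OUT= MAC= SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=51126 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33280
Feb 23 13:09:31 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth2 SRC=172.31.10.2 DST=172.31.29.13 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=9068 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27136
"""

# Shorewall's default log prefix is "Shorewall:<chain>:<disposition>:" followed
# by the kernel's KEY=value netfilter fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")


@dataclass
class ShorewallEvent:
    chain: str
    disposition: str
    fields: dict = field(default_factory=dict)

    def get(self, key, default=""):
        return self.fields.get(key, default)


def parse_line(line):
    """Return a ShorewallEvent for a Shorewall log line, or None for any other line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for token in m.group("rest").split():
        if "=" not in token:
            continue  # bare flag tokens such as DF carry no value
        key, value = token.split("=", 1)
        # ID= appears twice (IP header id, then ICMP id); keep the first, IP-layer one.
        fields.setdefault(key, value)
    return ShorewallEvent(m.group("chain"), m.group("disposition"), fields)


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def tally(events):
    """Count events by (chain, disposition, IN, OUT, SRC, DST, PROTO)."""
    return Counter(
        (ev.chain, ev.disposition, ev.get("IN"), ev.get("OUT"),
         ev.get("SRC"), ev.get("DST"), ev.get("PROTO"))
        for ev in events
    )


def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False  # masked (xxx) or malformed address


def plain_private_on_wan(events, wan_ifaces):
    """Events where a non-ESP/AH packet with a private SRC arrived on a WAN interface.

    With kernel IPsec these are typically decapsulated tunnel packets on their
    second pass through netfilter; the caller decides what zone and policy
    should have applied to them.
    """
    return [
        ev for ev in events
        if ev.get("IN") in wan_ifaces
        and _is_private(ev.get("SRC"))
        and ev.get("PROTO").upper() not in {"ESP", "AH", "50", "51"}
    ]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in tally(evs).items():
        print(n, *key)
    # WAN interface names as given in the post: eth2 at location a, dsl0 at location b.
    for ev in plain_private_on_wan(evs, {"eth2", "dsl0"}):
        print("private source on WAN, not encapsulated:",
              ev.chain, ev.disposition, ev.get("SRC"), "->", ev.get("DST"))
```

Run it against a real /var/log/messages (or the output of `shorewall show log`) instead of SAMPLE_LOG, and the tally shows at a glance which chain is dropping the tunnel traffic on each side; the flagged INPUT line on the dsl0 side is the one to compare with the `ipsec` zone entry in /etc/shorewall/hosts and the `vpn <=> fw` policy.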