Sorry for the inconvenience I caused, I found the error.
In both /etc/shorewall/hosts files I mixed up the LAN IPs.

now everything works fine.


shorewall is great! :-)




[EMAIL PROTECTED] wrote on 23.02.2007 15:31:04:

> 
> One additional piece of info: 
> 
> If I ping from a LAN client (location a) to the firewall (location b) I get this: 
> 
> firewall a: 
> Feb 23 15:08:08 fw kernel: Shorewall:loc2vpnka:ACCEPT:IN=eth0 
> OUT=eth2 SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 
> PREC=0x00 TTL=127 ID=42595 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=31232 
> 
> firewall b: 
> Feb 23 15:08:08 fw kernel: Shorewall:INPUT:DROP:IN=dsl0 OUT= MAC= 
> SRC=172.31.10.2 DST=87.139.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=51126 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=33280 
> 
> policy allows 
> vpn <=> loc 
> vpn <=> fw 
> 
> 
> 
> [EMAIL PROTECTED] wrote on 23.02.2007 13:48:43:
> 
> > 
> > Hi list, 
> > 
> > I have a problem creating an IPsec connection. 
> > 
> > Here is my description: 
> > I have two locations with shorewall (3.2.9) firewalls. 
> > location a: 172.31.0.0/20 - suse10.2 - kernel 2.6.18.2-34-default - Policy Match: Available - eth2=wan - eth0=lan 
> > 
> > location b: 172.31.16.0/20 - suse 10.0 - kernel 2.6.13-15.13-default - Policy Match: Available - dsl0=wan - eth1=lan 
> > 
> > So far they both work fine. Now I want to connect them by IPsec. 
> > I configured racoon. 
> > In /var/log/messages I can see 2 lines: 
> >         Feb 23 12:11:46 fw racoon: INFO: IPsec-SA established: ESP/Tunnel 213.23.xxx.xxx[0]->87.139.xxx.xxx[0] spi=6115338(0x5d500a) 
> >         Feb 23 12:11:46 fw racoon: INFO: IPsec-SA established: ESP/Tunnel 87.139.xxx.xxx[0]->213.23.xxx.xx[0] spi=152085169(0x910a2b1) 
> > 
> > 
> > In shorewall I used this config: 
> > 
> > /etc/shorewall/tunnels 
> > a: 
> > ipsec                   net     87.139.xxx.xxx 
> > b: 
> > ipsec           net     213.23.xxx.xxx 
> > 
> > 
> > /etc/shorewall/zones 
> > a: 
> > vpnb        ipv4 
> > net        ipv4 
> > fw        firewall 
> > loc        ipv4 
> > b: 
> > vpna        ipv4 
> > net        ipv4 
> > fw        firewall 
> > loc        ipv4 
> > 
> > /etc/shorewall/hosts 
> > a: 
> > vpnb   eth2:172.31.0.0/20,87.139.xxx.xxx       ipsec 
> > b: 
> > vpna   dsl0:172.31.16.0/20,213.23.xxx.xxx       ipsec 
> > 
> > /etc/shorewall/masq 
> > a: 
> > eth2                    eth0 
> > b: 
> > dsl0                    eth1 
> > 
> > 
> > If I ping from a LAN client (location a) to a LAN client (location b) 
> > I get this: 
> > 
> > Feb 23 13:09:31 fw kernel: Shorewall:FORWARD:DROP:IN=eth0 OUT=eth2 
> > SRC=172.31.10.2 DST=172.31.29.13 LEN=60 TOS=0x00 PREC=0x00 TTL=127 
> > ID=9068 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27136 
> > 
> > 
> > 
> > What is wrong here? 
> > 
> > Kind regards 
> > Peter 
> > 
> > 
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
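Added example, not code from the thread or from the Shorewall project: a small Python check that parses `/etc/shorewall/hosts` entries carrying the `ipsec` option and flags any network that overlaps the firewall's own LAN, which is the mix-up described above (location a's `vpnb` entry listed 172.31.0.0/20, a's own LAN, where it needs location b's LAN, 172.31.16.0/20, and the same in reverse at location b). The hosts file assigns addresses seen on the WAN interface to a zone, so for a site-to-site tunnel the vpn zone must name the remote LAN. The sample lines are constructed from the posted configs; 192.0.2.1 and 198.51.100.1 are constructed placeholders standing in for the masked 87.139.xxx.xxx and 213.23.xxx.xxx endpoints (the masked forms are not parseable addresses, and the check reports such entries instead of silently skipping them).

```python
import ipaddress

# Constructed sample: location a's /etc/shorewall/hosts as posted, with
# 192.0.2.1 standing in for the masked 87.139.xxx.xxx tunnel endpoint.
LOCATION_A_AS_POSTED = [
    "#ZONE   HOST(S)                          OPTIONS",
    "vpnb    eth2:172.31.0.0/20,192.0.2.1     ipsec",
]

# Constructed sample: the same file with the remote LAN (location b) listed.
LOCATION_A_FIXED = [
    "#ZONE   HOST(S)                          OPTIONS",
    "vpnb    eth2:172.31.16.0/20,192.0.2.1    ipsec",
]

# Constructed sample: location b's entry as posted, with 198.51.100.1 standing
# in for the masked 213.23.xxx.xxx endpoint.
LOCATION_B_AS_POSTED = [
    "vpna    dsl0:172.31.16.0/20,198.51.100.1 ipsec",
]


def parse_hosts_line(line):
    """Split one hosts line into (zone, interface, [hosts...], [options...]).

    Shorewall's hosts file has three columns: ZONE, HOST(S) in the form
    interface:address,address,... and a comma-separated OPTIONS column.
    """
    fields = line.split()
    zone, spec = fields[0], fields[1]
    options = fields[2].split(",") if len(fields) > 2 else []
    iface, _, addrs = spec.partition(":")
    hosts = [a for a in addrs.split(",") if a]
    return zone, iface, hosts, options


def check_vpn_hosts(lines, local_lan):
    """Return findings for ipsec-zone entries that cover the firewall's own LAN.

    An ipsec zone on the WAN interface should list the remote site's LAN; an
    entry overlapping local_lan reproduces the thread's mistake. Entries that
    do not parse as an address or network are reported as well.
    """
    local = ipaddress.ip_network(local_lan)
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        zone, iface, hosts, options = parse_hosts_line(line)
        if "ipsec" not in options:
            continue
        for host in hosts:
            try:
                net = ipaddress.ip_network(host, strict=False)
            except ValueError:
                findings.append(f"{zone} on {iface}: cannot parse host entry {host!r}")
                continue
            if net.overlaps(local):
                findings.append(
                    f"{zone} on {iface}: {host} overlaps local LAN {local_lan}; "
                    "an ipsec zone should list the remote site's LAN"
                )
    return findings


if __name__ == "__main__":
    for label, cfg, lan in (
        ("location a as posted", LOCATION_A_AS_POSTED, "172.31.0.0/20"),
        ("location a fixed", LOCATION_A_FIXED, "172.31.0.0/20"),
        ("location b as posted", LOCATION_B_AS_POSTED, "172.31.16.0/20"),
    ):
        print(label + ":", check_vpn_hosts(cfg, lan) or "OK")
```

Run against the posted entries the check reports one overlap per site; against the corrected location a entry it reports nothing. The overlap test uses `ipaddress.IPv4Network.overlaps`, so a single host address inside the local LAN is caught as well as an exact duplicate of the prefix.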