Daniel Everett wrote:
> I am trying to set up a single PC (no LAN) as a VPN client, using shorewall and racoon under Debian 4 (kernel 2.6.18). The PC is connected to a cable modem on eth0. I am finding that I cannot even ping any addresses on the remote LAN - the trace in /var/log/messages does not show any communication with the VPN gateway when I attempt it.
>
> No errors are reported during the start up of shorewall. Running "shorewall show messages" gives the error:
>
> iptables: No chain/target/match by that name

Shorewall has no 'show messages' command. Did you possibly want 'shorewall show log'?

> However running "shorewall check" does not find any problems with my kernel configuration. There is no entry in the routing tables for the VPN gateway or remote LAN.

That is normal under Racoon.

> My shorewall configuration is:
>
> /etc/shorewall/tunnels:
>
> ipsec:noah   net   80.168.19.2
>
> /etc/shorewall/hosts:
>
> #ZONE   HOST(S)              OPTIONS
> vpn     eth0:192.0.2.0/24
>
> /etc/shorewall/interfaces:
>
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> vpn     ipsec0

The above is not correct -- remove it.

> net     eth0        detect      dhcp
>
> /etc/shorewall/zones:
>
> fw      firewall
> vpn     ipv4        proto=esp,mode=tunnel

The zone type should be 'ipsec', not 'ipv4'; otherwise you need to specify 'ipsec' in the OPTIONS in your /etc/shorewall/hosts entry.

> net     ipv4
>
> /etc/shorewall/policy:
>
> #SOURCE   DEST   POLICY   LOG     LIMIT:BURST
> #                         LEVEL
> $FW       vpn    ACCEPT   info
> vpn       $FW    ACCEPT   info
> vpn       net    ACCEPT   info
> $FW       net    ACCEPT   info
> net       all    DROP     info
> all       all    REJECT   info
>
> /etc/shorewall/rules:
>
> #ACTION   SOURCE             DEST               PROTO   DEST      SOURCE    ORIGINAL   RATE    USER/
> #                                                       PORT(S)   PORT(S)   DEST       LIMIT   GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> SECTION NEW
> ACCEPT    $FW                vpn:80.168.19.2    udp     500
> ACCEPT    vpn:80.168.19.2    $FW                udp     500
> ACCEPT    $FW                vpn:80.168.19.2    50
> ACCEPT    vpn:80.168.19.2    $FW                50
> ACCEPT    $FW                vpn:80.168.19.2    51
> ACCEPT    vpn:80.168.19.2    $FW                51
>
> Is there anything wrong with this configuration?

Please see my comments above.

> Could there be another problem?

Sure. Start by removing Shorewall from the equation (temporarily 'shorewall clear'). Once the VPN is working, then correct your Shorewall configuration and 'shorewall start'.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
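The two configuration mistakes Tom points out (an ipsec0 entry in /etc/shorewall/interfaces, and a zone carrying IPsec SA options while typed 'ipv4' with no 'ipsec' option on its hosts entry) are mechanical enough to check before running 'shorewall start'. The script below is an added example written for this page; it is not Shorewall's own code and not part of Tom's reply. It assumes the whitespace-separated column layouts visible in the quoted files, and the set of option names it treats as IPsec-specific is an assumption. The sample inputs are the configuration quoted in the thread, plus the corrected forms Tom describes.

```python
"""Hypothetical lint for the Shorewall zone/hosts/interfaces inconsistency
discussed in Tom's reply. Added example, not Shorewall's own code."""

import re

# Constructed sample files, copied from the configuration quoted in the thread.
ZONES_AS_POSTED = """\
#ZONE TYPE     OPTIONS
fw    firewall
vpn   ipv4     proto=esp,mode=tunnel
net   ipv4
"""

HOSTS_AS_POSTED = """\
#ZONE HOST(S)           OPTIONS
vpn   eth0:192.0.2.0/24
"""

INTERFACES_AS_POSTED = """\
#ZONE INTERFACE BROADCAST OPTIONS
vpn   ipsec0
net   eth0      detect    dhcp
"""

# Corrected forms following Tom's comments: zone type 'ipsec', no ipsec0 interface.
ZONES_FIXED = """\
fw    firewall
vpn   ipsec    proto=esp,mode=tunnel
net   ipv4
"""

INTERFACES_FIXED = """\
net   eth0      detect    dhcp
"""

# Assumption: option keys that only make sense as IPsec SA selectors.
IPSEC_ONLY_OPTIONS = {"mode", "proto", "reqid", "spi"}


def parse_table(text):
    """Split a Shorewall table into rows of columns, dropping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def lint(zones_text, hosts_text, interfaces_text):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []

    # zones: NAME TYPE [OPTIONS]; TYPE defaults to ipv4 if omitted (assumption).
    zone_type, zone_opts = {}, {}
    for row in parse_table(zones_text):
        name = row[0]
        zone_type[name] = row[1] if len(row) > 1 else "ipv4"
        opts = row[2].split(",") if len(row) > 2 else []
        zone_opts[name] = {o.split("=", 1)[0] for o in opts}

    # hosts: ZONE HOST(S) [OPTIONS]; collect per-zone option flags.
    hosts_opts = {}
    for row in parse_table(hosts_text):
        zone = row[0]
        opts = set(row[2].split(",")) if len(row) > 2 else set()
        hosts_opts.setdefault(zone, set()).update(opts)
        if zone not in zone_type:
            findings.append(f"hosts: zone '{zone}' is not defined in zones")

    # Tom's point: IPsec selectors on an ipv4 zone need either type 'ipsec'
    # or the 'ipsec' option on the matching hosts entry.
    for name, ztype in zone_type.items():
        sa_opts = zone_opts[name] & IPSEC_ONLY_OPTIONS
        if ztype == "ipv4" and sa_opts and "ipsec" not in hosts_opts.get(name, set()):
            findings.append(
                f"zones: '{name}' has IPsec options ({', '.join(sorted(sa_opts))}) "
                "but type ipv4 and no 'ipsec' in hosts OPTIONS; "
                "use type ipsec (or add 'ipsec' to the hosts entry)"
            )

    # interfaces: ZONE INTERFACE [BROADCAST [OPTIONS]]. Native 2.6 IPsec, which
    # racoon drives, has no ipsecN device, so such an entry should be removed.
    for row in parse_table(interfaces_text):
        zone, iface = row[0], (row[1] if len(row) > 1 else "")
        if zone not in zone_type:
            findings.append(f"interfaces: zone '{zone}' is not defined in zones")
        if re.fullmatch(r"ipsec\d+", iface):
            findings.append(f"interfaces: '{iface}' is not a real device under racoon; remove the entry")

    return findings


if __name__ == "__main__":
    for f in lint(ZONES_AS_POSTED, HOSTS_AS_POSTED, INTERFACES_AS_POSTED):
        print("FINDING:", f)
    print("fixed config findings:", lint(ZONES_FIXED, HOSTS_AS_POSTED, INTERFACES_FIXED))
```

Run against the posted files it reports exactly the two problems Tom raised; run against either correction (zone type 'ipsec', or 'ipsec' in the hosts OPTIONS column) it reports none.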
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
