Quoting [EMAIL PROTECTED]:

> Quoting Tom Eastep <[EMAIL PROTECTED]>:
>
>> lists wrote:
>>
>>> So, I've allowed traffic from $FW to vpn and from vpn to $FW.  Having
>>> looked at the documentation at www.shorewall.net that seems to be all I
>>> need to do.  I can't help thinking I must have missed something really
>>> obvious but if I have I can't spot it.  I've not updated any rules to
>>> allow specific types of traffic to/from the router.  I understood that
>>> the policy should allow everything to/from the router to the vpn zone.
>>> Is that correct?
>>>
>>
>> This problem usually results from mis-configuration of IPSEC and has nothing
>> to do with Shorewall. Does it work if you "shorewall clear" to remove
>> Shorewall from the picture?
>
> Yes, the problem still occurs after invoking "shorewall clear".  I
> should have thought to try that myself.  Thanks for the suggestion.
>
> I'll dig further into the ipsec config docs.
>

A follow up post to help anyone in the future searching the archives:

I've since found that I can ping remote hosts on the VPN from my local  
router if I force the ping to use the internal NIC.  So, "ping  
192.168.1.1 -I eth0" works but "ping 192.168.1.1" doesn't (eth0 is my  
internal NIC, eth2 is my external NIC.)

I've tried updating my routing table to force requests for the remote  
LAN to be sent via eth0 instead of eth2 but this seems to kill the VPN  
entirely.

The routing table looks like this:

1.2.3.0/24 dev eth2 proto kernel scope link src 1.2.3.4
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
192.168.1.0/24 via 1.2.3.1 dev eth2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 1.2.3.1 dev eth2

Where:
1.2.3.4 is my public IP
1.2.3.1 is my ISP router at the other end of my ADSL line
192.168.0.0/24 is the local LAN
192.168.1.0/24 is the remote LAN
eth0 is the internal interface
eth2 is the external interface


It seems that I need to force all packets that originate on the local
router that are destined for the remote LAN to be sent via the
internal NIC.  Firstly, is this something that's possible using
shorewall?  Secondly, is it a sensible approach to solving the problem?
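An added example, not from this thread, that models the kernel's source-address choice over the routing table posted above: without `-I eth0`, a packet to 192.168.1.1 leaves via eth2 with source 1.2.3.4, which falls outside a 192.168.0.0/24 to 192.168.1.0/24 IPsec selector, so the tunnel never sees it. The `FIXED_ROUTES` variant is a constructed assumption showing the usual alternative to re-pointing the route at eth0: keep the route on eth2 but pin `src 192.168.0.1` on it. The selector networks and the "first kernel link route on the device" source heuristic are simplifications assumed for the example.

```python
import ipaddress

# Routing table exactly as posted in the message above (the author's anonymised addresses).
ROUTES = """\
1.2.3.0/24 dev eth2 proto kernel scope link src 1.2.3.4
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
192.168.1.0/24 via 1.2.3.1 dev eth2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 1.2.3.1 dev eth2
"""
# Constructed variant: the remote-LAN route with a preferred source pinned, as
# "ip route replace 192.168.1.0/24 via 1.2.3.1 dev eth2 src 192.168.0.1" would give.
FIXED_ROUTES = ROUTES.replace(
    "192.168.1.0/24 via 1.2.3.1 dev eth2",
    "192.168.1.0/24 via 1.2.3.1 dev eth2 src 192.168.0.1")

def parse_routes(text):
    """Parse 'ip route' output into (network, {keyword: value}) tuples."""
    routes = []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        dst = ipaddress.ip_network("0.0.0.0/0" if parts[0] == "default" else parts[0])
        routes.append((dst, dict(zip(parts[1::2], parts[2::2]))))
    return routes

def lookup(routes, dst_ip):
    """Longest-prefix match, as the kernel FIB does."""
    ip = ipaddress.ip_address(dst_ip)
    return max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen)

def source_address(routes, dst_ip):
    """Source for a locally generated packet: the route's own 'src' if set, else the
    first kernel link route's src on the outgoing device (assumed primary address)."""
    _net, fields = lookup(routes, dst_ip)
    if "src" in fields:
        return fields["src"]
    for _net, f in routes:
        if f.get("dev") == fields.get("dev") and f.get("proto") == "kernel" and "src" in f:
            return f["src"]
    return None

def check_selector(routes, dst_ip, local_lan, remote_lan):
    """Return (chosen source, whether the packet matches the local<->remote selector)."""
    src = source_address(routes, dst_ip)
    ok = (src is not None and ipaddress.ip_address(src) in ipaddress.ip_network(local_lan)
          and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(remote_lan))
    return src, ok
```

Running `check_selector` on both tables for 192.168.1.1 returns ("1.2.3.4", False) for the posted table and ("192.168.0.1", True) once the source is pinned.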

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users