Sending again without attachment. I don't get mail on the list if I send the
attachment.

>Since you are NATing the connection, you should only be DNATing UDP port
>500 and 4500 to the internal router for VPN traffic. Again, there is
>very little chance of it working without NAT-T. The two IPSEC endpoints
>will determine that there is at least one NAT router between them and
>will encapsulate the ESP packets in UDP 4500 packets. AH cannot be used
>in this configuration.

The hw router is sending information only on UDP port 500. I can see this,
because only this port is blocked on the Linux box.

> I can see that the packets which I sent get to the other
> side. The problem is that the packets I receive don't reach the hw router on
> this side. I keep getting reject log on the internal interface of the Linux box, for
> udp packets.

>And on the INTERNAL interface? If so, it sounds like your internal and
>external interfaces are somehow bridged.

Hmm. I didn't use any bridge settings. I have one ADSL (pppoe) and one
internet interface. All I do is DNAT as I mentioned before.


> The internet is working fine from this router.
> 
>> Did you add an SNAT rule (/etc/shorewall/masq) so that traffic from this
>> router appears to come from that external IP address?
> 
> Hmm. No, I didn't. I just set a DNAT rule in "rules" like this:
> DNAT    net:$other_hw_router    loc:local_ip_of_my_hw_router     udp     500
> 
> Can you write me the code for "masq"?

>Do you only have one external IP address (193.x.x.x)? If so, your
>existing MASQ/SNAT entry in /etc/shorewall/masq is all you need.

Yes. I only have one external IP, and I already have an entry for this in masq.

>> The traffic that is being logged is coming INTO your firewall on eth0 --
>> it isn't a response from '...the other side'.
> 
> But why do I get reject error then? (85.x.x.x is the HW router on other
> side; 193.x.x.x. is the linux box)
> 
>How could we possibly know? We can't see your ruleset. And you are so
>tight-fisted with details, you won't even tell us what your external IP
>address is (even though everyone on the list already knows what it is
>and could care less). Shorewall 2.2 supports a "shorewall status"
>command -- if you send us the output of that command (as a compressed
>attachment), it will help although the information in that command is
>not nearly so complete and helpful as the output of "shorewall dump" in
>later versions.

Ok. I attached the file status. The IP of the Linux box is 193.95.229.95
and not the IP located in my mail (I know you can see my IP). The hw router
has internal IP 192.168.1.180.
On the other side the hw router has IP 85.10.34.99. Both hw routers are
Zyxel Zywall 2 plus.


>My guess is that you have 'detectnets' specified on eth0 in
>/etc/shorewall/interfaces so that packets from 85.x.x.x aren't in the
>'loc' zone (see Shorewall FAQ 17).

No, I only use these settings. I also used routeback on eth0 and saw no
difference.

#ZONE   INTERFACE       BROADCAST       OPTIONS
net     dsl0            detect          routefilter,tcpflags
loc     eth0            detect          tcpflags


>> Shorewall:all2all:REJECT:IN=eth0 OUT=
>> MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00 SRC=85.x.x.x DST=193.x.x.x
>> LEN=104 TOS=0x00 PREC=0x00 TTL=245 ID=36536 PROTO=UDP SPT=500 DPT=500
>> LEN=84
> 

>But that still begs the question about why the above packet is showing
>up on your internal interface in the first place -- it should be
>arriving on your internal interface.

>Again, it looks to me like your internal and external interfaces may be
>bridged.

>What is the sequence of packets that you are seeing? Is it:

>       1) internal router->remote router UDP 500
>       2) <message above>

>Or do you see packets (including ESP) go back and forth and THEN you get
>the message?

Yes. I can see the message go out to the other side, and when the hw router on the
other side responds and sends its response, the Linux box on my side blocks
UDP port 500.

Scopry.
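As an added example, not part of this thread and not Shorewall's own code, here is a small Python parser for netfilter log lines of the shape quoted above. It labels each record as IKE (UDP 500), NAT-T (UDP 4500), ESP or AH, and flags the two conditions raised in the discussion: a packet from the remote peer showing up on the internal interface, and raw ESP or AH arriving at a NATing firewall instead of UDP 4500. The interface names and addresses are the ones given in the thread; the sample log lines are constructed (only the first copies the shape of the quoted REJECT entry), and the classification rules are my own heuristics.

```python
import re

# Names taken from the thread: eth0 is the 'loc' interface, dsl0 the 'net'
# interface, 85.10.34.99 the hardware router on the far side.
INTERNAL_IF = "eth0"
EXTERNAL_IF = "dsl0"
REMOTE_PEER = "85.10.34.99"

# Constructed sample log (not from the mail): the first line copies the shape
# of the quoted REJECT entry, the others are made up to show the other cases.
SAMPLE_LOG = """\
Shorewall:all2all:REJECT:IN=eth0 OUT= MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00 SRC=85.10.34.99 DST=193.95.229.95 LEN=104 TOS=0x00 PREC=0x00 TTL=245 ID=36536 PROTO=UDP SPT=500 DPT=500 LEN=84
Feb 20 10:11:12 fw kernel: Shorewall:net2loc:ACCEPT:IN=dsl0 OUT=eth0 SRC=85.10.34.99 DST=192.168.1.180 LEN=120 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=UDP SPT=4500 DPT=4500 LEN=100
Shorewall:net2fw:DROP:IN=dsl0 OUT= SRC=85.10.34.99 DST=193.95.229.95 LEN=140 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=ESP SPI=0x0000c0de
Shorewall:net2fw:DROP:IN=dsl0 OUT= SRC=85.10.34.99 DST=193.95.229.95 LEN=140 TOS=0x00 PREC=0x00 TTL=54 ID=3 PROTO=AH SPI=0x0000c0df
"""

# "Shorewall:<chain>:<disposition>:" may be preceded by a syslog prefix.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<action>[^:\s]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the netfilter fields, or None for a non-Shorewall line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in FIELD_RE.findall(line[m.end():]):
        # The kernel prints LEN twice (IP header, then UDP header); keep the first.
        rec.setdefault(key, val)
    return rec


def classify(rec):
    """Map a record to the IPsec traffic type it represents (heuristic)."""
    proto = rec.get("PROTO", "").upper()
    if proto in ("ESP", "AH"):
        return proto
    if proto == "UDP":
        ports = {rec.get("SPT"), rec.get("DPT")}
        if "4500" in ports:
            return "NAT-T"      # UDP-encapsulated ESP or IKE behind NAT
        if "500" in ports:
            return "IKE"        # plain ISAKMP
    return "other"


def anomalies(rec):
    """Findings an admin would want to see for an IPsec-through-NAT setup."""
    notes = []
    kind = classify(rec)
    if rec.get("SRC") == REMOTE_PEER and rec.get("IN") == INTERNAL_IF:
        notes.append("remote peer's packet entered on the internal interface; "
                     "check for bridged interfaces or a wrong route")
    if kind == "ESP" and rec.get("IN") == EXTERNAL_IF and rec["action"] != "ACCEPT":
        notes.append("raw ESP reached the NATing firewall; the endpoints did not "
                     "switch to NAT-T (UDP 4500), so a DNAT limited to UDP 500/4500 "
                     "does not cover it")
    if kind == "AH":
        notes.append("AH seen: AH authenticates the IP header that NAT rewrites, "
                     "so it cannot pass through NAT")
    return notes


def summarize(log_text):
    """Parse every Shorewall line and attach its traffic class and findings."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rows.append({
            "chain": rec["chain"], "action": rec["action"],
            "in": rec.get("IN"), "out": rec.get("OUT"),
            "src": rec.get("SRC"), "dst": rec.get("DST"),
            "kind": classify(rec), "notes": anomalies(rec),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"{row['action']:6} {row['in']:>5} -> {row['out'] or '-':5} "
              f"{row['src']} -> {row['dst']} [{row['kind']}]")
        for note in row["notes"]:
            print("    !", note)
```

Feed it the relevant lines from /var/log/messages (or the output of "shorewall status"/"shorewall dump") and look at the notes: a REJECT of UDP 500 from the remote peer with IN=eth0, as in the entry above, is exactly the bridged-or-misrouted case the reply points at, while raw ESP or AH on dsl0 means the two ZyWALLs never moved to NAT-T.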


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users