On Thu, Jan 17, 2008 at 03:01:37PM -0800, Tom Eastep wrote:
> Scorpy wrote:
>
> >> Okay -- this is interesting. The local router is clearly confused; I
> >> suspect as a result of NAT taking place between the two routers. It is
> >> sending an ISAKMP phase 1 R packet addressed to your firewall and with a
> >> source IP of the remote router (which is what we've been seeing in the
> >> Shorewall message).
> >
> >> So the two routers don't get so far as to negotiate an SA; the local one
> >> sends an unfathomable (to me) packet.
> >
> >> Afraid that you have reached the end of my knowledge here but I suspect
> >> that it is a configuration problem in one or both of the routers. Maybe
> >> someone more familiar with ISAKMP can shed some light.
> >
> > Is it possible to solve this problem by telling the router where to send packets
> > with some static route? Or are there some options in Shorewall maybe I can
> > use?
>
> I don't know -- I don't know why the ZyXEL router is doing what it is
> doing so I have no idea how to fix it.
My experience of ZyXEL devices in connection with IPsec is that they are buggy and shipped in a misconfigured state. My solution to date has always been to stop using IPsec (usually switching to OpenVPN) because I couldn't figure out how to get them working, and suspected that the manufacturer had never bothered to test them.

Note that ISAKMP is an extremely fragile protocol: if any part of the packets is not precisely as expected, the hosts will simply give up. This is a (questionable) design decision; there is no negotiation mechanism.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users