I've looked at a number of docs for a couple of days now, and while I've made some progress, I've hit a wall that is baffling me.
I've attached the output of `shorewall dump` from the two machines. Both are running CentOS 5, Shorewall 3.4.6 (I'm willing to upgrade, but I didn't think that the conf would be too different from 4.x, so I wanted to get the VPN up first), and both are using the 'Red Hat' way of configuring IPSEC (as you can see from the output of `shorewall dump`, the VPN does negotiate...), and it is a network-to-network tunnel.

On one host (calling it 'host1' in this email), whenever I try to ping the other network (the other is 192.168.42.0, and it doesn't matter what host I try to ping, or from what host), I get logs like the following:

    Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.47.1 DST=192.168.42.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=55376 SEQ=1

On the other host (calling it 'host2'), I get a completely different log:

    Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=69.30.99.148 DST=69.30.46.20 LEN=136 TOS=0x00 PREC=0x00 TTL=64 ID=25966 DF PROTO=ESP SPI=0xccd0a1c

Host1 is a Xen server, with the following network configuration:

    #Interface  Xen bridge  Role/routing/forwarding
    eth0        xenbr0      plain bridge, 69.30.46.0/24
    dummy0      xenbr1      NAT to eth0, 192.168.47.0/24
    dummy1      xenbr2      nothing, 10.42.47.0/24

Host2 is a firewall/router, with the following network configuration:

    #Interface  Role/routing/forwarding
    eth0        External interface, 69.30.99.0/24
    eth1        Routing to eth0, 69.30.88.112/28
    eth1:1      NAT to eth0, 192.168.42.0/24
    eth2        Spare/unused, 172.24.20.0/24

I thought that NAT wouldn't be involved with the VPN, but I could be wrong, as the tunnel isn't going through NAT but landing on the gateway machines. My goal is to be able to reach 192.168.42.0 from 192.168.47.0 and vice versa. All of the routing and NAT configurations have been working for months; I'm just now adding in the VPN.

Any help would be appreciated, please let me know if you need more information.

Thanks.

--Tim
Attachments: host1.bz2, host2.bz2 (application/bzip)
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
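As an added example (not part of Tim's post or of Shorewall itself), a small Python parser for the two Shorewall log lines quoted above. It splits the netfilter key=value fields so that the IP header ID and the ICMP echo ID stay separate, keeps bare flags such as DF apart, and makes the empty IN= (a locally generated packet) visible in a one-line summary:

```python
"""Parse Shorewall/netfilter log lines such as 'Shorewall:all2all:REJECT:IN= OUT=eth0 ...'."""
import re
from dataclasses import dataclass, field

# The two lines quoted in the post above (not constructed).
SAMPLE_LINES = [
    "Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=192.168.47.1 DST=192.168.42.1 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=55376 SEQ=1",
    "Shorewall:OUTPUT:REJECT:IN= OUT=eth0 SRC=69.30.99.148 DST=69.30.46.20 LEN=136 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=25966 DF PROTO=ESP SPI=0xccd0a1c",
]

PREFIX = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

@dataclass
class ShorewallEvent:
    chain: str                                 # Shorewall chain, e.g. all2all or OUTPUT
    action: str                                # disposition, e.g. REJECT
    ip: dict = field(default_factory=dict)     # IP-layer fields: IN, OUT, SRC, DST, ID, PROTO ...
    l4: dict = field(default_factory=dict)     # fields after PROTO=: TYPE/CODE/ID for ICMP, SPI for ESP
    flags: set = field(default_factory=set)    # bare tokens without '=', e.g. DF

def parse_line(line):
    m = PREFIX.match(line.strip())
    if not m:
        raise ValueError("not a Shorewall log line: %r" % line)
    ev = ShorewallEvent(m.group("chain"), m.group("action"))
    bucket = ev.ip
    for tok in m.group("rest").split():
        if "=" not in tok:
            ev.flags.add(tok)
            continue
        key, val = tok.split("=", 1)           # 'IN=' yields key 'IN' with an empty value
        bucket[key] = val
        if key == "PROTO":
            bucket = ev.l4                     # everything after PROTO= belongs to the transport layer

    return ev

def summarize(ev):
    """One-line summary; an empty IN= means the packet was generated by the logging host."""
    origin = "locally generated" if ev.ip.get("IN", "") == "" else "forwarded from " + ev.ip["IN"]
    proto = ev.ip.get("PROTO", "?")
    detail = ""
    if proto == "ICMP":
        detail = " type %s code %s" % (ev.l4.get("TYPE"), ev.l4.get("CODE"))
    elif proto == "ESP":
        detail = " SPI %s" % ev.l4.get("SPI")
    return "%s %s: %s %s%s %s -> %s out %s" % (ev.chain, ev.action, origin, proto, detail,
                                              ev.ip.get("SRC"), ev.ip.get("DST"), ev.ip.get("OUT"))

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(parse_line(line)))
```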