Shorewall Guy,
Although my /etc/shorewall/zones configuration was as follows:
###############################################################################
#ZONE   TYPE      OPTIONS   IN        OUT
#                           OPTIONS   OPTIONS
fw      firewall
vpn     ipv4
loc     ipv4
net     ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
I remembered that the ipsec option can also be specified in
/etc/shorewall/hosts for the same effect.
###############################################################################
#ZONE HOST(S) OPTIONS
vpn ipsec0:192.168.5.0/24 ipsec
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
I overlooked removing it when I reconfigured everything. I have
removed the ipsec option, and I no longer get the REJECT message.
Thank you for your assistance. Keep up the good work!
<ps - still can't get traffic to pass through vpn, but I don't believe
this is an issue with shorewall anymore, as I'm getting no DROP/REJECT
messages in logs anymore, and packet counters show:
Chain loc2vpn (1 references)
 pkts bytes target  prot opt in  out  source      destination
    0     0 ACCEPT  0    --  *   *    0.0.0.0/0   0.0.0.0/0    state RELATED,ESTABLISHED
    8   480 ACCEPT  0    --  *   *    0.0.0.0/0   0.0.0.0/0
>
On Tue, Jan 13, 2009 at 1:59 PM, Shorewall Guy
<[email protected]> wrote:
> John Smith wrote:
>> I have read every single piece of shorewall documentation pertaining
>> to this subject. I believe I have a firm grasp on how to configure
>> Shorewall, and have obviously followed the directions given in the
>> documentation for this particular setup.
>
> No you have not. In the article that I pointed you to, there is NO
> MENTION AT ALL of specifying a zone type of 'ipsec' in
> /etc/shorewall/zones yet you appear to have done exactly that on your
> 'vpn' zone. I suspect that if you change the type to 'ipv4', then the
> packets will be forwarded as you want.
>
> Disclaimer -- I've never heard of anyone configuring a kernel 2.6 system
> the way that you have configured yours. All of our IPSEC testing here
> at shorewall.net with kernel 2.6 has been with the "new" configuration
> method without an ipsecN interface.
>
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by:
> SourcForge Community
> SourceForge wants to tell your story.
> http://p.sf.net/sfu/sf-spreadtheword
> _______________________________________________
> Shorewall-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
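An added example, not part of the original messages: a shell check that lists every place a zone is marked as IPsec, either by TYPE in /etc/shorewall/zones or by the ipsec option in /etc/shorewall/hosts, which is the leftover entry the first message describes. The function name ipsec_zones and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report each zone that Shorewall will treat as IPsec.
# Usage: ipsec_zones ZONES_FILE HOSTS_FILE
# Output: one line per finding, "<zone> zones type=<type>" or
#         "<zone> hosts <host spec>".
ipsec_zones() {
    awk '
        # Skip comment lines and blank lines in both files.
        /^[ \t]*(#|$)/ { next }
        # zones file: column 2 is the zone TYPE (ipv4, ipsec, firewall, ...).
        FILENAME == ARGV[1] {
            zone = $1
            sub(/:.*/, "", zone)          # drop any ":parent" suffix
            if ($2 ~ /^ipsec/) print zone, "zones", "type=" $2
            next
        }
        # hosts file: column 3 is a comma-separated OPTIONS list.
        {
            n = split($3, opt, ",")
            for (i = 1; i <= n; i++)
                if (opt[i] == "ipsec") print $1, "hosts", $2
        }
    ' "$1" "$2"
}

# Constructed sample files mirroring the configuration quoted in the message.
demo_dir=$(mktemp -d)
cat > "$demo_dir/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
vpn     ipv4
loc     ipv4
net     ipv4
EOF
cat > "$demo_dir/hosts" <<'EOF'
#ZONE   HOST(S)                  OPTIONS
vpn     ipsec0:192.168.5.0/24    ipsec
EOF

# The zones file looks clean, but the hosts entry still marks vpn as IPsec.
ipsec_zones "$demo_dir/zones" "$demo_dir/hosts"
```

On a live system, pass /etc/shorewall/zones and /etc/shorewall/hosts; an empty result means neither file marks a zone as IPsec.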