Michael Weickel - iQom Business Services GmbH wrote:
> Yes, you are right with this. Thanks for the answer.
>
> I have another question about your http://www.shorewall.net/VPNBasics.html
>
> There you wrote that - at some point - you want to get rid of the tunnels
> file since rules can cover all of our needs.
>
> I tried it and figured out that I was not able to manage it.
>
> As I understood it, the following row in the tunnels file
>
> ipsec net 10.20.30.40
>
> means that remote host 10.20.30.40 is allowed to access fw by udp 500 as
> well as esp 50 and ah 51 without specifying any additional rule.
>
> I tried it as follows in the tunnels file:
>
> ipsec v3005 0.0.0.0/0
>
> and in hosts:
>
> v3005 vlan3005:0.0.0.0/0 ipsec
>
> but this message appears in the log:
>
> Nov 29 03:05:25 ffmfw01 kernel: [ 3449.115968] Shorewall:INPUT:DROP:IN=vlan3005 OUT= MAC=00:1c:f0:f9:8b:31:00:12:01:c5:14:1a:08:00 SRC=80.186.95.14 DST=217.112.144.33 LEN=372 TOS=0x00 PREC=0x00 TTL=114 ID=107 PROTO=UDP SPT=4076 DPT=500 LEN=352
>
> My interface:
>
> - vlan3005 217.112.144.39 $WAN_OPTS
>
> And my params:
>
> WAN_OPTS=tcpflags,norfc1918,routefilter,nosmurfs,logmartians
>
> If I additionally specify in rules
>
> ACCEPT lv3005 fw udp 500 - 217.112.144.33
>
> everything is fine.
The zone mentioned in the tunnels file ZONE column *should not be the IPSEC zone*. It should rather be the unencrypted zone where the remote gateway resides. The IPSEC zone(s) should be listed in the GATEWAY ZONES column.

-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
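The posted entry next to the corrected one that follows Tom's advice, as an added illustration that is not part of either message. It assumes the plain-text zone on vlan3005 is named lv3005 (the name used in the poster's own ACCEPT rule) and that lv3005 is declared in /etc/shorewall/zones and /etc/shorewall/hosts like any other zone.

```text
# /etc/shorewall/tunnels -- as posted (the IPSEC zone is wrongly placed in the ZONE column,
# so the IKE packet from 80.186.95.14 is matched against zone v3005, which only covers
# traffic that actually arrived through an SA, and the packet is dropped in INPUT)
#TYPE   ZONE    GATEWAY     GATEWAY ZONE(S)
ipsec   v3005   0.0.0.0/0

# /etc/shorewall/tunnels -- corrected: ZONE is the unencrypted zone the remote gateways
# live in, the IPSEC zone goes into GATEWAY ZONE(S)
#TYPE   ZONE    GATEWAY     GATEWAY ZONE(S)
ipsec   lv3005  0.0.0.0/0   v3005

# /etc/shorewall/hosts -- unchanged; v3005 is the zone for traffic that arrived encrypted
#ZONE   HOST(S)             OPTIONS
v3005   vlan3005:0.0.0.0/0  ipsec
```

With the corrected entry the tunnels file itself opens udp 500, ESP (50) and AH (51) from lv3005 to the firewall, so the extra ACCEPT rule is no longer needed. Because GATEWAY is 0.0.0.0/0, any host on that interface may start IKE with the firewall; if the set of remote gateways is known, listing their addresses (one line per gateway) in the GATEWAY column keeps that exposure to the peers that actually need it.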
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
