Hi everyone

SuSE Linux Enterprise Server SP3, completely patched, with kernel 2.6.16.60; OpenSwan 2.4.4 is on the firewall machine and terminates 12 IPSEC VPN tunnels, so the IPSEC gateway is on the firewall system. Shorewall is version 4.4.2.2.

On the other side is various equipment: Cisco, Lucent, Fortinet and Zyxel firewalls; with all of them I have IPSEC LAN-to-LAN routed (no NAT) tunnels (PSK).

From 1 Cisco and 2 Fortinet firewalls I noticed in the logs that Shorewall is blocking UDP port 500 packets from the WAN IPs of those routers to my firewall's WAN port, also UDP port 500. The log looks like this (actual IPs changed):

-(lan)-Shorewall-(INT zone, eth1)- 1.1.1.1 ..... 2.2.2.2 -(wan)-Fortigate-(lan)-

May 21 15:21:23 FW kernel: Shorewall:INT2fw:DROP:IN=eth1 OUT= MAC=XXX SRC=2.2.2.2 DST=1.1.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=54 ID=22964 PROTO=UDP SPT=500 DPT=500 LEN=76

Why is Shorewall blocking those packets? The IPSEC VPN is configured 100% according to the documentation at http://www.shorewall.net/IPSEC-2.6.html

The tunnels are configured as I described; shouldn't those ports always be open for my and the other routers' WAN IPs for UDP on port 500?

I can provide the config files (tunnels, zones, hosts) for Shorewall and OpenSwan (ipsec.conf/ipsec.secrets) if needed.

Thanks, regards
--

*Ivica Glavočić*

Laser Line d.o.o.
Tribje 17, 52470 Umag
tel.: +385 52 725 600
fax: +385 52 725 610
OIB: 26680017138
mail: [email protected]
mail: [email protected]
web: http://www.laserline.hr
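One way to triage Shorewall log lines like the one quoted above, as an added example that is not part of the original post or of Shorewall itself: parse the kernel-log format and flag DROP entries whose source is a known tunnel peer and whose traffic is IKE (UDP 500), NAT-T (UDP 4500), ESP or AH. The sample lines and the peer list are constructed for the example; in practice the peer addresses would come from the `right=` values in ipsec.conf.

```python
import re

# Constructed sample lines in the format quoted in the post (IPs changed); not real traffic.
SAMPLE_LOG = """\
May 21 15:21:23 FW kernel: Shorewall:INT2fw:DROP:IN=eth1 OUT= MAC=XXX SRC=2.2.2.2 DST=1.1.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=54 ID=22964 PROTO=UDP SPT=500 DPT=500 LEN=76
May 21 15:22:01 FW kernel: Shorewall:INT2fw:DROP:IN=eth1 OUT= MAC=XXX SRC=3.3.3.3 DST=1.1.1.1 LEN=96 TOS=0x00 PREC=0x00 TTL=54 ID=22965 PROTO=UDP SPT=4500 DPT=4500 LEN=76
May 21 15:22:09 FW kernel: Shorewall:INT2fw:DROP:IN=eth1 OUT= MAC=XXX SRC=9.9.9.9 DST=1.1.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Assumed remote gateway WAN addresses (hypothetical; would normally be read from ipsec.conf).
TUNNEL_PEERS = {"2.2.2.2", "3.3.3.3"}

# Shorewall logs as "Shorewall:<chain>:<disposition>:KEY=VALUE KEY=VALUE ..."
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[A-Z]+):(?P<kv>.*)$")


def parse_line(line):
    """Return the chain, disposition and KEY=VALUE fields of one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    # Flags without a value (e.g. SYN) are ignored; a repeated key (LEN) keeps the last value.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("kv")))
    fields["chain"] = m.group("chain")
    fields["disposition"] = m.group("disp")
    return fields


def classify(fields):
    """Label IPsec control/data traffic: IKE (udp/500), NAT-T (udp/4500), ESP (50), AH (51)."""
    proto, dpt = fields.get("PROTO", ""), fields.get("DPT", "")
    if proto == "UDP" and dpt == "500":
        return "IKE"
    if proto == "UDP" and dpt == "4500":
        return "NAT-T"
    if proto in ("ESP", "50"):
        return "ESP"
    if proto in ("AH", "51"):
        return "AH"
    return None


def dropped_ipsec_from_peers(log_text, peers):
    """Return (src, kind, chain) for DROP/REJECT entries of IPsec traffic from known peers."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or f["disposition"] not in ("DROP", "REJECT"):
            continue
        kind = classify(f)
        if kind and f.get("SRC") in peers:
            hits.append((f["SRC"], kind, f["chain"]))
    return hits


if __name__ == "__main__":
    for src, kind, chain in dropped_ipsec_from_peers(SAMPLE_LOG, TUNNEL_PEERS):
        print(f"{chain}: {kind} from tunnel peer {src} was dropped; check the tunnels file entry for it")
```

A hit for a peer in the rules above means the packet reached the chain named in the log without a matching accept, so the tunnels or zone entry for that peer is the first thing to compare against the logged interface and zone.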

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users