I double checked it, should be OK. Nevertheless, here are all relevant Shorewall config files with changed IPs:
My system: WAN interface eth1, zone INT, IP 1.1.1.1, tunnel in its own zone VPNit
Remote system: Fortigate WAN IP 2.2.2.2, LAN 10.0.0.0/16

/etc/shorewall/zones
INT   ipv4
VPNit ipv4

/etc/shorewall/interfaces
INT eth1

/etc/shorewall/policy
LAN VPNit ACCEPT info

/etc/shorewall/tunnels
ipsec INT 1.1.1.1

/etc/shorewall/hosts
VPNit eth1:10.0.0.0/16,2.2.2.2 ipsec

Tunnel is up and running, all looks OK until packets arrive on the firewall with source 2.2.2.2:500 destination 1.1.1.1:500; they are dropped (that is the question: why?) and after some time (2-3 hours) the remote router detects a dead tunnel and communication through it stops. On my side the tunnel looks perfectly OK. ipsec.conf and ipsec.secrets are OK from the start; the tunnel is up and running until the firewall starts blocking it.

Thanks, regards
Ivica Glavocic

On 24.5.2010 15:26, Tom Eastep wrote:
> Ivica Glavocic wrote:
>
>> Thank you for the reply, I know about the Problem Reporting Guidelines, but
>> since this is a border firewall in a production environment, I would avoid if
>> possible using real IP addresses and rules; that's why a shorewall dump is
>> risky for me in terms of security and the reason why I changed those values
>> in the initial mail.
>>
>> Is there any other method to send you the information you need but with fake
>> IPs, just to demonstrate what the problem is?
>>
> No. But it sounds like you have a missing or incorrect entry in
> /etc/shorewall/tunnels.
>
> -Tom
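Tom's reply points at /etc/shorewall/tunnels. In that file the columns are TYPE, ZONE, GATEWAY and (optionally) GATEWAY ZONE, and GATEWAY is the address of the remote tunnel endpoint: an ipsec entry opens UDP/500 plus ESP and AH between the firewall and that address, and ipsecnat also opens UDP/4500. The entry quoted above, `ipsec INT 1.1.1.1`, names the firewall's own WAN address there, so IKE packets from 2.2.2.2 never match it. The script below is an added example, not part of the thread or of Shorewall itself: it parses a tunnels file under the simplified model just described (only the ipsec and ipsecnat types, interfaces and other rule details ignored) and reports whether a given inbound packet would be admitted, plus a lint that flags a GATEWAY equal to one of the firewall's own addresses. The two tunnels texts are constructed from the post; the assumptions are the simplified rule model and the function names.

```python
"""Check a Shorewall /etc/shorewall/tunnels entry against an observed inbound
packet (added example; models the ipsec/ipsecnat tunnel types only).

Assumed model: an 'ipsec' entry accepts UDP/500, ESP (proto 50) and AH
(proto 51) from GATEWAY in ZONE; 'ipsecnat' additionally accepts UDP/4500.
Interface matching, GATEWAY ZONE and other options are ignored.
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the post: the entry as quoted, and one with the remote
# Fortigate's WAN address in the GATEWAY column.
POSTED_TUNNELS = "ipsec INT 1.1.1.1\n"
CORRECTED_TUNNELS = "ipsec INT 2.2.2.2\n"
FIREWALL_ADDRESSES = ["1.1.1.1"]  # the firewall's own WAN address from the post


@dataclass(frozen=True)
class TunnelEntry:
    ttype: str                      # 'ipsec', 'ipsecnat', ... (option suffix stripped)
    zone: str                       # zone the remote gateway lives in
    gateway: ipaddress.IPv4Network  # remote gateway address or network


def parse_tunnels(text):
    """Parse TYPE ZONE GATEWAY [GATEWAY_ZONE] lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed tunnels line: {raw!r}")
        ttype = fields[0].split(":", 1)[0].lower()  # e.g. 'ipsec:noah' -> 'ipsec'
        gateway = ipaddress.ip_network(fields[2], strict=False)  # host -> /32
        entries.append(TunnelEntry(ttype, fields[1], gateway))
    return entries


def _admitted(ttype):
    """(protocol, dport) pairs the modelled tunnel type accepts from GATEWAY."""
    if ttype == "ipsec":
        return {("udp", 500), ("esp", None), ("ah", None)}
    if ttype == "ipsecnat":
        return {("udp", 500), ("udp", 4500), ("esp", None), ("ah", None)}
    return set()


def admits(entries, src_zone, src_ip, proto, dport=None):
    """Return the first entry admitting an inbound packet from src_ip in
    src_zone to the firewall, or None if no entry matches."""
    src = ipaddress.ip_address(src_ip)
    for entry in entries:
        if entry.zone != src_zone or src not in entry.gateway:
            continue
        if (proto, dport) in _admitted(entry.ttype):
            return entry
    return None


def lint(entries, local_addresses):
    """Flag host entries whose GATEWAY is one of the firewall's own
    addresses: such an entry cannot match the remote peer's packets."""
    local = {ipaddress.ip_address(a) for a in local_addresses}
    return [e for e in entries
            if e.gateway.prefixlen == 32 and e.gateway.network_address in local]


def diagnose(tunnels_text, src_zone, src_ip, proto, dport=None):
    """Summarise whether the dropped packet from the post would be admitted."""
    entries = parse_tunnels(tunnels_text)
    return {
        "admitted": admits(entries, src_zone, src_ip, proto, dport) is not None,
        "self_gateway_entries": len(lint(entries, FIREWALL_ADDRESSES)),
    }


if __name__ == "__main__":
    for label, text in (("posted", POSTED_TUNNELS), ("corrected", CORRECTED_TUNNELS)):
        print(label, diagnose(text, "INT", "2.2.2.2", "udp", 500))
```

Run against the posted entry the IKE packet from 2.2.2.2:500 is reported as not admitted and the entry is flagged by the lint; with 2.2.2.2 in the GATEWAY column the same packet, and ESP from the same peer, are admitted. Whether the real firewall's drop comes from this or from something else can only be confirmed from the actual logged rule, which is what the requested shorewall dump would show.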
