On Wed, 2010-07-14 at 18:31 -0400, Tom Eastep wrote:
> It doesn't match the conntrack entry. The conntrack entry expects responses
> to be addressed to 199.10.8.5 but the response is coming back to
> 129.150.48.250.

Dmnnit. That was a cut'n'pasto-to-protect-the-innocento. Now that the cat's out of the bag, the two tcpdump entries and the conntrack entry are:

18:07:41.518736 IP 192.168.122.32.3646 > 10.1.2.3.21: Flags [S], seq 13170946, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
18:07:54.419302 IP 10.1.2.3.21 > 129.150.48.250.3646: Flags [S.], seq 2706895564, ack 13170947, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 2], length 0

ipv4 2 tcp 6 38 SYN_RECV src=192.168.122.32 dst=10.1.2.3 sport=3646 dport=21 packets=1 bytes=64 src=10.1.2.3 dst=129.150.48.250 sport=21 dport=3646 packets=6 bytes=312 mark=0 secmark=0 use=2

> What does your /etc/shorewall/masq entry look like?

#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK
eth0 192.168.122.0/24 129.150.48.250

And the ADDRESS is because while eth0 is 10.75.22.151, eth0:1 is 129.150.48.250 and is the/my endpoint address of the tunnel. Default routing is done with a:

default via 10.75.22.151 dev eth0 src 129.150.48.250

and of course there are ipsec policies that match 129.150.48.250.

Cheers,
b.
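As an added example (not from the thread or from Shorewall), the check Tom describes, done mechanically: parse the reply tuple out of the conntrack entry and the SYN-ACK out of the tcpdump output, and confirm the packet on the wire is the one conntrack is waiting for. The sample lines are the ones posted above; the second, mismatched SYN-ACK addressed to the eth0 primary address is constructed to show the failing case.

```python
import re

# Sample input taken from the thread above.
CONNTRACK_LINE = ("ipv4 2 tcp 6 38 SYN_RECV src=192.168.122.32 dst=10.1.2.3 sport=3646 dport=21 "
                  "packets=1 bytes=64 src=10.1.2.3 dst=129.150.48.250 sport=21 dport=3646 "
                  "packets=6 bytes=312 mark=0 secmark=0 use=2")
TCPDUMP_REPLY = ("18:07:54.419302 IP 10.1.2.3.21 > 129.150.48.250.3646: Flags [S.], "
                 "seq 2706895564, ack 13170947, win 5840, options [mss 1460], length 0")
# Constructed: a SYN-ACK that came back to the eth0 primary address instead of the
# SNAT address, i.e. a reply that does NOT match the conntrack reply tuple.
BAD_REPLY = ("18:07:54.419302 IP 10.1.2.3.21 > 10.75.22.151.3646: Flags [S.], "
             "seq 2706895564, ack 13170947, win 5840, options [mss 1460], length 0")

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
PKT_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def parse_conntrack(line):
    """Return (original, reply) tuples of the form (src, dst, sport, dport).

    /proc/net/ip_conntrack prints the original direction first and then the
    reply direction, which already reflects any SNAT/DNAT that was applied.
    """
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected one original and one reply tuple")
    orig, reply = ((s, d, int(sp), int(dp)) for s, d, sp, dp in tuples)
    return orig, reply


def parse_tcpdump(line):
    """Return (src, dst, sport, dport) from one 'tcpdump -n' IP line."""
    m = PKT_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump IP line")
    return m.group(1), m.group(3), int(m.group(2)), int(m.group(4))


def reply_matches(conntrack_line, tcpdump_line):
    """True if the packet seen on the wire is exactly the reply conntrack expects."""
    _, reply = parse_conntrack(conntrack_line)
    return parse_tcpdump(tcpdump_line) == reply


if __name__ == "__main__":
    print("posted SYN-ACK matches:", reply_matches(CONNTRACK_LINE, TCPDUMP_REPLY))
    print("mis-addressed SYN-ACK matches:", reply_matches(CONNTRACK_LINE, BAD_REPLY))
```

With the real (un-obfuscated) lines the reply does match, so the dropped SYN-ACK has to be explained by something other than the NAT mapping, such as the IPsec policy lookup.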
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
