On Fri, Oct 15, 2010 at 06:59:45PM -0700, Tom Eastep wrote:
> On 10/15/10 4:35 PM, Jörg Kurlbaum wrote:
> Since you have a test configuration, please show us the configuration
> that works and the one that doesn't (config files and 'shorewall dump').
Here are the dumps and the diff from the two configs.
The test tunnel is "fw-test" from the shorewall box (82.198.203.20) to the
test box (10.31.1.1); the subnet behind the test box is 192.168.145.1/32.
This is the diff from the two configs. The origin (a) is the version with
bad performance and (b) performs very well on the test connection.
The complete configuration is attached, as well as the shorewall dump output
from both configurations.
diff --git a/ipsec.conf b/ipsec.conf
index 7be7575..7e89344 100644
--- a/ipsec.conf
+++ b/ipsec.conf
@@ -28,7 +28,7 @@ conn fw-test
left=10.31.1.1
leftsubnet=192.168.145.1/32
right=82.198.203.20
- rightsubnet=192.168.82.8/32
+ rightsubnet=10.66.1.0/24
auto=add
conn neuland-merlin
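Review bot: the change to rightsubnet=10.66.1.0/24 only works if the peer at 10.31.1.1 carries the matching selector on its side; the old value 192.168.82.8/32 and the new /24 do not overlap, so a peer still configured for the single NAT address would fail Phase 2 selector negotiation for this conn. Please state in the commit or a comment next to `rightsubnet=10.66.1.0/24` that the remote config was updated in step, and note that the tunnel now carries the real 10.66.1.x source addresses to 192.168.145.1 instead of the single masqueraded one, so any filtering at the test box that keyed on 192.168.82.8 has to be revisited.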
diff --git a/shorewall/masq b/shorewall/masq
index 2ad9582..84608c5 100644
--- a/shorewall/masq
+++ b/shorewall/masq
@@ -7,7 +7,7 @@ eth0:$IPSEC_MASQ_DEST vpn0 $IPSEC_MASQ_SRC_IP
- - -
## alles andere auf eine IP maskieren (manche Server authentifizieren anhand
dieser IP, muss also .20 sein)
-eth0 10.66.1.0/24 82.198.203.20
+eth0:!192.168.145.1/32 10.66.1.0/24 82.198.203.20
eth0 192.168.111.0/24 82.198.203.24
eth0 192.168.0.0/24 82.198.203.20
# SNAT fuer DMZ?
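Review bot: the comment above the changed line still says everything must leave as .20 ("muss also .20 sein"), but `eth0:!192.168.145.1/32 10.66.1.0/24 82.198.203.20` now deliberately lets traffic from 10.66.1.0/24 to the test box leave un-NATed; update that comment so the exception is documented where the rule lives. Also note that the exclusion is only attached to the 10.66.1.0/24 entry, while `eth0 192.168.111.0/24 82.198.203.24` and `eth0 192.168.0.0/24 82.198.203.20` are untouched, so hosts in those subnets are still SNATed toward 192.168.145.1 and will not match the new rightsubnet; that is consistent with the ipsec.conf change as long as only 10.66.1.0/24 is meant to use the tunnel, which is worth saying explicitly.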
diff --git a/shorewall/params b/shorewall/params
index 97637b6..5288ee2 100644
--- a/shorewall/params
+++ b/shorewall/params
@@ -1,3 +1,3 @@
IPSEC_GATEWAYS=213.178.160.60,195.50.185.4,80.85.192.44,10.31.1.1
-IPSEC_MASQ_DEST=10.107.10.0/24,212.9.181.0/24,213.178.160.128/26,10.108.104.0/23,80.85.195.32/27,10.79.24.0/23,80.85.196.128/26,10.108.100.0/24,172.27.32.0/24,80.85.198.0/24,10.111.128.0/17,80.85.199.0/27,10.108.124.0/25,192.168.145.1/32
+IPSEC_MASQ_DEST=10.107.10.0/24,212.9.181.0/24,213.178.160.128/26,10.108.104.0/23,80.85.195.32/27,10.79.24.0/23,80.85.196.128/26,10.108.100.0/24,172.27.32.0/24,80.85.198.0/24,10.111.128.0/17,80.85.199.0/27,10.108.124.0/25
IPSEC_MASQ_SRC_IP=192.168.82.8
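Review bot: dropping 192.168.145.1/32 from IPSEC_MASQ_DEST is the third part of one logical change (the rightsubnet in ipsec.conf, the masq exclusion, and this list all have to agree), but nothing in the file records that dependency; a short comment above `IPSEC_MASQ_DEST=` saying which destinations are reached through the vpn0 SNAT to $IPSEC_MASQ_SRC_IP and why the test subnet was taken out would stop the next edit from re-adding it. The single very long line also hides what changed in a diff; listing one prefix per line (or grouping them by gateway) would make future reviews of this list far easier.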
I hope this makes things clearer.
The corresponding outputs from "shorewall dump" are available here:
http://static.neuland-bfi.de/shorewall_dump_bad.bz2
http://static.neuland-bfi.de/shorewall_dump_good.bz2
http://static.neuland-bfi.de/shorewall_conf_bad.tar.bz2
Greetings,
Jörg
P.S.: replying late because the first mail got stuck in moderation.