> From the messages you are seeing, it looks like you don't have ipsec*
> entries in /etc/shorewall/tunnels.
 
Hi Tom, Thanks for the reply. I have added the tunnels to now show:

#TYPE       ZONE           GATEWAY        GATEWAY ZONE
ipsec       net            0.0.0.0/0      vpn

Also by changing the zones file from:

fw      firewall
vpn     ipsec
l2tp    ipv4
ukvpn   ipv4
net     ipv4
loc     ipv4

To the following:

vpn     ipsec
l2tp    ipv4
ukvpn   ipv4
fw      firewall
net     ipv4
loc     ipv4
An internal machine can now connect OK and get assigned an IP address via L2TP;
this order does seem to affect things. So I know the VPN is working even with
the firewall rules enabled for internal clients, just not for external clients.
For external clients, I am still seeing similar bounce messages:

Jan 19 22:04:03 router kernel: [134798.340603] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=93.97.190.5 DST=2.49.2.193 LEN=412 TOS=0x00 PREC=0x00 TTL=120 ID=11474 PROTO=UDP SPT=500 DPT=500 LEN=392 MARK=0x100

As a hack, I then tried adding a policy:

l2tp    fw    ACCEPT

Although the REJECT messages were no longer shown in the log, the VPN still
timed out for the external users. So I then removed this line again. Now my
policy just shows:

fw              all             ACCEPT
loc             fw              ACCEPT
loc             net             ACCEPT
# policy for inbound L2TP zone
loc             l2tp            ACCEPT
l2tp            loc             ACCEPT
l2tp            net             ACCEPT
loc             vpn             ACCEPT
vpn             loc             ACCEPT
vpn             fw              ACCEPT
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info

Since I have made some changes I have re-dumped the status for this config.
Appreciate everyone is busy, so no mad rush on a reply; gave it another 2 hours
tonight, no dice. I must be doing something silly, just can't see it. Hopefully
a fresh mind tomorrow will help!

Regards,
Chris

Attachment: status.txt.gz
Description: GNU Zip compressed data
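The message above is the kind of Shorewall log line that has to be read correctly before a zone or tunnels problem can be diagnosed. The following parser is an added example, not code from the thread or from the Shorewall project. It assumes Shorewall's default log prefix, in which the chain name is `<source zone>2<destination zone>` and is followed by the action (as in `Shorewall:l2tp2fw:REJECT:`). Because a zone name can itself contain a `2` (`l2tp`), the chain is resolved against the known zone list rather than split on the first `2`. The first sample line is the one from the message; the second line is constructed (RFC 5737 address) to show a `net2all` drop with TCP flags. The `ike_esp_rejects` helper flags rejected or dropped IKE (UDP/500, UDP/4500) and ESP traffic, which is the traffic a tunnels entry is meant to open between two zones.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Zone names from the zones file quoted in the thread (fw is the firewall zone).
ZONES = ["fw", "vpn", "l2tp", "ukvpn", "net", "loc"]

# First line: the REJECT from the message. Second line: constructed sample.
SAMPLE_LOG = """\
Jan 19 22:04:03 router kernel: [134798.340603] Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=93.97.190.5 DST=2.49.2.193 LEN=412 TOS=0x00 PREC=0x00 TTL=120 ID=11474 PROTO=UDP SPT=500 DPT=500 LEN=392 MARK=0x100
Jan 19 22:04:09 router kernel: [134804.100000] Shorewall:net2all:DROP:IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=2.49.2.193 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Default Shorewall log prefix: "Shorewall:<chain>:<action>:" then netfilter fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<fields>.*)$")

IKE_PORTS = {500, 4500}


@dataclass
class ShorewallEvent:
    src_zone: str
    dst_zone: str
    action: str
    in_if: str
    out_if: str
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    flags: List[str] = field(default_factory=list)


def split_chain(chain: str, zones: List[str]):
    """Resolve '<src>2<dst>' against the known zones, longest name first, so
    that 'l2tp2fw' becomes ('l2tp', 'fw') and not ('l', 'tp2fw').
    'all' is the pseudo-zone used by policy chains such as net2all."""
    names = set(zones) | {"all"}
    for src in sorted(names, key=len, reverse=True):
        rest = chain[len(src) + 1:]
        if chain.startswith(src + "2") and rest in names:
            return src, rest
    raise ValueError(f"cannot resolve chain {chain!r} against zones {sorted(names)}")


def parse_line(line: str, zones: List[str]) -> Optional[ShorewallEvent]:
    """Parse one kernel log line; returns None for lines Shorewall did not emit."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src_zone, dst_zone = split_chain(m.group("chain"), zones)
    kv, flags = {}, []
    for tok in m.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length): keep both.
            if k in kv:
                k += "2"
            kv[k] = v
        else:
            flags.append(tok)  # bare tokens such as DF, SYN
    return ShorewallEvent(
        src_zone=src_zone, dst_zone=dst_zone, action=m.group("action"),
        in_if=kv.get("IN", ""), out_if=kv.get("OUT", ""),
        src=kv.get("SRC", ""), dst=kv.get("DST", ""), proto=kv.get("PROTO", ""),
        sport=int(kv["SPT"]) if "SPT" in kv else None,
        dport=int(kv["DPT"]) if "DPT" in kv else None,
        flags=flags,
    )


def parse_log(text: str, zones: List[str]) -> List[ShorewallEvent]:
    return [e for e in (parse_line(l, zones) for l in text.splitlines()) if e]


def ike_esp_rejects(events: List[ShorewallEvent]) -> List[ShorewallEvent]:
    """Rejected/dropped IPsec traffic: IKE on UDP/500 or NAT-T UDP/4500, or ESP
    itself (netfilter logs it as PROTO=ESP; some builds print the number 50)."""
    out = []
    for e in events:
        if e.action not in ("REJECT", "DROP"):
            continue
        is_ike = e.proto == "UDP" and e.dport in IKE_PORTS
        is_esp = e.proto in ("ESP", "50")
        if is_ike or is_esp:
            out.append(e)
    return out


def zone_pair_summary(events: List[ShorewallEvent]) -> Counter:
    """Count events per (src_zone, dst_zone, action) to spot a noisy zone pair."""
    return Counter((e.src_zone, e.dst_zone, e.action) for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG, ZONES)
    for (s, d, a), n in zone_pair_summary(evs).items():
        print(f"{s:>6} -> {d:<6} {a:<7} {n}")
    for e in ike_esp_rejects(evs):
        print(f"IPsec traffic {e.action} in {e.src_zone}2{e.dst_zone}: "
              f"{e.src} -> {e.dst} {e.proto}/{e.dport} on {e.in_if}")
```

Run against a real `/var/log/kern.log` by reading the file into `parse_log` with the zone names from `/etc/shorewall/zones`; a non-empty `ike_esp_rejects` result for the zone pair that should carry the tunnel is the first thing to check against the tunnels file.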

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
