On 10/20/2015 3:53 PM, Tom Robinson wrote:
> shorewall-4.6.13-0base
> openswan-2.6.32-9.el5
> CentOS release 5.11
> xl2tpd-1.2.8-1
>
> Hi,
>
> I'm migrating a working VPN+L2TP from an ADSL (7Mb/700Kb) link on one host to
> a symmetric link (9.5Mb/9.5Mb) on another host. The old, working link is
> configured under shorewall-4.5.0.3-1.el5 and used DNAT to transmit L2TP port
> packets to the internal interface:
>
> rules:
> DNAT            roadw           $FW:192.168.0.13 udp    1701    1701
>
> This has been working for some years now and I'm not sure any more why I 
> configured it that way.
>
> Anyway I've started afresh on the new setup following the
> http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP article but I can't establish 
> a link through L2TP.
> The VPN comes up OK but the L2TP packets are being rejected:
>
> Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
> Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
> Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
> Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>

Check Shorewall FAQ 17 -- Rejections in the INPUT chain mean that
eth1:165.228.94.4 is not in any defined zone.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
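
The diagnostic rule from the reply applied to log lines, as an added example that is not part of the original e-mail: it parses Shorewall kernel log entries and counts the interface:address sources logged from the built-in INPUT chain, which per the reply are not in any defined zone. The sample lines, their addresses and the `net2fw` chain name are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the excerpt above (documentation
# addresses; "net2fw" is an assumed name for a zone-pair chain).
SAMPLE_LOG = """\
Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.4 DST=192.0.2.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.4 DST=192.0.2.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:55 fw2 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=192.0.2.243 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4411 PROTO=TCP SPT=40112 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 21 08:59:56 fw2 sshd[2211]: Accepted publickey for admin from 192.0.2.10 port 50022 ssh2
Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.4 DST=192.0.2.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
"""

# Log prefix is Shorewall:<chain>:<disposition>: followed by KEY=value fields.
PREFIX = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)"
)
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return chain, disposition and packet fields of a Shorewall log line, or None."""
    m = PREFIX.search(line)
    if m is None:
        return None
    entry = {"chain": m["chain"], "disposition": m["disposition"]}
    for key, value in FIELD.findall(m["fields"]):
        # LEN= appears twice (IP length, then UDP length); keep the first.
        entry.setdefault(key, value)
    return entry


def unzoned_sources(log_text):
    """Count packets logged from the built-in INPUT chain per source host."""
    hits = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and entry["chain"] == "INPUT":
            host = f'{entry["IN"]}:{entry["SRC"]}'  # same interface:address form as the reply
            hits[(host, entry["PROTO"], entry.get("DPT"))] += 1
    return hits


if __name__ == "__main__":
    for (host, proto, dport), n in unzoned_sources(SAMPLE_LOG).items():
        print(f"{n} packets from {host} ({proto} dport {dport}) logged in INPUT: not in any zone")
```
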
