On 22/10/15 12:57, Tom Eastep wrote:
> On 10/20/2015 3:53 PM, Tom Robinson wrote:
>> shorewall-4.6.13-0base
>> openswan-2.6.32-9.el5
>> CentOS release 5.11
>> xl2tpd-1.2.8-1
>>
>> Hi,
>>
>> I'm migrating a working VPN+L2TP from an ADSL (7Mb/700Kb) link on one host to a Symmetric link (9.5Mb/9.5Mb) on another host. The old, working link is configured under shorewall-4.5.0.3-1.el5 and used DNAT to transmit L2TP port packets to the internal interface:
>>
>> rules:
>> DNAT roadw $FW:192.168.0.13 udp 1701 1701
>>
>> This has been working for some years now and I'm not sure any more why I configured it that way.
>>
>> Anyway I've started afresh on the new setup following the http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP article but I can't establish a link through L2TP. The VPN comes up OK but the L2TP packets are being rejected:
>>
>> Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>> Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>> Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>> Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>
> Check Shorewall FAQ 17 -- Rejections in the INPUT chain mean that eth1:165.228.94.4 is not in any defined zone.
Hi Tom,

Thanks for that. I've looked at FAQ 17, which makes sense, but I'm still confused.

The VPN I'm configuring is for Road Warriors and as such I won't know the SRC address whence they are connecting. The 165.228.94.4 address is the SRC of the Road Warrior connection (Windows VPN Client end). The DST of 115.70.189.243 is the entry point to the office network (our external interface's IP address on the Shorewall configuration).

I can't feasibly know all Road Warrior external addresses and list them. What am I missing here?

Kind regards,

Tom
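The kernel log lines quoted above are the one piece of hard evidence in this thread, and reading them by hand gets tedious once there are more than a handful. What follows is an added example written for this page, not code from the thread or from the Shorewall project: it parses Shorewall's default `Shorewall:<chain>:<disposition>:` log prefix together with netfilter's KEY=VALUE fields, splits the MAC field into destination MAC, source MAC and EtherType, keeps both LEN values (IP total length and UDP length), collapses repeated records into per-flow counts, and attaches the FAQ 17 reading of an INPUT-chain rejection that Tom Eastep gives above. The sample log text is the four records from the message re-joined onto one line each; all function and variable names are my own.

```python
import re
from collections import Counter

# Constructed sample input: the four rejected L2TP packets quoted in the thread,
# each syslog record re-joined onto one line (the mail client had wrapped them).
SAMPLE_LOG = """\
Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
"""

# Shorewall's default log prefix is "Shorewall:<chain>:<disposition>:"; the rest
# of the record is netfilter's space-separated KEY=VALUE list.
PREFIX_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")

# Meaning of the built-in netfilter chains (plain iptables facts).
CHAIN_MEANING = {
    "INPUT": "addressed to the firewall itself",
    "FORWARD": "being routed through the firewall",
    "OUTPUT": "generated by the firewall itself",
}


def split_mac(mac):
    """MAC= holds dst MAC (6 octets), src MAC (6 octets) and EtherType (2 octets)."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": "0x" + "".join(octets[12:14]),
    }


def parse_line(line):
    """Return a dict of the record's fields, or None if it is not a Shorewall log line."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if not sep:          # bare flags such as DF or SYN carry no value
            continue
        # LEN appears twice: IP total length first, then the L4 (here UDP) length.
        # A repeated key gets a numeric suffix so neither value is lost.
        base, n = key, 2
        while key in rec:
            key = f"{base}_{n}"
            n += 1
        rec[key] = value
    if "MAC" in rec:
        mac = split_mac(rec["MAC"])
        if mac:
            rec.update(mac)
    return rec


def summarize(log_text):
    """Count records by (chain, disposition, in-interface, src, dst, proto, dport)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["chain"], rec["disposition"], rec.get("IN", ""),
               rec.get("SRC", "?"), rec.get("DST", "?"),
               rec.get("PROTO", "?"), rec.get("DPT", "-"))
        counts[key] += 1
    return counts


def triage(log_text):
    """One human-readable line per flow, most frequent first, with the chain's meaning."""
    lines = []
    for (chain, disp, iface, src, dst, proto, dport), n in summarize(log_text).most_common():
        meaning = CHAIN_MEANING.get(chain, "Shorewall-generated chain (rules/policy)")
        hint = ""
        if chain == "INPUT":
            # The point made in the thread (Shorewall FAQ 17): an INPUT-chain
            # rejection means the arriving interface/source is in no defined zone.
            hint = f"; check that {iface}:{src} is in a defined zone (FAQ 17)"
        lines.append(f"{n:4d}x {chain}:{disp} {proto} {src} -> {dst}:{dport} "
                     f"via {iface or '-'}: {meaning}{hint}")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

To run it over a live log, pass the file contents to `triage()` instead of `SAMPLE_LOG`. On the quoted sample it collapses the four records into a single flow line (4x INPUT:REJECT UDP 165.228.94.4 -> 115.70.189.243:1701 via eth1) and points at the zone assignment of eth1:165.228.94.4, which is exactly where FAQ 17 says to look.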
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
