On 10/21/2015 10:07 PM, Tom Robinson wrote:
> On 22/10/15 12:57, Tom Eastep wrote:
>> On 10/20/2015 3:53 PM, Tom Robinson wrote:
>>> shorewall-4.6.13-0base
>>> openswan-2.6.32-9.el5
>>> CentOS release 5.11
>>> xl2tpd-1.2.8-1
>>>
>>> Hi,
>>>
>>> I'm migrating a working VPN+L2TP from an ADSL (7Mb/700Kb) link on one host
>>> to a symmetric link (9.5Mb/9.5Mb) on another host. The old, working link is
>>> configured under shorewall-4.5.0.3-1.el5 and used DNAT to transmit L2TP port
>>> packets to the internal interface:
>>>
>>> rules:
>>> DNAT roadw $FW:192.168.0.13 udp 1701 1701
>>>
>>> This has been working for some years now and I'm not sure any more why I
>>> configured it that way.
>>>
>>> Anyway I've started afresh on the new setup following the
>>> http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP article but I can't
>>> establish a link through L2TP. The VPN comes up OK but the L2TP packets
>>> are being rejected:
>>>
>>> Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>> Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>> Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>> Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>
>> Check Shorewall FAQ 17 -- Rejections in the INPUT chain means that the
>> eth1:165.228.94.4 is not in any defined zone.
>
> Hi Tom,
>
> Thanks for that. I've looked at FAQ 17 which makes sense but I'm still
> confused. The VPN I'm configuring is for Road Warriors and as such I won't
> know the SRC address whence they are connecting.
>
> The 165.228.94.4 address is the SRC of the Road Warrior connection (Windows
> VPN Client end). The DST of 115.70.189.243 is the entry point to the office
> network (our external interface's IP address on the Shorewall configuration).
> I can't feasibly know all Road Warrior external addresses and list them.
>
> What am I missing here?
Please forward the output of 'shorewall dump' collected as described at
http://www.shorewall.org/support.htm#Guidelines.

Thanks,
-Tom
--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
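The thread turns on reading the `Shorewall:INPUT:REJECT:` log prefix correctly: the chain name tells you where the packet died, and per FAQ 17 an INPUT-chain reject means the input interface and source address were not in any defined zone. The following is an added triage script, not code from the thread or from the Shorewall project. It parses Shorewall's default `Shorewall:<chain>:<disposition>:` log prefix followed by the kernel's netfilter `key=value` fields, counts rejects per chain/interface/port, and lists the `interface:source` pairs behind INPUT rejects as candidates for a zone review. The sample input is the four log lines quoted above, re-joined onto single lines; the regex on the syslog timestamp and host is an assumption about the logging format, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample input: the four rejected L2TP packets quoted in the thread,
# joined back onto one line each (the mail archive had wrapped them).
SAMPLE_LOG = """\
Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
"""

# Shorewall's default LOGFORMAT is "Shorewall:%s:%s:" (chain, disposition),
# followed by the kernel's netfilter key=value fields. The syslog timestamp
# and host layout in front of it is assumed here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s[\d:]{8})\s(?P<host>\S+)\skernel:\s"
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "host", "chain", "action")}
    for token in m.group("fields").split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)   # "OUT=" yields an empty string
        # netfilter prints LEN twice (IP total length, then L4 length);
        # keep the first under its own name and store the repeat as LEN_2.
        while key in rec:
            key += "_2"
        rec[key] = value
    return rec


def triage(log_text):
    """Summarise rejects by chain/interface/proto/port and flag INPUT rejects.

    Per Shorewall FAQ 17 (as cited in the thread), a REJECT in the INPUT chain
    means the packet's input interface:source address is not in any defined
    zone, so those pairs are returned as candidates for a zone/interface review.
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_flow = Counter(
        (r["chain"], r["action"], r.get("IN", ""), r.get("PROTO", ""), r.get("DPT", ""))
        for r in records
    )
    unzoned = sorted({
        f"{r['IN']}:{r['SRC']}"
        for r in records
        if r["chain"] == "INPUT" and r["action"] == "REJECT"
        and "IN" in r and "SRC" in r
    })
    return records, by_flow, unzoned


if __name__ == "__main__":
    recs, flows, unzoned = triage(SAMPLE_LOG)
    for flow, n in flows.most_common():
        print(f"{n:4d}  chain={flow[0]} action={flow[1]} in={flow[2]} {flow[3]}/{flow[4]}")
    for pair in unzoned:
        print(f"INPUT reject from {pair}: not in any defined zone (see Shorewall FAQ 17)")
```

Run it against `/var/log/messages` (or wherever the kernel log lands) instead of the embedded sample to get the same per-chain breakdown for a real firewall; a road-warrior setup will show many distinct `SRC` values behind the same `IN` interface, which is exactly why the fix belongs in the zone and interface definitions rather than in a per-address rule.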
