On 23/10/15 04:29, Tom Eastep wrote:
> On 10/21/2015 10:07 PM, Tom Robinson wrote:
>> On 22/10/15 12:57, Tom Eastep wrote:
>>> On 10/20/2015 3:53 PM, Tom Robinson wrote:
>>>> shorewall-4.6.13-0base
>>>> openswan-2.6.32-9.el5
>>>> CentOS release 5.11
>>>> xl2tpd-1.2.8-1
>>>>
>>>> Hi,
>>>>
>>>> I'm migrating a working VPN+L2TP from an ADSL (7Mb/700Kb) link on one host to a Symmetric link
>>>> (9.5Mb/9.5Mb) on another host. The old, working link is configured under shorewall-4.5.0.3-1.el5 and
>>>> used DNAT to transmit L2TP port packets to the internal interface:
>>>>
>>>> rules:
>>>> DNAT            roadw           $FW:192.168.0.13 udp    1701    1701
>>>>
>>>> This has been working for some years now and I'm not sure any more why I configured it that way.
>>>>
>>>> Anyway I've started afresh on the new setup following the
>>>> http://www.shorewall.net/IPSEC-2.6.html#RW-L2TP article but I can't establish a link through L2TP.
>>>> The VPN comes up OK but the L2TP packets are being rejected:
>>>>
>>>> Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>> Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>> Oct 21 08:59:56 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12709 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>> Oct 21 09:00:00 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12710 PROTO=UDP SPT=1701 DPT=1701 LEN=122
>>>>
>>> Check Shorewall FAQ 17 -- Rejections in the INPUT chain mean that
>>> eth1:165.228.94.4 is not in any defined zone.
>> Hi Tom,
>>
>> Thanks for that. I've looked at FAQ 17 which makes sense but I'm still confused. The VPN I'm
>> configuring is for Road Warriors and as such I won't know the SRC address whence they are connecting.
>>
>> The 165.228.94.4 address is the SRC of the Road Warrior connection (Windows VPN Client end). The DST
>> of 115.70.189.243 is the entry point to the office network (our external interface's IP address on
>> the Shorewall configuration). I can't feasibly know all Road Warrior external addresses and list them.
>>
>> What am I missing here?
> Please forward the output of 'shorewall dump' collected as described at 
> http://www.shorewall.org/support.htm#Guidelines.

Hi Tom,

I've sent the gzipped shorewall_dump.txt in an earlier email but it's pending moderator approval due
to the file size (163441 bytes) being more than the allowed 128k limit.

Kind regards,
Tom
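As an added example (not from this thread and not Shorewall's own code), a small Python triage script that parses kernel log entries of the kind quoted above and applies the FAQ 17 rule of thumb: a REJECT logged in the INPUT chain means the packet's source matched no defined zone, whereas a hit in a zone-to-zone chain such as net2fw is an ordinary policy or rule decision. The log sample is constructed, modelled on the entries in the thread; the net2fw line and the 203.0.113.9 source are assumed.

```python
import re
from collections import Counter

# Constructed sample modelled on the thread's log entries, one syslog line each.
# The third line (net2fw chain, source 203.0.113.9) is an assumed contrast case.
SAMPLE_LOG = """\
Oct 21 08:59:53 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12707 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 08:59:54 fw2 kernel: Shorewall:INPUT:REJECT:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=165.228.94.4 DST=115.70.189.243 LEN=142 TOS=0x00 PREC=0x00 TTL=117 ID=12708 PROTO=UDP SPT=1701 DPT=1701 LEN=122
Oct 21 09:01:10 fw2 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= MAC=00:0c:29:8b:5f:8a:88:f0:31:4f:cf:54:08:00 SRC=203.0.113.9 DST=115.70.189.243 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=40000 DPT=22
"""

# Default Shorewall LOGFORMAT is "Shorewall:<chain>:<disposition>:" followed by
# the netfilter key=value fields.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")


def parse_line(line):
    """Return a dict of chain, disposition and netfilter fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("rest").split():
        key, _, val = tok.partition("=")   # "OUT=" yields an empty value
        fields.setdefault(key, val)        # LEN appears twice; keep the IP-level one
    return {"chain": m.group("chain"), "disposition": m.group("disp"), **fields}


def summarize(text):
    """Count log hits by (chain, disposition, in-interface, src, proto, dport)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec["chain"], rec["disposition"], rec.get("IN", ""),
                rec.get("SRC", ""), rec.get("PROTO", ""), rec.get("DPT", ""))] += 1
    return counts


def diagnose(counts):
    """One note per flow; INPUT-chain hits are flagged per Shorewall FAQ 17."""
    notes = []
    for (chain, disp, iface, src, proto, dport), n in sorted(counts.items()):
        flow = f"{n}x {disp} in {chain} from {src} via {iface} {proto}/{dport}"
        if chain == "INPUT":
            notes.append(flow + ": source matched no defined zone (FAQ 17); "
                         "check the interfaces/hosts files for " + iface)
        else:
            notes.append(flow + ": zone-to-zone policy or rule hit")
    return notes
```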

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
