On 05/04/2017 04:12 PM, Tom Eastep wrote:
>
> Sounds to me like you have an IPSEC configuration problem, with
> IPSEC only being used in one direction.

I don't *think* so .. for example a ping:

19:06:05.127457 IP 50.244.222.3.4500 > 66.....32.11.4500: UDP-encap: ESP(spi=0xe10dde9c,seq=0x44), length 116
19:06:05.201518 IP 66.....32.11.4500 > 50.244.222.3.4500: UDP-encap: ESP(spi=0xce5860ea,seq=0x44), length 116

On Fri, May 05, 2017 at 08:15:22AM -0700, Tom Eastep wrote:
> Or, you may be using SNAT to force traffic to match the IPSEC Security
> policy. In that case, before SNAT, Netfilter doesn't know that the
> traffic is going to be encapsulated and encrypted, so it is treated as
> IPv4 rather than ipsec.

I think you're exactly right:

masq: eth2:66.....32.11 - 50.244.222.3

Justin

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
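The "is IPsec only running in one direction?" question above can be answered mechanically from a tcpdump capture. The following is an added example, not code from the thread or from Shorewall: it parses UDP-encapsulated ESP lines of the form quoted above and reports peer pairs for which ESP was seen in only one direction. The sample capture is constructed; 192.0.2.11 and 198.51.100.7 are documentation addresses standing in for the masked host in the thread.

```python
import re
from collections import defaultdict

# One tcpdump line of the shape shown in the thread:
#   <ts> IP <src>.<sport> > <dst>.<dport>: UDP-encap: ESP(spi=0x..,seq=0x..), length N
ESP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP-encap: ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)$"
)

# Constructed sample: the two-way ping exchange from the thread (192.0.2.11
# replaces the masked address) plus a one-way exchange with a second peer.
SAMPLE_CAPTURE = """\
19:06:05.127457 IP 50.244.222.3.4500 > 192.0.2.11.4500: UDP-encap: ESP(spi=0xe10dde9c,seq=0x44), length 116
19:06:05.201518 IP 192.0.2.11.4500 > 50.244.222.3.4500: UDP-encap: ESP(spi=0xce5860ea,seq=0x44), length 116
19:06:06.001234 IP 50.244.222.3.4500 > 198.51.100.7.4500: UDP-encap: ESP(spi=0x1a2b3c4d,seq=0x01), length 116
19:06:06.004321 IP 198.51.100.7 > 50.244.222.3: ICMP echo reply, id 7, seq 1, length 64
"""


def parse_esp(text):
    """Return one record per UDP-encap ESP line; any other line (e.g. plain ICMP) is skipped."""
    records = []
    for line in text.splitlines():
        m = ESP_RE.match(line.strip())
        if m:
            d = m.groupdict()
            records.append({"ts": d["ts"], "src": d["src"], "dst": d["dst"],
                            "spi": int(d["spi"], 16), "seq": int(d["seq"], 16),
                            "length": int(d["len"])})
    return records


def esp_directions(records):
    """Map each unordered peer pair to {(src, dst): set of SPIs seen in that direction}."""
    seen = defaultdict(lambda: defaultdict(set))
    for r in records:
        pair = tuple(sorted((r["src"], r["dst"])))
        seen[pair][(r["src"], r["dst"])].add(r["spi"])
    return seen


def one_way_peers(records):
    """Peer pairs with ESP captured in only one direction: the symptom Tom asked about."""
    return sorted(pair for pair, dirs in esp_directions(records).items() if len(dirs) < 2)


if __name__ == "__main__":
    for pair in one_way_peers(parse_esp(SAMPLE_CAPTURE)):
        print("ESP seen in one direction only between", pair)
```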
