I'm trying to change the listening port of Libreswan using these DNAT entries
in rules:
DNAT net local:192.168.1.16:500 udp - 5500 ð0
DNAT net local:192.168.1.16 udp ipsec-nat-t - ð0
... but this results in the DROPs below. Rather than forwarding the packets to
that IP:port, it blocks them as destined for the $FW. I don't understand why.
IPSEC connects fine when I don't try to change port 500.
Also can I combine these two DNAT lines? Or would that push everything into
500?
[53533.057543] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11170 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
[53534.973338] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11171 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
[53537.760649] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11172 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
[53541.706546] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11173 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
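Added example (not part of the original post and not Shorewall project code): a small Python parser for the Shorewall-prefixed kernel log lines quoted in the message, plus a check that reads the chain name and DPT out of each entry. Because DNAT is applied in the nat table's PREROUTING chain, before the routing decision, a packet that was actually rewritten by a DNAT rule is filtered in the net-loc (FORWARD) chain; a packet that still shows up in net-fw (INPUT) with DPT equal to the port you meant to redirect was never matched by that DNAT rule. The sample entries below are copied from the post's own log output; the function and variable names are this example's own.

```python
import re
from collections import Counter

# Shorewall prefixes each netfilter log message with "Shorewall:<chain>:<disposition>:"
# and the kernel appends KEY=VALUE fields. OUT= may be empty and DF is a bare flag.
_PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
_FIELD = re.compile(r"\b(?P<key>[A-Z]+)=(?P<val>\S*)")

# The four DROP entries from the post, each joined onto a single line.
SAMPLE_LOG = [
    "[53533.057543] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11170 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716",
    "[53534.973338] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11171 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716",
    "[53537.760649] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11172 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716",
    "[53541.706546] Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=52:54:00:e6:0a:80:f6:b5:2f:a2:db:8e:08:00 SRC=172.58.46.201 DST=50.35.109.212 LEN=736 TOS=0x00 PREC=0x00 TTL=55 ID=11173 DF PROTO=UDP SPT=20563 DPT=65500 LEN=716",
]


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not a Shorewall entry."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for f in _FIELD.finditer(line, m.end()):
        key, val = f.group("key"), f.group("val")
        # LEN appears twice: the IP total length first, then the UDP/TCP length.
        if key == "LEN" and "LEN" in rec:
            key = "L4LEN"
        rec[key] = val
    return rec


def summarize_drops(lines):
    """Count entries by (chain, disposition, protocol, destination port)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["chain"], rec["disposition"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


def unrewritten_to_fw(lines, port):
    """Entries that reached a <zone>-fw chain with DPT still equal to `port`.

    DNAT runs in PREROUTING, before routing, so a rewritten packet would be
    filtered in net-loc (FORWARD). Reaching net-fw (INPUT) with the original
    DPT means no DNAT rule matched the packet.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["chain"].endswith("-fw") and rec.get("DPT") == str(port):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, n in summarize_drops(SAMPLE_LOG).items():
        print(n, "x", key)
    for rec in unrewritten_to_fw(SAMPLE_LOG, 65500):
        print("not DNATed:", rec["SRC"], "->", rec["DST"], "udp/" + rec["DPT"], "in", rec["chain"])
```

Run it against `dmesg` or `/var/log/kern.log` output to see, per chain and port, whether the packets you expected to be redirected are being filtered as traffic to the firewall itself (net-fw) or as forwarded traffic (net-loc); that distinction tells you whether the nat rule ever fired before you start looking at the filter rules.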