On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
> No change in the symptom with 'shorewall clear' on the IPSEC gateway.
>
> But I do notice that the response being emitted by the daemon which is not
> received by the phone (nor even seen in the IPSec gateway interface):
> Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
> Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
> Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
> Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.76[49548]
> Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
>
> ... has a -source- of 4500, not a destination of 4500. I'm not opening this
> in either the IPSec gateway nor the LAN gateway:
>
> IPSec gateway rules:
> ACCEPT $FW net udp 500,4500,ipsec,ipsec-nat -
>
> LAN gateway snat
> MASQUERADE 10.1.1.30/32,192.168.111.0/24 eth0
> rules
> ACCEPT local net udp domain -
> DNAT net local:192.168.111.16 udp 500,ipsec-nat-t -
>
> It's UDP so unstateful, so maybe this is -a- problem? (Aside from the fact
> that the 4500 response doesn't seem to leave the daemon)
The conntrack entries on the gateways will allow the response packets to be sent.

Using tcpdump on the IPSEC gateway, do you see the response packets being sent?

-Tom

-- 
Tom Eastep           \ Q: What do you get when you cross a mobster with
Shoreline,            \    an international standard?
Washington, USA        \ A: Someone who makes you an offer you can't
http://shorewall.org    \    understand
                         \_______________________________________________
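An added illustration of the point in Tom's reply, not part of the thread: the reply packet charon logs (source port 4500, destination the phone's ephemeral port) matches the reply tuple of the conntrack entry created by the phone's inbound packet, so no separate ACCEPT rule for "destination 4500" is needed on the outbound side. The script parses a charon "sending packet" line and the `conntrack -L` style table, and reports whether each send is an established reply, the original direction of a flow, or a brand-new flow that would need its own rule. Both the log line and the conntrack table below are constructed samples modelled on the thread, not output captured from a real host.

```python
import re

# Constructed sample: a charon log line of the form quoted in the thread.
CHARON_LOG = """\
Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.76[49548]
Thu, 2018-03-22 09:52 05[NET] sending packet: from 192.168.111.16[4500] to 198.51.100.9[4500]
"""

# Constructed sample of `conntrack -L` output on the IPSec gateway (192.168.111.16).
# The first entry is the NAT-T flow the phone opened; the second is unrelated DNS.
CONNTRACK_TABLE = """\
udp      17 28 src=172.56.42.76 dst=192.168.111.16 sport=49548 dport=4500 src=192.168.111.16 dst=172.56.42.76 sport=4500 dport=49548 [ASSURED] mark=0 use=1
udp      17 17 src=192.168.111.5 dst=192.168.111.1 sport=51234 dport=53 src=192.168.111.1 dst=192.168.111.5 sport=53 dport=51234 mark=0 use=1
"""

SEND_RE = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
# Original tuple, then reply tuple, as conntrack prints them for UDP.
CT_RE = re.compile(
    r"^udp\s+17\s+\d+\s+"
    r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)\s+"
    r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"
)


def parse_sends(log):
    """Return (src, sport, dst, dport) for every packet charon reports sending."""
    return [
        (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        for m in SEND_RE.finditer(log)
    ]


def parse_conntrack(table):
    """Return a list of {'orig': 4-tuple, 'reply': 4-tuple} for each UDP entry.

    Each 4-tuple is (src, sport, dst, dport) so it compares directly with parse_sends().
    """
    entries = []
    for line in table.splitlines():
        m = CT_RE.match(line)
        if not m:
            continue  # skip non-UDP or malformed lines
        entries.append({
            "orig": (m.group(1), int(m.group(3)), m.group(2), int(m.group(4))),
            "reply": (m.group(5), int(m.group(7)), m.group(6), int(m.group(8))),
        })
    return entries


def classify(send, entries):
    """Say how the firewall sees an outbound packet.

    'reply'    - matches a reply tuple: conntrack lets it out, no rule needed
    'original' - matches an original tuple: flow already accepted earlier
    'new'      - no entry: the $FW -> net rule must accept it (500/4500 here)
    """
    for e in entries:
        if send == e["reply"]:
            return "reply"
        if send == e["orig"]:
            return "original"
    return "new"


def report(log=CHARON_LOG, table=CONNTRACK_TABLE):
    """Classify every send in the log; returns a list of (send, verdict)."""
    entries = parse_conntrack(table)
    return [(s, classify(s, entries)) for s in parse_sends(log)]


if __name__ == "__main__":
    for send, verdict in report():
        src, sport, dst, dport = send
        print(f"{src}:{sport} -> {dst}:{dport}  {verdict}")
```

Running this against the constructed samples classifies the packet to the phone as `reply`, which is exactly why the source port 4500 traffic needs no extra rule on the IPSec gateway; only the second, unmatched send counts as `new`. On a real host the table comes from `conntrack -L` and the sends from the charon log, and `tcpdump -ni <iface> udp port 4500` (interface assumed) on the same gateway shows whether those replies actually reach the wire.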