-------- Original Message --------
On March 23, 2018 9:43 AM, Tom Eastep <teas...@shorewall.net> wrote:

> On 03/22/2018 10:03 AM, colony.three--- via Shorewall-users wrote:
> > No change in the symptom with 'shorewall clear' on the IPSEC gateway.
> >
> > But I do notice that the response being emitted by the daemon, which is not
> > received by the phone (nor even seen on the IPSec gateway interface):
> >
> > Thu, 2018-03-22 09:51 12[IKE] <3> sending keep alive to 172.56.42.76[49548]
> > Thu, 2018-03-22 09:51 12[MGR] <3> checkin IKE_SA (unnamed)[3]
> > Thu, 2018-03-22 09:51 12[MGR] <3> checkin of IKE_SA successful
> > Thu, 2018-03-22 09:51 04[NET] sending packet: from 192.168.111.16[4500] to 172.56.42.76[49548]
> > Thu, 2018-03-22 09:51 01[JOB] next event in 10s 3ms, waiting
> >
> > ... has a -source- of 4500, not a destination of 4500. I'm not opening this
> > in either the IPSec gateway or the LAN gateway:
> >
> > IPSec gateway rules:
> >
> > ACCEPT     $FW     net     udp     500,4500,ipsec,ipsec-nat     -
> >
> > LAN gateway snat:
> >
> > MASQUERADE     10.1.1.30/32,192.168.111.0/24     eth0
> >
> > rules:
> >
> > ACCEPT     local     net                     udp     domain              -
> > DNAT       net       local:192.168.111.16    udp     500,ipsec-nat-t     -     &eth0
> >
> > It's UDP so unstateful, so maybe this is -a- problem? (Aside from the fact
> > that the 4500 response doesn't seem to leave the daemon.)
>
> The conntrack entries on the gateways will allow the response packets to
> be sent. Using tcpdump on the IPSEC gateway, do you see the response
> packets being sent?
>
> -Tom
>
> Tom Eastep            \ Q: What do you get when you cross a mobster with
> Shoreline,             \    an international standard?
> Washington, USA         \ A: Someone who makes you an offer you can't
> http://shorewall.org     \    understand
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

Oh man. I don't have any IPSec entries in conntrack.

?FORMAT 3
###############################################################################
#ACTION                  SOURCE   DEST   PROTO   DPORT   SPORT   USER   SWITCH
?if $AUTOHELPERS && __CT_TARGET
?if __AMANDA_HELPER
CT:helper:amanda:PO      -        -      udp     10080
?endif
?if __FTP_HELPER
CT:helper:ftp:PO         -        -      tcp     21
?endif
?if __H323_HELPER
CT:helper:RAS:PO         -        -      udp     1719
CT:helper:Q.931:PO       -        -      tcp     1720
?endif
?if __IRC_HELPER
CT:helper:irc:PO         -        -      tcp     6667
?endif
?if __NETBIOS_NS_HELPER
CT:helper:netbios-ns:PO  -        -      udp     137
?endif
?if __PPTP_HELPER
CT:helper:pptp:PO        -        -      tcp     1723
?endif
?if __SANE_HELPER
CT:helper:sane:PO        -        -      tcp     6566
?endif
?if __SIP_HELPER
CT:helper:sip:PO         -        -      udp     5060
?endif
?if __SNMP_HELPER
CT:helper:snmp:PO        -        -      udp     161
?endif
?if __TFTP_HELPER
CT:helper:tftp:PO        -        -      udp     69
?endif
?endif
Re: [Shorewall-users] IPSec Getting Blocked
colony.three--- via Shorewall-users Fri, 23 Mar 2018 11:03:54 -0700
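One way to check the point Tom raises (whether the gateway's conntrack table actually holds the IKE/NAT-T flows, and whether the kernel ever saw the reply direction for them), as an added example that is not part of this thread: it parses /proc/net/nf_conntrack-style lines and flags entries still marked [UNREPLIED]. The sample table is constructed from the addresses and ports in the thread, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import Optional
# Constructed /proc/net/nf_conntrack sample modelled on the thread's addresses
# (phone 172.56.42.76:49548, strongSwan host 192.168.111.16). Not a real capture.
SAMPLE = """\
ipv4     2 udp      17 29 src=172.56.42.76 dst=192.168.111.16 sport=49548 dport=4500 [UNREPLIED] src=192.168.111.16 dst=172.56.42.76 sport=4500 dport=49548 mark=0 zone=0 use=2
ipv4     2 udp      17 170 src=172.56.42.76 dst=192.168.111.16 sport=500 dport=500 src=192.168.111.16 dst=172.56.42.76 sport=500 dport=500 [ASSURED] mark=0 zone=0 use=2
ipv4     2 unknown  50 599 src=172.56.42.76 dst=192.168.111.16 src=192.168.111.16 dst=172.56.42.76 mark=0 zone=0 use=2
ipv4     2 udp      17 27 src=10.1.1.30 dst=8.8.8.8 sport=40000 dport=53 src=8.8.8.8 dst=10.1.1.30 sport=53 dport=40000 [ASSURED] mark=0 zone=0 use=2
"""
UDP, ESP = 17, 50
IKE_PORTS = {500, 4500}          # IKE and NAT-T (ipsec-nat-t)
KV = re.compile(r"(\w+)=(\S+)")

@dataclass
class Flow:
    l4proto: int
    src: str                     # original-direction source
    dst: str                     # original-direction destination
    orig_dport: Optional[int]    # None for port-less protocols such as ESP
    replied: bool                # False while the entry is still [UNREPLIED]

def parse_line(line: str) -> Flow:
    """Parse one nf_conntrack line; only the original-direction tuple is kept."""
    parts = line.split()
    orig = {}
    for key, val in KV.findall(line):
        if key in orig:          # first repeated key starts the reply tuple
            break
        orig[key] = val
    dport = int(orig["dport"]) if "dport" in orig else None
    return Flow(int(parts[3]), orig["src"], orig["dst"], dport, "[UNREPLIED]" not in line)

def is_ipsec(f: Flow) -> bool:
    return f.l4proto == ESP or (f.l4proto == UDP and f.orig_dport in IKE_PORTS)

def ipsec_flows(table: str, gateway_ip: str) -> list:
    """IKE, NAT-T and ESP entries whose original direction targets gateway_ip."""
    flows = [parse_line(ln) for ln in table.splitlines() if ln.strip()]
    return [f for f in flows if is_ipsec(f) and f.dst == gateway_ip]

def unreplied(flows) -> list:
    """Entries for which the kernel never saw the reply direction."""
    return [f for f in flows if not f.replied]

if __name__ == "__main__":
    for f in ipsec_flows(SAMPLE, "192.168.111.16"):
        print(f"proto {f.l4proto} {f.src} -> {f.dst} dport={f.orig_dport} replied={f.replied}")
```

On a live gateway, feed it the contents of /proc/net/nf_conntrack (or `conntrack -L` output in the same key=value shape) in place of SAMPLE; an IKE or NAT-T entry that stays [UNREPLIED] while the daemon logs "sending packet" points at the reply being dropped or routed elsewhere before it reaches that conntrack.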