On 3/18/2020 11:01 AM, Andrey Andreev wrote:
> As I have explained, shorewall does not start with this line in SNAT
> unhashed. The error shown with 'systemctl shorewall status' after
> unsuccessful shorewall restart is something like:
> .... cannot start, unrecognized record in /etc/shorewall/snat line #...
> The record was even listed: SNAT(!==IP==).
> I am afraid to repeat this situation again as the connection may die out
> and I should run to the place to fix it.
>
> IPSec tunnel is working, I presume, in 'ipsec whack --status' connection
> list shows:
> Total IPsec connections: loaded 1, active 1
> The tunnel is not routed to the LAN IP range however.
Simply uncomment the record and run 'shorewall check'. Since the message refers to a particular line in the snat file, it has to be coming from the compiler. And if 'shorewall check' doesn't produce the message, then try 'shorewall compile foo'. And be sure to comment the record after testing.

-Tom

--
Tom Eastep            \ Q: What do you get when you cross a mobster
Shoreline,             \    with an international standard?
Washington, USA         \ A: Someone who makes you an offer you
http://shorewall.org     \    can't understand
                          \________________________________________
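The procedure in the reply (uncomment the record, run the compiler, re-comment it) can be done without ever editing the live configuration: copy /etc/shorewall to a scratch directory, uncomment the suspect record in the copy, and point the compiler at that directory. This is an added example, not code from the thread or from the Shorewall project. It assumes that `shorewall check DIRECTORY` compiles the files in DIRECTORY in place of the ones in /etc/shorewall and discards the result, and the sample snat file and the 203.0.113.10 address below are constructed placeholders, not the poster's record.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Shorewall project.
# Tests a suspect snat record in a scratch copy of the configuration so the
# live files (and the running firewall) are never modified.
# Assumption: "shorewall check DIRECTORY" compiles the files found in DIRECTORY
# in place of those in /etc/shorewall and discards the output, and the layout
# used below (a "snat" file holding SNAT(addr) records) matches the host.

# make_scratch_config SRC_DIR DEST_DIR
# Copy the whole configuration directory; every edit happens in the copy.
make_scratch_config() {
    mkdir -p "$2" && cp -R "$1"/. "$2"/
}

# uncomment_record FILE PATTERN
# Strip the leading '#' from the first commented line containing PATTERN
# (a fixed string, not a regex). Returns 1 if no such commented line exists.
uncomment_record() {
    file=$1
    pattern=$2
    grep -F -- "$pattern" "$file" | grep -q '^[[:space:]]*#' || return 1
    awk -v pat="$pattern" '
        !done && index($0, pat) > 0 && $0 ~ /^[ \t]*#/ {
            sub(/^[ \t]*#[ \t]*/, "")
            done = 1
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# count_active_records FILE
# Lines the compiler will actually parse: neither comments nor blank lines.
count_active_records() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# check_scratch DIR
# Run the compiler against the scratch directory. Nothing is installed, so a
# bad record surfaces as a compile error without touching the running ruleset.
# Returns 2 when shorewall is not installed on this host.
check_scratch() {
    if command -v shorewall >/dev/null 2>&1; then
        shorewall check "$1"
    else
        echo "shorewall not installed here; would run: shorewall check $1" >&2
        return 2
    fi
}

# Demonstration on a constructed snat file (203.0.113.10 is a documentation
# placeholder, not the address from the thread).
demo() {
    work=$(mktemp -d)
    mkdir "$work/live"
    cat > "$work/live/snat" <<'EOF'
#ACTION                 SOURCE            DEST
#SNAT(203.0.113.10)     192.168.1.0/24    eth0
SNAT(203.0.113.10)      10.0.0.0/8        eth0
EOF
    make_scratch_config "$work/live" "$work/scratch"
    uncomment_record "$work/scratch/snat" '192.168.1.0/24'
    echo "active records, scratch copy: $(count_active_records "$work/scratch/snat")"
    echo "active records, live config:  $(count_active_records "$work/live/snat")"
    check_scratch "$work/scratch" || echo "check exited with status $?"
    rm -rf "$work"
}

demo
```

On a real host the same three calls would be `make_scratch_config /etc/shorewall /tmp/shorewall-test`, `uncomment_record /tmp/shorewall-test/snat 'SNAT(...)'` and `check_scratch /tmp/shorewall-test`; because the live file is never edited, there is no record to re-comment afterwards and no window in which a restart could pick up the bad line.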
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users