[Shorewall-newbies] will not pass vpn's

Skip Palin spalin at montana.com
Wed Dec 17 16:55:04 PST 2003


Here you go

Interface
net     eth0    detect
loc     eth1    detect

hosts
blkv    eth0:(ng_firewall)

masq
eth0                    192.168.2.0/24
eth0:192.168.2.2        172.16.0.0/24

policy
loc             net             ACCEPT 
$FW             net             ACCEPT
$FW             loc             ACCEPT
loc             blkv            ACCEPT
blkv            loc             ACCEPT
net             all             DROP            info
all             all             DROP            info

rules
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 tcp     50      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 udp     50      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 tcp     51      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 udp     51      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 tcp     500     -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 udp     500     -
ACCEPT  fw      net     tcp     53      -       -
ACCEPT  fw      net     udp     53      -       -
ACCEPT  loc:192.168.2.2 all     all     -       -
ACCEPT  loc:192.168.2.3 all     all     -       -

Tunnels
ipsec   net     0.0.0.0/0       blkv

zone
net     Net             Internet
loc     Local           Local networks
blkv    blkvpn          172.16.0.0/24



-----Original Message-----
From: Francesca C. Smith [mailto:fsmith at ladylinux.com] 
Sent: Wednesday, December 17, 2003 11:08 AM
To: Skip Palin
Cc: shorewall-newbies at lists.shorewall.net
Subject: Re: [Shorewall-newbies] will not pass vpn's

Hello,

Please post your configurations ...

Francesca
On Wed, 2003-12-17 at 07:48, Skip Palin wrote:
> Hi all,
> 
> Shorewall 1.4.8
> 
> Iptables 1.2.7a
> 
> RH 9 Kernel-2.4.23
> 
> My problem is, that we have an xp-box (VPN is Checkpoint NG) and an
> nt-box (VPN is Fort Knox) that need to vpn in to two different sites
> and so far it is not working.
> 
> Compiled the kernel with AH,ESP and Linux FreeS/WAN 2.04.
> 
> I do an ipsec verify and get 
> 
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path                                 [OK]
> Linux FreeS/WAN 2.04
> Checking for KLIPS support in kernel                            [OK]
> Checking for RSA private key (/etc/ipsec.secrets)               [OK]
> Checking that pluto is running                                  [OK]
> Two or more interfaces found, checking IP forwarding            [OK]
> Checking NAT and MASQUERADEing
> Opportunistic Encryption DNS checks:
> Looking for TXT in forward map: (firewall)                      [MISSING]
> Does the machine have at least one non-private address?         [FAILED]
> 
> I have two interfaces and one does have a public IP
> 
> NG did exchange keys and so did fort Knox.
> 
> NG sends isakmp SYNs to port 500 to the remote, so I opened port
> 50,51 and 500 tcp and udp, still will not work.
> 
> If I take the firewall out of the equation it works fine.
> 
> I have gone over everything so many times that, what I am missing is
> right there in front of me but it all looks correct.
> 
> Any help to steer me in the right direction would be appreciated.
> 
> Skip
> 
> ______________________________________________________________________
> _______________________________________________
> Shorewall-newbies mailing list
> Post: Shorewall-newbies at lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-newbies
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
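Editor's added example, not part of the thread: a small Python linter for Shorewall 1.4-style rules lines. The security-relevant point is that ESP and AH are IP protocols (numbers 50 and 51 in /etc/protocols), not TCP or UDP ports, so a rule with `tcp` or `udp` in the PROTO column and 50 or 51 in the DEST PORT column accepts TCP/UDP port 50 or 51 and matches no IPsec traffic at all. ESP and AH belong in the PROTO column with no port, while IKE is UDP port 500 (plus UDP 4500 where NAT traversal is in use, which is relevant when the initiating host is masqueraded, since AH cannot survive address translation and plain ESP through NAT depends on the peers supporting NAT-T). The script parses the rules block posted above (copied here as constructed sample input), flags those lines, points out TCP rules for IKE ports that carry no IPsec signalling, and emits protocol-level replacements. The column layout follows Shorewall's documented rules file; the corrected lines are an assumption about what the rules were meant to do, not something the thread confirms fixed the problem.

```python
"""Lint Shorewall 1.4-style rules lines for ESP/AH written as TCP/UDP ports.
Editor's added example; the sample rules are copied from the thread above."""

# Shorewall rules columns: ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ...
IPSEC_PROTOCOLS = {"50": "esp", "51": "ah"}   # IP protocol numbers, not ports
IKE_PORTS = {"500", "4500"}                    # IKE and NAT-T, both UDP only

# Constructed sample input: the rules block posted in this thread.
SAMPLE_RULES = """\
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 tcp     50      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 udp     50      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 tcp     51      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 udp     51      -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 tcp     500     -
ACCEPT  net:(ng_firewall)  loc:192.168.2.2 udp     500     -
ACCEPT  fw      net     tcp     53      -       -
"""


def parse_rules(text):
    """Split rules text into dicts, padding missing optional columns with '-'."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not body:
            continue
        cols = body.split()
        if len(cols) < 3:                         # ACTION SOURCE DEST are mandatory
            continue
        cols += ["-"] * (6 - len(cols))
        rules.append({"line": lineno, "action": cols[0], "source": cols[1],
                      "dest": cols[2], "proto": cols[3].lower(),
                      "dport": cols[4], "sport": cols[5]})
    return rules


def is_ipsec_port_mistake(rule):
    """True when an ESP/AH protocol number sits in the DEST PORT column."""
    return rule["proto"] in ("tcp", "udp") and rule["dport"] in IPSEC_PROTOCOLS


def find_ipsec_port_mistakes(rules):
    return [r for r in rules if is_ipsec_port_mistake(r)]


def ike_over_tcp(rules):
    """IKE and NAT-T are UDP; a TCP 500/4500 ACCEPT opens a port that carries
    no IPsec signalling and can be dropped."""
    return [r for r in rules if r["proto"] == "tcp" and r["dport"] in IKE_PORTS]


def render(action, source, dest, proto="-", dport="-", sport="-"):
    """Join columns back into one rule line, dropping trailing '-' columns."""
    cols = [action, source, dest, proto, dport, sport]
    while len(cols) > 3 and cols[-1] == "-":
        cols.pop()
    return " ".join(cols)


def corrected_ipsec_rules(rules):
    """Rewrite flagged rules as protocol-level ESP/AH rules (no port column);
    everything else passes through unchanged. Duplicates produced by the
    rewrite (tcp 50 and udp 50 both become esp) are collapsed, first wins."""
    out = []
    for r in rules:
        if is_ipsec_port_mistake(r):
            line = render(r["action"], r["source"], r["dest"],
                          IPSEC_PROTOCOLS[r["dport"]])
        else:
            line = render(r["action"], r["source"], r["dest"],
                          r["proto"], r["dport"], r["sport"])
        if line not in out:
            out.append(line)
    return out


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in find_ipsec_port_mistakes(rules):
        print(f"line {r['line']}: {r['proto']} port {r['dport']} is not IPsec; "
              f"use PROTO {IPSEC_PROTOCOLS[r['dport']]} with no port")
    for r in ike_over_tcp(rules):
        print(f"line {r['line']}: IKE is UDP; tcp {r['dport']} is unnecessary")
    print("\nCorrected rules:")
    print("\n".join(corrected_ipsec_rules(rules)))
```

Run it as a script to see the flagged lines and the rewritten block; `parse_rules` can be pointed at the contents of a real /etc/shorewall/rules file instead of the sample. It only checks the one mistake discussed here and does not evaluate the policy or masq files.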