[Shorewall-users] Need help with IPSEC, net view and shorewall

Alois Schneider alois@sillian.com
Fri, 05 Apr 2002 23:25:32 +0200


--On Friday, 5 April 2002 12:55 -0800 Tom Eastep <teastep@shorewall.net> wrote:

> On Fri, 5 Apr 2002, Alois Schneider wrote:
>
>> > You need UDP port 500 and protocols 51 and 51 open to this user's
>> > system. After a period of inactivity, either end of a VPN tunnel can
>> > suddenly become active; if iptables connection tracking has timed out
>> > the connection and the remote end is the first to speak, you will see
>> > problems like you describe.
>>
>> Where do I have to open UDP port 500 and protocols 51?
>>
>
> In the rules file.
>

I have the following configuration:

interfaces:
#ZONE   INTERFACE   BROADCAST        OPTIONS
net     eth0        x.x.x.x          norfc1918
loc     tr0         192.168.1.255    routestopped
dmz     eth1        192.168.10.255   routestopped
loc     ipsec0

zones:
net     Net         Internet
loc     Local       Local Networks
dmz     DMZ         Demilitarized zone

are these rules correct?
ACCEPT  loc  net  udp  500
ACCEPT  loc  net  51

or do I need the rules the other way round?

Thank you for your help,
Alois
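Tom's point that either end of the tunnel may be the first to speak after an idle period means the permit rules have to exist for both directions of the zone pair, not just loc to net. The script below is an editorial example added to this archive page; it is not code from the thread or from the Shorewall project. It parses lines in the classic Shorewall rules layout (ACTION SOURCE DEST PROTO DEST PORT, an assumption about the file format) and reports which IPsec flows are missing between two zones in either direction: IKE on UDP 500 and protocol 51 (AH), both named in the thread, plus protocol 50 (ESP), which is the protocol that carries the encrypted traffic of most IPsec tunnels. The sample input is the two rules Alois posted; matching is simplified (ACCEPT lines only, zone names compared literally, no host qualifiers such as net:address).

```python
"""Check a Shorewall-style rules fragment for the flows an IPsec tunnel needs.

Assumes the classic rules layout discussed in the thread:
    ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
Rule matching is deliberately simplified: only ACCEPT lines count, zones are
compared as plain names (no host/network qualifiers), and ports may be a
comma-separated list of numbers or lo:hi ranges.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the two rules posted in the thread above.
SAMPLE_RULES = """\
ACCEPT  loc  net  udp  500
ACCEPT  loc  net  51
"""

# Protocol names a rules file may use instead of numbers.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}

# The flows an IPsec tunnel needs: IKE over UDP 500, plus the ESP and AH
# protocols themselves (no ports; they are not TCP/UDP).
IPSEC_FLOWS = (("udp/500", 17, 500), ("esp", 50, None), ("ah", 51, None))


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: Optional[int]   # None means "any protocol"
    dports: Optional[str]  # None means "any port"


def parse_proto(token: str) -> int:
    """Accept either a protocol name from PROTO_NUMBERS or a raw number."""
    token = token.lower()
    if token in PROTO_NUMBERS:
        return PROTO_NUMBERS[token]
    if token.isdigit():
        return int(token)
    raise ValueError(f"unknown protocol: {token!r}")


def parse_rules(text: str) -> List[Rule]:
    """Parse rules lines, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) < 3:
            raise ValueError(f"rule needs ACTION SOURCE DEST: {raw!r}")
        proto = None
        if len(cols) > 3 and cols[3] not in ("-", "all"):
            proto = parse_proto(cols[3])
        dports = cols[4] if len(cols) > 4 and cols[4] != "-" else None
        rules.append(Rule(cols[0].upper(), cols[1], cols[2], proto, dports))
    return rules


def port_in_spec(spec: str, port: int) -> bool:
    """True if port is covered by a spec like '500', '500,4500' or '1024:65535'."""
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif part.isdigit() and int(part) == port:
            return True
    return False


def rule_permits(rule: Rule, src: str, dst: str, proto: int, port: Optional[int]) -> bool:
    """Does this single rule accept the given flow between the given zones?"""
    if rule.action != "ACCEPT" or (rule.source, rule.dest) != (src, dst):
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.dports is not None:
        # A port restriction can only match a flow that actually has a port.
        return port is not None and port_in_spec(rule.dports, port)
    return True


def missing_ipsec_flows(rules: List[Rule], zone_a: str, zone_b: str) -> List[Tuple[str, str, str]]:
    """Flows (src, dst, name) that no rule accepts, checked in both directions.

    Both directions matter because, as the thread notes, either tunnel end
    may be the first to send after connection tracking has timed out.
    """
    missing = []
    for src, dst in ((zone_a, zone_b), (zone_b, zone_a)):
        for name, proto, port in IPSEC_FLOWS:
            if not any(rule_permits(r, src, dst, proto, port) for r in rules):
                missing.append((src, dst, name))
    return missing


if __name__ == "__main__":
    for src, dst, name in missing_ipsec_flows(parse_rules(SAMPLE_RULES), "loc", "net"):
        print(f"no ACCEPT rule for {name} from {src} to {dst}")
```

Run against the two posted rules, the check reports ESP missing from loc to net and all three flows missing from net to loc. In a real rules file the net side of such rules would normally be narrowed to the peer's address rather than the whole zone, which this simplified matcher does not model.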