[Shorewall-users] Need help with IPSEC, net view and shorewall

Tom Eastep teastep@shorewall.net
Fri, 5 Apr 2002 13:56:23 -0800 (Pacific Standard Time)


On Fri, 5 Apr 2002, Alois Schneider wrote:

>
>
> --On Freitag, 5. April 2002 12:55 -0800 Tom Eastep <teastep@shorewall.net>
> wrote:
>
> > On Fri, 5 Apr 2002, Alois Schneider wrote:
> >
> >> > You need UDP port 500 and protocols 51 and 51 open to this user's
> >> > system. After a period of inactivity, either end of a VPN tunnel can
> >> > suddenly become active; if iptables connection tracking has timed out
> >> > the connection and the remote end is the first to speak, you will see
> >> > problems like you describe.
> >>
> >> Where do I have to open UDP port 500 and protocols 51?
> >>
> >
> > In the rules file.
> >
>
> I have the following configuration:
>
> interfaces:
> #ZONE   INTERFACE   BROADCAST        OPTIONS
> net     eth0        x.x.x.x          norfc1918
> loc     tr0         192.168.1.255    routestopped
> dmz     eth1        192.168.10.255   routestopped
> loc     ipsec0
>
> zones:
> net	Net		Internet
> loc	Local	Local Networks
> dmz	DMZ	Demilitarized zone
>
> are these rules correct?
> ACCEPT		loc	net		udp	500
> ACCEPT		loc	net		51
>
> or do I need the rules the other way round?
>

Assuming that your loc->net policy is ACCEPT, you need the rules the other
way around.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
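The rules "the other way around", written out as an added example that is not part of the thread. It assumes the interfaces and zones Alois posted (eth0 in net, ipsec0 in loc) and the standard IPsec protocol numbers (IKE on UDP 500, ESP is IP protocol 50, AH is IP protocol 51), with the remote peer's address left as a placeholder:

```text
# /etc/shorewall/rules (added example, not from the original post)
#
# Redundant under a loc->net ACCEPT policy: the Policy already
# lets the local side initiate, so these two lines change nothing.
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
#ACCEPT   loc      net    udp     500
#ACCEPT   loc      net    51

# Needed: when the tunnel has been idle and the REMOTE end speaks
# first, the IKE/ESP/AH packets arrive on eth0, i.e. from the net
# zone, and the default net->loc policy drops them. The decrypted
# traffic then appears on ipsec0, which is already in the loc zone,
# so no further rules are required for it.
# Replace REMOTE.PEER.IP.ADDR with the actual peer (placeholder).
#ACTION   SOURCE                   DEST   PROTO   DEST PORT(S)
ACCEPT    net:REMOTE.PEER.IP.ADDR  loc    udp     500
ACCEPT    net:REMOTE.PEER.IP.ADDR  loc    50
ACCEPT    net:REMOTE.PEER.IP.ADDR  loc    51
```

Restricting SOURCE to the known peer address keeps the IKE and ESP/AH exposure limited to that host rather than the whole net zone; check with `shorewall show` (or the generated iptables rules) that the three entries land in the net2loc chain.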