[Shorewall-users] Need help with IPSEC, net view and shorewall

Tom Eastep teastep@shorewall.net
Sun, 7 Apr 2002 16:00:12 -0700 (Pacific Daylight Time)


On Sat, 6 Apr 2002, Alois Schneider wrote:

>
> Ok, I added the rules *) but the problem still exists. After some time of
> inactivity I cannot ping across the tunnel and get the following errors:
>
> *) ACCEPT		net	loc		udp	500
>    ACCEPT		net	loc		51
> and
> loc	net		ACCEPT in policy
>

If you are masquerading (or SNATing) your local network, you're going to
have to FORWARD those -- not just pass them.

ACCEPT	net	loc:<ipsec local ip>	udp	500	-	<external ip>
ACCEPT	net	loc:<ipsec local ip>	51	-	-	<external ip>

If you have a dynamic IP, replace <external ip> with 'all'.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net