[Shorewall-users] IpSec problem from local box to company server
Wed, 9 Jan 2002 12:46:25 -0800
On Wednesday 09 January 2002 12:39 pm, Les Hazelton wrote:
> I have a problem with my IpSec tunnels. They work for a few minutes and
> then die. My firewall is running shorewall 1.2.2. The connection to the
> net is via ppp0 dial. The local network interface is eth0 which connects to
> a LinkSys 10/100 switch. Most of the systems in the house are for personal
> use and don't use IpSec. They all work just fine.
>
> The work system is a Thinkpad running Win98-SE and a Nortel Extranet IpSec
> client. This all worked without a problem while I was using an older Linux
> kernel and Seawall for the firewall. When I switched to a 2.4.17 kernel
> and shorewall the IpSec problem started.
>
> The message log shows an incoming udp packet rejected at about the same
> time as the tunnel failure. See below:
>
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=22.214.171.124 DST=126.96.36.199 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=214 SPT=500 DPT=500 LEN=84
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=188.8.131.52 DST=184.108.40.206 LEN=104 TOS=0x00 PREC=0x00 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
> .... and many more
>
> I have not placed any entries in the /etc/shorewall/tunnels file because it
> looked to me like that was to define tunnels with endpoints on the firewall
> system. All my tunnels should be masked from local through the firewall to
> a company server somewhere in the ether.
>
> I would greatly appreciate any pointers - i.e., what am I doing wrong??
I would try adding a couple of rules:
ACCEPT    net 220.127.116.11    loc:<thinkpad ip>    50     -    -    all
ACCEPT    net 18.104.22.168     loc:<thinkpad ip>    udp    500  0    all
See if that helps.
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ firstname.lastname@example.org
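As an added example (not part of this thread, and not Shorewall's own code), the POSIX shell script below reads Shorewall 1.2-style `DROP` log lines of the kind quoted above and classifies each drop by IPsec component: IKE (udp/500), ESP (IP protocol 50), AH (IP protocol 51) or something else. Running it over a message log makes it obvious whether the firewall is dropping the key exchange, the encrypted payload, or both, which is exactly what the two suggested rules (udp 500 and protocol 50) are meant to let through. The sample log lines are constructed with RFC 5737 documentation addresses, not the addresses from the post; the field names follow the netfilter LOG format shown in the quoted messages, and accepting `PROTO=ESP`/`PROTO=AH` alongside the numeric forms is an assumption to cover kernels that log the protocol by name.

```shell
#!/bin/sh
# Added example: classify Shorewall DROP log lines by IPsec component.
# Not from the thread or the Shorewall project. Log lines are constructed.

SAMPLE_LOG='Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.20 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21401 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.20 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.20 LEN=136 TOS=0x00 PREC=0x00 TTL=55 ID=25251 PROTO=50
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 PROTO=TCP SPT=4321 DPT=445'

# field LINE KEY: print the value of the first KEY=value token in LINE
# (empty if absent). LEN= appears twice in netfilter logs; the first one wins.
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# classify_line LINE: print IKE, NAT-T, ESP, AH or OTHER for one log line.
# Older kernels log the protocol number (PROTO=50); newer ones may log the
# name (PROTO=ESP), so both spellings are accepted (assumption, see lead-in).
classify_line() {
    proto=$(field "$1" PROTO)
    dpt=$(field "$1" DPT)
    case "$proto" in
        50|ESP) echo ESP ;;
        51|AH)  echo AH ;;
        UDP)
            if [ "$dpt" = 500 ]; then
                echo IKE
            elif [ "$dpt" = 4500 ]; then
                echo NAT-T
            else
                echo OTHER
            fi ;;
        *) echo OTHER ;;
    esac
}

# summarize_drops: read log lines on stdin, keep only Shorewall DROP entries,
# and print "<count> <class> <source address>" lines, most frequent first.
summarize_drops() {
    while IFS= read -r line; do
        case "$line" in
            *Shorewall:*:DROP:*) ;;
            *) continue ;;
        esac
        printf '%s %s\n' "$(classify_line "$line")" "$(field "$line" SRC)"
    done | sort | uniq -c | sort -rn
}

# Stand-alone run: summarize the constructed sample. On a real box you would
# feed the system log instead, e.g. grep Shorewall /var/log/messages.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

With the sample above the summary shows two IKE drops and one ESP drop from the same peer address, i.e. both halves of the tunnel are being blocked at the net2all boundary; if only the IKE line appeared, the udp/500 rule alone would be the first thing to check.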