[Shorewall-users] IpSec problem from local box to company server

Tom Eastep teastep@shorewall.net
Wed, 9 Jan 2002 12:46:25 -0800


Les,

On Wednesday 09 January 2002 12:39 pm, Les Hazelton wrote:
> I have a problem with my IpSec tunnels. They work for a few minutes and
> then die.  My firewall is running shorewall 1.2.2.  The connection to the
> net is via ppp0 dial. The local network interface is eth0 which connects to
> a LinkSys 10/100 switch. Most of the systems in the house are for personal
> use and don't use IpSec. They all work just fine.
>
> The work system is a Thinkpad running Win98-SE and a Nortel Extranet IpSec
> client.  This all worked without a problem while I was using an older Linux
> kernel and Seawall for the firewall.  When I switched to a 2.4.17 kernel
> and shorewall the IpSec problem started.
>
> The message log shows an incoming udp packet rejected at about the same
> time as the tunnel failure.  See below:
>
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
> .... and many more ...
>
> I have not placed any entries in the /etc/shorewall/tunnels file because it
> looked to me like that was to define tunnels with endpoints on the firewall
> system.  All my tunnels should be masked from local through the firewall to
> a company server somewhere in the ether.
>
> I would greatly appreciate any pointers - i.e., what am I doing wrong???

I would try adding a couple of rules:

ACCEPT	net 192.128.133.43	loc:<thinkpad ip>	50	-	-	all
ACCEPT	net 192.128.133.43	loc:<thinkpad ip>	udp	500	0	all

See if that helps.
-Tom
-- 
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------
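
To confirm which IPsec traffic the firewall is discarding before and after a rule change, the Shorewall log lines quoted in the message can be summarised per peer. The following is an added example, not part of the original thread or of Shorewall; the sample log is constructed from the excerpt above, and its TCP and ESP lines, along with all function names, are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines mirror the log excerpt in the message;
# the TCP and ESP lines are invented for this example.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=32.226.176.107 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=100 PROTO=TCP SPT=4000 DPT=23 WINDOW=512
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=120 TOS=0x00 PREC=0x00 TTL=55 ID=25251 PROTO=ESP SPI=0x1234
"""

PREFIX = re.compile(r"Shorewall:(\w+):(\w+):")   # chain and disposition
FIELD = re.compile(r"(\w+)=(\S*)")               # KEY=value, value may be empty

def parse(line):
    """Split one Shorewall log line into a dict, or return None if it is not one."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group(1), "disposition": m.group(2)}
    for key, value in FIELD.findall(line[m.end():]):
        rec.setdefault(key, value)  # LEN appears twice; keep the IP-level one
    return rec

def ipsec_kind(rec):
    """Classify a record as IKE (UDP port 500), ESP (IP protocol 50) or neither."""
    proto = rec.get("PROTO", "").upper()
    if proto in ("ESP", "50"):
        return "ESP"
    if proto in ("UDP", "17") and rec.get("DPT") == "500":
        return "IKE"
    return None

def dropped_ipsec(log_text):
    """Count dropped or rejected IKE/ESP packets per (interface, src, dst, kind)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["disposition"] in ("DROP", "REJECT"):
            kind = ipsec_kind(rec)
            if kind:
                hits[(rec.get("IN", "?"), rec.get("SRC"), rec.get("DST"), kind)] += 1
    return hits

if __name__ == "__main__":
    for (iface, src, dst, kind), n in sorted(dropped_ipsec(SAMPLE_LOG).items()):
        print(f"{n:3d} dropped {kind} packets on {iface}: {src} -> {dst}")
```

An empty result after the rules are in place means neither IKE nor ESP from the peer is reaching the logging chain any more.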