[Shorewall-users] IpSec problem from local box to company server

Les Hazelton seawolf@attglobal.net
Wed, 9 Jan 2002 16:21:05 -0500


WOW! Talk about fast response.  Thanks Tom.  I am testing it now.  I should
know in a few minutes.  I scanned more of my logs and found several
addresses in the 192.128. net in the reject messages.  I am sure it is a
server farm.

I entered the rules as:

ACCEPT net:192.128.0.0/16  loc:192.168.0.5 ....

Thanks for the help - greatly appreciated.

Les Hazelton

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Les Hazelton" <seawolf@attglobal.net>; <shorewall-users@shorewall.net>
Sent: Wednesday, January 09, 2002 3:46 PM
Subject: Re: [Shorewall-users] IpSec problem from local box to company server


Les,

On Wednesday 09 January 2002 12:39 pm, Les Hazelton wrote:
> I have a problem with my IpSec tunnels. They work for a few minutes and
> then die.  My firewall is running shorewall 1.2.2.  The connection to the
> net is via ppp0 dial. The local network interface is eth0 which connects
> to a LinkSys 10/100 switch. Most of the systems in the house are for
> personal use and don't use IpSec. They all work just fine.
>
> The work system is a Thinkpad running Win98-SE and a Nortel Extranet
> IpSec client.  This all worked without a problem while I was using an
> older Linux kernel and Seawall for the firewall.  When I switched to a
> 2.4.17 kernel and shorewall the IpSec problem started.
>
> The message log shows an incoming udp packet rejected at about the same
> time as the tunnel failure.  See below:
>
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
> .... and many more ...
>
> I have not placed any entries in the /etc/shorewall/tunnels file because
> it looked to me like that was to define tunnels with endpoints on the
> firewall system.  All my tunnels should be masked from local through the
> firewall to a company server somewhere in the ether.
>
> I would greatly appreciate any pointers - i.e., what am I doing wrong???

I would try adding a couple of rules:

ACCEPT net:192.128.133.43 loc:<thinkpad ip> 50 - - all
ACCEPT net:192.128.133.43 loc:<thinkpad ip> udp 500 0 all

See if that helps.
-Tom
--
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
-------------------------------------------
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users
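The two rules Tom suggests cover the two halves of an IPsec tunnel that a firewall in the middle has to let through: IKE (UDP port 500) and ESP (IP protocol 50). The script below is an added example, not code from the thread or from Shorewall: it reads "Shorewall:...:DROP" log lines of the kind Les pasted and emits one ACCEPT line per peer for each of those two protocols, in the column order Tom used (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT). The sample log is constructed to match the lines in the thread; the ESP drop line and the unrelated TCP line are invented to show the script distinguishing them, and the ThinkPad address 192.168.0.5 is taken from Les's own rule.

```shell
#!/bin/sh
# Added example (not from the original post or from Shorewall itself):
# derive per-peer IPsec pass-through rules for /etc/shorewall/rules from
# "Shorewall:net2all:DROP" log lines.  Assumes the 1.2-era rule layout
# Tom used: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT.

# Constructed sample: the first two lines mirror the ones in the thread,
# the ESP line is what the kernel LOG target prints for protocol 50, and
# the TCP line is unrelated noise that must not produce a rule.
SAMPLE_LOG='Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=192.128.133.43 DST=32.226.176.107 LEN=120 TOS=0x00 PREC=0x00 TTL=55 ID=25251 PROTO=ESP SPI=0x12345678
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=10.9.8.7 DST=32.226.176.107 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 SYN'

# ipsec_rules LAN_IP  < log lines on stdin
# Prints one ACCEPT line per (peer, kind) pair seen, where kind is IKE
# (udp/500) or ESP (protocol 50).  Any other dropped packet is ignored,
# and duplicates (retransmits, as in the thread) are collapsed.
ipsec_rules() {
    awk -v lan="$1" '
        /Shorewall:[^ ]*:DROP:IN=ppp0/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (proto == "UDP" && dpt == "500") key = src " udp"
            else if (proto == "ESP")            key = src " 50"
            else next
            if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        }
        END {
            for (i = 1; i <= n; i++) {
                split(order[i], f, " ")
                if (f[2] == "udp")
                    printf "ACCEPT\tnet:%s\tloc:%s\tudp\t500\n", f[1], lan
                else
                    printf "ACCEPT\tnet:%s\tloc:%s\t50\n", f[1], lan
            }
        }'
}

# Stand-alone run: feed the constructed log through the generator.
printf '%s\n' "$SAMPLE_LOG" | ipsec_rules 192.168.0.5
```

Run against the sample it prints exactly two rules, both for 192.128.133.43: one for IKE and one for ESP. Generating rules per observed peer keeps the opening narrower than a blanket net:192.128.0.0/16, at the cost of having to re-run it when the concentrator moves; if the log shows a handful of peer addresses that really are one server farm, listing each of them is still tighter than the whole /16.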