[Shorewall-users] IpSec problem from local box to company server
Wed, 9 Jan 2002 16:21:05 -0500
WOW! Talk about fast response. Thanks Tom. I am testing it now. I should
know in a few minutes. I scanned more of my logs and found several
addresses in the 192.128. net in the reject messages. I am sure it is a
I entered the rules as:
ACCEPT net:188.8.131.52/16 loc:192.168.0.5 ....
Thanks for the help - greatly appreciated.
----- Original Message -----
From: "Tom Eastep" <firstname.lastname@example.org>
To: "Les Hazelton" <email@example.com>; <firstname.lastname@example.org>
Sent: Wednesday, January 09, 2002 3:46 PM
Subject: Re: [Shorewall-users] IpSec problem from local box to company
On Wednesday 09 January 2002 12:39 pm, Les Hazelton wrote:
> I have a problem with my IpSec tunnels. They work for a few minutes and
> then die. My firewall is running shorewall 1.2.2. The connection to the
> net is via ppp0 dial. The local network interface is eth0 which connects
> a LinkSys 10/100 switch. Most of the systems in the house are for personal
> use and don't use IpSec. They all work just fine.
> The work system is a Thinkpad running Win98-SE and a Nortel Extranet
> client. This all worked without a problem while I was using an older
> kernel and Seawall for the firewall. When I switched to a 2.4.17 kernel
> and shorewall the IpSec problem started.
> The message log shows an incoming udp packet rejected at about the same
> time as the tunnel failure. See below:
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=184.108.40.206 DST=220.127.116.11 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=18.104.22.168 DST=22.214.171.124 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
> .... and many more ...
> I have not placed any entries in the /etc/shorewall/tunnels file because it
> looked to me like that was to define tunnels with endpoints on the
> system. All my tunnels should be masked from local through the firewall to
> a company server somewhere in the ether.
> I would greatly appreciate any pointers - i.e., what am I doing wrong???
I would try adding a couple of rules:
ACCEPT net:126.96.36.199 loc:<thinkpad ip> 50 - - all
ACCEPT net:188.8.131.52 loc:<thinkpad ip> udp 500 0 all
See if that helps.
Tom Eastep \ A Firewall for Linux 2.4.*
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ email@example.com
Shorewall-users mailing list
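As an added example (not code from the thread or from the Shorewall project), the script below parses Shorewall log lines of the form quoted above, counts the dropped IKE (UDP port 500) and ESP (IP protocol 50) packets per remote peer, and prints rule lines in the shape Tom suggests for a given LAN host. The log sample is constructed with documentation addresses; the `ACCEPT net:<peer> loc:<host> <proto> <port>` column layout is taken from the rules in the thread and is an assumption about the rules file, so check it against your Shorewall version's documentation before pasting.

```python
import re
from collections import Counter

# Constructed sample log in the Shorewall/netfilter format quoted in the
# thread. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=192.0.2.5 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=192.0.2.5 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=203.0.113.10 DST=192.0.2.5 LEN=120 TOS=0x00 PREC=0x00 TTL=55 ID=25251 PROTO=50
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=192.0.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=4444 DPT=23
"""

# "Shorewall:<chain>:<disposition>:<netfilter key=value fields>"
LINE_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_line(line):
    """Turn one Shorewall log line into a dict; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # netfilter logs LEN twice (IP length, then UDP length); keep the first
            rec.setdefault(key, val)
    return rec


def is_ipsec(rec):
    """True for ESP/AH or IKE (UDP 500) packets, the traffic the tunnel needs."""
    proto = rec.get("PROTO", "").upper()
    if proto in ("50", "ESP", "51", "AH"):
        return True
    return proto == "UDP" and rec.get("DPT") == "500"


def dropped_ipsec_peers(log_text):
    """Count dropped IPsec packets as {(SRC, PROTO): n}."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and is_ipsec(rec):
            counts[(rec["SRC"], rec["PROTO"].upper())] += 1
    return counts


def suggest_rules(peers, lan_host):
    """Rule lines (assumed layout: ACTION SOURCE DEST PROTO PORT) per peer."""
    rules = []
    for src in sorted({src for src, _ in peers}):
        rules.append(f"ACCEPT\tnet:{src}\tloc:{lan_host}\t50")          # ESP
        rules.append(f"ACCEPT\tnet:{src}\tloc:{lan_host}\tudp\t500")    # IKE
    return rules


if __name__ == "__main__":
    peers = dropped_ipsec_peers(SAMPLE_LOG)
    for (src, proto), n in sorted(peers.items()):
        print(f"{n:4d} dropped {proto} packets from {src}")
    print("\n".join(suggest_rules(peers, "192.168.0.5")))
```

Only packets that were actually dropped and look like IKE or ESP are counted, so unrelated drops (the TCP line in the sample) do not produce rules; narrowing each ACCEPT to the specific peer address, as Tom does, keeps the opening as small as the tunnel requires.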