[Shorewall-users] IpSec problem from local box to company server

Les Hazelton seawolf@attglobal.net
Wed, 9 Jan 2002 16:21:05 -0500

WOW! Talk about fast response.  Thanks Tom.  I am testing it now.  I should
know in a few minutes.  I scanned more of my logs and found several
addresses in the 192.128. net in the reject messages.  I am sure it is a
server farm.

I entered the rules as:

ACCEPT net:  loc: ....

Thanks for the help - greatly appreciated.

Les Hazelton

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Les Hazelton" <seawolf@attglobal.net>; <shorewall-users@shorewall.net>
Sent: Wednesday, January 09, 2002 3:46 PM
Subject: Re: [Shorewall-users] IpSec problem from local box to company


On Wednesday 09 January 2002 12:39 pm, Les Hazelton wrote:
> I have a problem with my IpSec tunnels. They work for a few minutes and
> then die.  My firewall is running shorewall 1.2.2.  The connection to the
> net is via ppp0 dial. The local network interface is eth0 which connects
> to a LinkSys 10/100 switch. Most of the systems in the house are for personal
> use and don't use IpSec. They all work just fine.
> The work system is a Thinkpad running Win98-SE and a Nortel Extranet
> client.  This all worked without a problem while I was using an older
> kernel and Seawall for the firewall.  When I switched to a 2.4.17 kernel
> and shorewall the IpSec problem started.
> The message log shows an incoming udp packet rejected at about the same
> time as the tunnel failure.  See below:
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC= DST= LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC= DST= LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
> .... and many more ...
> I have not placed any entries in the /etc/shorewall/tunnels file because
> it looked to me like that was to define tunnels with endpoints on the
> system.  All my tunnels should be masked from local through the firewall
> to a company server somewhere in the ether.
> I would greatly appreciate any pointers - i.e., what am I doing wrong???

I would try adding a couple of rules:

ACCEPT net loc:<thinkpad ip> 50 - - all
ACCEPT net loc:<thinkpad ip> udp 500 0 all

See if that helps.
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Shorewall-users mailing list