[Shorewall-users] IpSec problem from local box to company server

Martinez, Mike (MHS-ACS) Mike.Martinez@mhs-helpdesk.com
Wed, 9 Jan 2002 15:25:07 -0600


We also run a Nortel VPN and use the Extranet Client. All of our clients
connect to everything on our network without any problems. It sits in our
DMZ on our network. In addition to Tom's rules you also need to add another
rule for the Encapsulating Security Payload (ESP) protocol.

On our firewall we have entries like this for the Extranet client in our
rules file.

ACCEPT	net			dmz		udp	500
ACCEPT	net			dmz		esp

Hope this helps

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Wednesday, January 09, 2002 2:46 PM
To: Les Hazelton; shorewall-users@shorewall.net
Subject: Re: [Shorewall-users] IpSec problem from local box to company


On Wednesday 09 January 2002 12:39 pm, Les Hazelton wrote:
> I have a problem with my IpSec tunnels. They work for a few minutes and
> then die.  My firewall is running shorewall 1.2.2.  The connection to the
> net is via ppp0 dial. The local network interface is eth0, which connects to
> a LinkSys 10/100 switch. Most of the systems in the house are for personal
> use and don't use IpSec. They all work just fine.
> The work system is a Thinkpad running Win98-SE and a Nortel Extranet
> client.  This all worked without a problem while I was using an older
> kernel and Seawall for the firewall.  When I switched to a 2.4.17 kernel
> and shorewall the IpSec problem started.
> The message log shows an incoming udp packet rejected at about the same
> time as the tunnel failure.  See below:
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC= DST= LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
> Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC= DST= LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=UDP SPT=500 DPT=500 LEN=84
> .... and many more ...
> I have not placed any entries in the /etc/shorewall/tunnels file because
> it looked to me like that was to define tunnels with endpoints on the
> system.  All my tunnels should be masked from local through the firewall
> to a company server somewhere in the ether.
> I would greatly appreciate any pointers - i.e., what am I doing wrong???

I would try adding a couple of rules:

ACCEPT	net	loc:<thinkpad ip>	50	-	-
ACCEPT	net	loc:<thinkpad ip>	udp	500	0

See if that helps.
Tom Eastep    \ A Firewall for Linux 2.4.*
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Shorewall-users mailing list
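The rules Tom and Mike give above both come down to the same two things an IPsec client behind Shorewall needs let through: IKE/ISAKMP on UDP port 500 and the ESP payload itself, IP protocol 50. The following is an added example, not code from the thread or from the Shorewall project: a small Python parser for the Shorewall (iptables LOG target) lines quoted in Les's message that flags which drops belong to an IPsec exchange and prints the Shorewall 1.2-style rules line that would accept them. The sample log lines are constructed (the original had the addresses blanked; the addresses here are made-up RFC 5737 ones, and the ESP line is an assumed one), the zone names net/loc are taken from Les's setup, and the logged DST is used as the destination host. That last point is an assumption to check: when the firewall masquerades the Thinkpad and the packet is dropped before de-NAT, DST is the firewall's own ppp0 address, and the rule should name the internal host the way Tom's `loc:<thinkpad ip>` does.

```python
import re
from typing import Optional

# Constructed sample log lines, modelled on the net2all:DROP entries quoted in
# the thread. Addresses are made up (RFC 5737); the ESP line is assumed, not
# from the original log. Older 2.4 kernels may log ESP as PROTO=50 instead.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=104 TOS=0x00 PREC=0x00 TTL=55 ID=21414 PROTO=UDP SPT=500 DPT=500 LEN=84
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=136 TOS=0x00 PREC=0x00 TTL=55 ID=25250 PROTO=ESP SPI=0x1a2b3c4d
Shorewall:net2all:DROP:IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=1 PROTO=TCP SPT=4444 DPT=22
"""

_PREFIX = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$")

# The kernel logs unknown/numeric protocols as a number; map the IPsec ones.
IP_PROTO_NAMES = {"50": "ESP", "51": "AH"}


def parse_shorewall_log(line: str) -> Optional[dict]:
    """Split one Shorewall LOG line into a dict of KEY=value fields.

    The kernel prints LEN= twice (IP total length, then the UDP/TCP length);
    the second occurrence is kept as L4_LEN so neither value is lost.
    """
    m = _PREFIX.match(line.strip())
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("rest").split():
        key, _, val = tok.partition("=")
        if key in fields:
            key = "L4_" + key
        fields[key] = val
    return fields


def classify_ipsec(fields: dict) -> Optional[str]:
    """Return 'isakmp', 'esp' or 'ah' for an IPsec-related packet, else None."""
    proto = fields.get("PROTO", "")
    proto = IP_PROTO_NAMES.get(proto, proto).upper()
    if proto == "UDP" and fields.get("DPT") == "500":
        return "isakmp"
    if proto == "ESP":
        return "esp"
    if proto == "AH":
        return "ah"
    return None


def suggest_rule(fields: dict, src_zone: str = "net", dest_zone: str = "loc",
                 dest_host: Optional[str] = None) -> Optional[str]:
    """Build the /etc/shorewall/rules line that would have accepted this packet.

    Zone names are an assumption: the log records interfaces, not zones, so the
    caller maps them (ppp0 -> net, the Thinkpad -> loc in the thread's setup).
    dest_host overrides the logged DST when that is the firewall's own
    masquerading address rather than the internal client.
    """
    kind = classify_ipsec(fields)
    if kind is None:
        return None
    dest = f"{dest_zone}:{dest_host or fields['DST']}"
    if kind == "isakmp":
        return f"ACCEPT\t{src_zone}\t{dest}\tudp\t500"
    proto_num = "50" if kind == "esp" else "51"
    return f"ACCEPT\t{src_zone}\t{dest}\t{proto_num}"


def rules_for_log(text: str, dest_host: Optional[str] = None) -> list:
    """Deduplicated rules needed for every IPsec drop in a log excerpt."""
    seen, out = set(), []
    for line in text.splitlines():
        fields = parse_shorewall_log(line)
        if not fields:
            continue
        rule = suggest_rule(fields, dest_host=dest_host)
        if rule and rule not in seen:
            seen.add(rule)
            out.append(rule)
    return out


if __name__ == "__main__":
    # The TCP/22 line is ignored; only the ISAKMP and ESP drops produce rules.
    for rule in rules_for_log(SAMPLE_LOG):
        print(rule)
```

Run it against a real `dmesg` or syslog excerpt by feeding the text to `rules_for_log`; if the firewall masquerades the client, pass `dest_host="<thinkpad ip>"` so the generated lines match Tom's form. Note that accepting ESP by protocol number alone (no port) is unavoidable, since ESP carries no ports, which is why Tom's rule for protocol 50 has no port columns.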