On Tue, 30 Apr 2002, Eric B Kiser wrote:

> I have finally gotten the opportunity to test this out...
>
> I added these lines to the bottom /etc/shorewall/rules and I am still unable
> to connect to my IPsec endpoint on the other side of my Bering box. These
> are the only modifications from the default install of Bering.
>
> ACCEPT        net     loc     udp     500
> ACCEPT        loc     net     udp     500
> ACCEPT        net     loc     50,51   all
> ACCEPT        loc     net     50,51   all
>
> Did I miss something?
> Put these in the wrong place?
> um ...?

Three things:

a) If you are using NAT or Masquerade, you must use port forwarding rules
for net->loc.

b) In that case, you don't need to pass protocol 51 since ESP and NAT
don't mix.

c) The default Bering loc->net policy is ACCEPT so your loc->net rules are
just so much extra noise.

The port forward rules would look like:

ACCEPT net loc:<local endpoint ip> udp 500 - all
ACCEPT net loc:<local endpoint ip> 50  -   - all

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
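Tom's three points, expressed as a check over a rules file. This is an added example for this thread, not Shorewall's own code; it assumes the column order ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST used by the rules quoted above, and 192.0.2.10 is a constructed stand-in for the local endpoint IP.

```python
# Rules as Eric posted them, and Tom's port-forward form with a constructed
# local endpoint address (192.0.2.10 is a placeholder, not from the thread).
ORIGINAL_RULES = """
ACCEPT        net     loc     udp     500
ACCEPT        loc     net     udp     500
ACCEPT        net     loc     50,51   all
ACCEPT        loc     net     50,51   all
"""
FORWARDED_RULES = """
ACCEPT net loc:192.0.2.10 udp 500 - all
ACCEPT net loc:192.0.2.10 50  -   - all
"""

COLUMNS = ("action", "src", "dst", "proto", "dport", "sport", "origdest")

def parse_rules(text):
    """Split each rule line into the seven columns, padding missing ones with '-'."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        cols = line.split()
        if len(cols) < 4:
            raise ValueError(f"line {n}: need at least ACTION SOURCE DEST PROTO")
        cols += ["-"] * (len(COLUMNS) - len(cols))
        rule = dict(zip(COLUMNS, cols))
        rule["dst_zone"], _, rule["dst_host"] = rule["dst"].partition(":")
        rules.append((n, rule))
    return rules

def check_rules(text, masquerading=True, loc_net_policy="ACCEPT"):
    """Return (line, code, message) findings for the three problems in the reply."""
    findings = []
    for n, r in parse_rules(text):
        protos = {p.lower() for p in r["proto"].split(",")}
        net_to_loc = r["src"] == "net" and r["dst_zone"] == "loc"
        # a) behind NAT, net->loc traffic only arrives if it is forwarded to a
        #    specific host: DEST must carry a host and ORIGINAL DEST must be set
        if masquerading and net_to_loc and (not r["dst_host"] or r["origdest"] == "-"):
            findings.append((n, "NOT_FORWARDED", "net->loc rule is not a port forward"))
        # b) AH (protocol 51) authenticates the IP header, so it cannot pass through NAT
        if masquerading and protos & {"51", "ah"}:
            findings.append((n, "AH_UNDER_NAT", "protocol 51 cannot traverse NAT"))
        # c) with an ACCEPT loc->net policy, explicit ACCEPT rules add nothing
        if r["action"] == "ACCEPT" and r["src"] == "loc" and r["dst_zone"] == "net" \
                and loc_net_policy == "ACCEPT":
            findings.append((n, "REDUNDANT", "loc->net already accepted by policy"))
    return findings
```

Running `check_rules(ORIGINAL_RULES)` reports each of Eric's four lines; `check_rules(FORWARDED_RULES)` returns nothing.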