Tom, thanks for getting back to me so quickly yesterday. I have success! I am using NAT and these rules...
ACCEPT net loc udp 500
ACCEPT net loc 50 all

Thanks for your help, works like a charm.

/Eric

-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 8:15 PM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] Testing IPsec pass-through

On Tue, 30 Apr 2002, Eric B Kiser wrote:

> I have finally gotten the opportunity to test this out...
>
> I added these lines to the bottom of /etc/shorewall/rules and I am still
> unable to connect to my IPsec endpoint on the other side of my Bering box.
> These are the only modifications from the default install of Bering.
>
> ACCEPT net loc udp 500
> ACCEPT loc net udp 500
> ACCEPT net loc 50,51 all
> ACCEPT loc net 50,51 all
>
> Did I miss something?
> Put these in the wrong place?
> um ...?

Three things:

a) If you are using NAT or Masquerade, you must use port forwarding rules
   for net->loc.

b) In that case, you don't need to pass protocol 51 since ESP and NAT
   don't mix.

c) The default Bering loc->net policy is ACCEPT, so your loc->net rules are
   just so much extra noise.

The port forward rules would look like:

ACCEPT net loc:<local endpoint ip> udp 500 - all
ACCEPT net loc:<local endpoint ip> 50 - - all

-Tom
--
Tom Eastep      \ Shorewall - iptables made easy
AIM: tmeastep    \ http://www.shorewall.net
ICQ: #60745924    \ [EMAIL PROTECTED]
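Added example for this thread (my code, not Shorewall's and not either poster's): a small lint that reads a rules file in the column layout quoted above and reports the three problems Tom's reply names: behind NAT/masquerade a net->loc IPsec rule must be a port forward (a host address in DEST), protocol 51 (AH) is pointless behind NAT, and loc->net rules are redundant when that policy is already ACCEPT. The column layout, the `:`-in-DEST test for a port forward, the 10.0.0.5 endpoint address and both sample rule sets are assumptions or constructed for the demo; the script only parses text and never touches Shorewall or iptables.

```python
"""Lint Shorewall-1.x-style rules for IPsec pass-through behind NAT.

Assumed column layout (as in the rules quoted in the thread):
    ACTION  SOURCE  DEST  PROTO  DEST_PORT  [SOURCE_PORT]  [ORIGINAL_DEST]
Assumed: a host address in DEST ("loc:10.0.0.5") marks a port-forward rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

IKE_PORT = "500"       # IKE/ISAKMP runs over UDP 500
ESP, AH = "50", "51"   # IP protocol numbers; AH does not survive NAT


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: Optional[str] = None
    sport: Optional[str] = None
    origdest: Optional[str] = None

    def __str__(self) -> str:
        cols = (self.action, self.source, self.dest, self.proto,
                self.dport, self.sport, self.origdest)
        return " ".join(c for c in cols if c)

    @property
    def protos(self) -> Set[str]:
        return set(self.proto.lower().split(","))   # "50,51" -> {"50","51"}

    @property
    def is_port_forward(self) -> bool:
        return ":" in self.dest                     # e.g. "loc:10.0.0.5" (assumption)

    @property
    def is_ike(self) -> bool:
        return "udp" in self.protos and self.dport == IKE_PORT

    @property
    def is_ipsec(self) -> bool:
        return self.is_ike or bool(self.protos & {ESP, AH})


def parse_rules(text: str) -> List[Rule]:
    """Parse the rules file; '#' comments and blank lines are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if not 4 <= len(cols) <= 7:
            raise ValueError(f"line {lineno}: expected 4-7 columns, got {len(cols)}")
        rules.append(Rule(*cols))
    return rules


def lint(rules: List[Rule], nat: bool = True,
         loc_net_policy: str = "ACCEPT") -> List[Tuple[str, str]]:
    """Return (finding, rule) pairs; an empty list means the file passes."""
    findings: List[Tuple[str, str]] = []
    usable: Set[str] = set()   # IPsec pieces that actually reach the endpoint
    for r in rules:
        if r.action.upper() != "ACCEPT" or not r.is_ipsec:
            continue
        if r.source == "net" and r.dest.startswith("loc"):
            if nat and AH in r.protos:                 # point (b)
                findings.append(("ah-behind-nat", str(r)))
            if nat and not r.is_port_forward:          # point (a)
                findings.append(("needs-port-forward", str(r)))
                continue                               # rule is not usable as written
            if r.is_ike:
                usable.add("ike")
            if ESP in r.protos:
                usable.add("esp")
        elif r.source == "loc" and r.dest == "net" \
                and loc_net_policy.upper() == "ACCEPT":  # point (c)
            findings.append(("redundant-loc-net", str(r)))
    for piece in ("ike", "esp"):                       # both halves must get through
        if piece not in usable:
            findings.append((f"missing-{piece}", ""))
    return findings


# Constructed samples: the rules as first posted, and Tom's port-forward form
# with a made-up local endpoint address in place of <local endpoint ip>.
ORIGINAL_RULES = """ACCEPT net loc udp 500
ACCEPT loc net udp 500
ACCEPT net loc 50,51 all
ACCEPT loc net 50,51 all
"""
CORRECTED_RULES = """ACCEPT net loc:10.0.0.5 udp 500 - all
ACCEPT net loc:10.0.0.5 50 - - all
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_RULES), ("corrected", CORRECTED_RULES)):
        print(name, lint(parse_rules(text), nat=True) or "OK")
```

Run it with `nat=False` to see that, without masquerade, only the two redundant loc->net lines are reported; with NAT the original set also gets two `needs-port-forward` findings, one `ah-behind-nat` and, because neither rule is usable as written, `missing-ike` and `missing-esp`.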
