Tom,

I am still a newbie here and I wanted to make sure that I understood what
you meant so here is where I am at on this.

What you suggested was this [1]:

ACCEPT net loc:<local endpoint ip> udp 500 - all
ACCEPT net loc:<local endpoint ip> 50  -   - all

I decided not to include the endpoint ip address because I wanted to be able to
use any machine on my local network. So... I did this [2]:

ACCEPT net loc udp 500
ACCEPT net loc 50  all

Following your suggestion of how I can identify the difference I used the
command "shorewall show net2loc". Below was my process:

ReBOOT with Rule [1] in place.
make ipsec connection
break ipsec connection
run "shorewall show net2loc"
record results (see [1] below)

modify shorewall config to use Rule [2]
backup config
ReBOOT with Rule [2] in place
make ipsec connection
break ipsec connection
run "shorewall show net2loc"
record results (see [2] below)

results from [1] this connection was only up for a couple of minutes.

# shorewall show net2loc
Shorewall-1.2.8 Chain net2loc at firewall - Thu May  2 15:42:01 UTC 2002

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
   27  4277 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.10       state NEW udp dpt:500
    1    88 ACCEPT     esp  --  *      *       0.0.0.0/0            192.168.1.10       state NEW
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

results from [2] this connection was up for 25 minutes.

# shorewall show net2loc
Shorewall-1.2.8 Chain net2loc at firewall - Thu May  2 16:12:20 UTC 2002

Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1331  156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:500
    0     0 ACCEPT     esp  --  *      *       0.0.0.0/0            0.0.0.0/0          state NEW
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0

The only difference here is the esp (protocol: 50) packets that were
logged. Is this the difference that you were expecting me to find? I am not
in control of the other end. Would you typically expect that a rekeying
attempt would have been made in the 25 minutes that I had left the tunnel
up?

Thanks for your assistance thus far.

/Eric

-----Original Message-----
From: Tom Eastep [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 11:24 AM
To: Eric B Kiser
Cc: [EMAIL PROTECTED]
Subject: RE: [leaf-user] Testing IPsec pass-through


On Wed, 1 May 2002, Eric B Kiser wrote:

> Since installing Bering 1.0-rc1 the only thing that I have changed in my
> shorewall config is adding the lines below. My understanding is that this is
> not static since it is my single publicly routable address on one side and I
> have three workstations using 192.168.1.x on the other side. Is static NAT
> the same as a 1:1 mapping?
>

Yes -- in that case, I doubt that the rules that you posted have any
effect. Most people using IPSEC have found that they also need incoming
rules that forward UDP 500 and protocol 50 to the endpoint (as I
recommended in a previous post).  Without such rules, the tunnel will
eventually die during a re-keying attempt.

Look at the output of "shorewall show net2loc" -- I'm betting that the
packet counts for those rules are zero.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
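Tom's check above boils down to reading the packet counters of the UDP 500 and protocol 50 (esp) rules in the net2loc chain and seeing whether they ever matched. The script below is an added example, not part of this thread or of Shorewall itself: it parses chain output in the same column layout that "shorewall show net2loc" printed in Eric's message (with each rule on a single line, as iptables prints it before mail clients wrap it), sums the counters for the IKE and ESP rules, and flags the case where a rule never matched. The embedded chain text is a constructed sample modelled on result [1]; the function names and the 0/1 exit convention are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): read "shorewall show <chain>" /
# "iptables -nv -L <chain>" style output and report whether the IPsec
# pass-through rules (UDP 500 for IKE, protocol 50 / esp) ever matched.
# SAMPLE_CHAIN is a constructed sample mirroring the thread's result [1];
# in practice feed it: shorewall show net2loc

SAMPLE_CHAIN='Chain net2loc (1 references)
 pkts bytes target     prot opt in     out     source               destination
   27  4277 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            192.168.1.10       state NEW udp dpt:500
    1    88 ACCEPT     esp  --  *      *       0.0.0.0/0            192.168.1.10       state NEW
    0     0 net2all    all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# rule_pkts CHAIN_TEXT PROTO [MATCH]
# Prints the summed packet counter of every ACCEPT rule whose protocol
# column equals PROTO and (if MATCH is given) whose line contains MATCH.
# Lines 1-2 are the "Chain ..." banner and the column header, so skip them.
rule_pkts() {
    printf '%s\n' "$1" | awk -v proto="$2" -v m="$3" '
        NR > 2 && $3 == "ACCEPT" && $4 == proto && (m == "" || index($0, m)) { sum += $1 }
        END { print sum + 0 }'
}

# ipsec_passthrough_status CHAIN_TEXT
# Echoes "ike=<n> esp=<n>"; returns 0 when both rules have non-zero
# counters (traffic reached the endpoint through the intended rules) and
# 1 when at least one of them never matched.
ipsec_passthrough_status() {
    ike=$(rule_pkts "$1" udp "dpt:500")
    esp=$(rule_pkts "$1" esp)
    echo "ike=$ike esp=$esp"
    [ "$ike" -gt 0 ] && [ "$esp" -gt 0 ]
}

# Stand-alone run against the constructed sample (prints "ike=0 esp=1"
# and the warning, since the IKE rule never matched in result [1]):
ipsec_passthrough_status "$SAMPLE_CHAIN" \
    || echo "warning: at least one IPsec pass-through rule never matched"
```

Run it once after bringing the tunnel up and again after tearing it down, the way Eric did; the counters only show that the rules were hit, so a zero next to the UDP 500 rule while the tunnel is up means the IKE exchange is not reaching that rule, which is the symptom Tom asked to look for.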




------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html