Tom Eastep wrote:
> On 9/5/10 11:03 AM, Boris wrote:
>> Hej all,
>>
>>
>> I know there are shorewall gurus inside here and my appliance is based
>> on leaf, so I'm going to ask the following here in this list:
>>
>> I have a leaf box (R1) that is openvpn (tun0) client (on non-standard
>> port 1195) to another leaf box (R2). On R1 there is also an openvpn
>> server (tun1) running (on standard port 1194). There are networks behind
>> those routers (N1 and N2). They are fully transparent through the tun0.
>>
>> When I connect to R1 with a roadwarrior through tun1, I can ping N1 but
>> not N2. From shorewall log I get this:
>>
>> Sep  5 17:51:21 nordgate2 Shorewall:FORWARD:REJECT: IN=tun0 OUT=tun1
>> MAC= SRC=10.9.1.6 DST=192.168.22.101 LEN=84 TOS=00 PREC=0x00 TTL=63 ID=0
>> DF PROTO=ICMP TYPE=8 CODE=0 ID=46350 SEQ=1
>>
>> (I might have switched tun0 and tun1 in this description). I cannot
>> allow the traffic between the two tunnels because I don't have separate
>> zones for them. In /etc/shorewall/zones there is
>> vpn    tun+
> 
> No -- that is in /etc/shorewall/interfaces :-)
> 
>>
>> This seems all right, because tun0 and tun1 are defined dynamically.
>>
>> So: How to handle??
>>
> 
> Add the 'routeback' option to that entry.
> 
> -Tom
> 

Hej Tom, hej all,

I was hoping you would answer... :-)
And yes, the FORWARD:REJECT: is gone!

There is another problem which means that I cannot ping from the Roadwarrior
to N2, but I have to analyze that before I can ask again (or possibly
solve it by myself)!

Thanks very much,


Boris
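
Added example, not part of the original thread and not Shorewall code: a small Python check that reads the log line quoted above and reports when the incoming and outgoing interface both fall under one interfaces entry (here the wildcard tun+) that lacks 'routeback'. The INTERFACES table is a constructed stand-in for /etc/shorewall/interfaces, and the function names and result strings are hypothetical.

```python
import re

# Constructed stand-in for /etc/shorewall/interfaces as described in the thread:
# one zone "vpn" on the wildcard "tun+", no options set.
INTERFACES = [("vpn", "tun+", set())]

# The log line quoted in the thread, joined onto one line.
LOG = ("Sep  5 17:51:21 nordgate2 Shorewall:FORWARD:REJECT: IN=tun0 OUT=tun1 "
       "MAC= SRC=10.9.1.6 DST=192.168.22.101 LEN=84 TOS=00 PREC=0x00 TTL=63 "
       "ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=46350 SEQ=1")

def parse_log(line):
    """Return (chain, disposition, in_if, out_if), or None if not a Shorewall line."""
    m = re.search(r"Shorewall:([^:\s]+):([^:\s]+):", line)
    if m is None:
        return None
    fields = dict(re.findall(r"\b(IN|OUT)=(\S*)", line))
    return m.group(1), m.group(2), fields.get("IN", ""), fields.get("OUT", "")

def entry_for(iface, interfaces):
    """Find the entry covering iface; a trailing '+' matches any suffix."""
    for entry in interfaces:
        pattern = entry[1]
        if pattern.endswith("+"):
            if iface.startswith(pattern[:-1]):
                return entry
        elif iface == pattern:
            return entry
    return None

def diagnose(line, interfaces):
    """Classify a logged forward by the interface entries involved."""
    parsed = parse_log(line)
    if parsed is None:
        return "not-shorewall"
    chain, _disposition, in_if, out_if = parsed
    src, dst = entry_for(in_if, interfaces), entry_for(out_if, interfaces)
    if not in_if or not out_if or src is None or dst is None:
        return "unmatched-interface"
    if src is dst and "routeback" not in src[2]:
        # Traffic enters and leaves through the same entry: the thread's case.
        return "same-entry-no-routeback:" + src[1]
    return "check-policy:%s->%s" % (src[0], dst[0])

if __name__ == "__main__":
    print(diagnose(LOG, INTERFACES))
```

With 'routeback' present on the entry, the same log line is classified as a policy or rules question between zones instead.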

