-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
On 11/28/2016 09:07 AM, Tom Eastep wrote:
>
>
> Do you have nested tunnels here? Normally, ESP packets would not
> themselves require 'pol ipsec'.
>
It would probably be most useful if you would forward to me personally
the output of 'shorewall
On 11/28/2016 01:38 AM, John Depp wrote:
> Hello everyone! I'm using Debian, Shorewall and Strongswan on my
> linux routers. It seems Shorewall doesn't allow input of ESP packets,
> formed by ipsec initiated by Strongswan.
>
> I have the following line
I do have an ipsec zone, and it compiles to rules all right:
5 380 vpnpx-fw all -- * * 192.168.0.0/16 0.0.0.0/0
policy match dir in pol ipsec mode tunnel
It's external IPs and ESP packets I have trouble with.
Thank you.
2016-11-28 16:07 GMT+03:00 Bill Shirley <
b...@ul
Arrg, sorry:
#ZONE TYPE OPTIONS IN OUT
sfn ipsec
Bill
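For readers following the zones-file suggestion above, here is a complete layout of the three Shorewall files involved (zones, hosts, tunnels). It is an added example, not configuration posted by anyone in this thread; the zone names, the interface name eth0, the LAN range and the peer address 203.0.113.10 are placeholders. It shows the two different things being discussed: a zone of type ipsec, which matches traffic that arrived inside an IPsec SA (the "policy match ... pol ipsec" rules), and a tunnels entry, which is what admits the outer ESP/AH and IKE packets from the peer's public address into the net zone.

```text
# /etc/shorewall/zones   (added example; names are placeholders)
# An ipsec zone must be populated through the hosts file and is listed
# before the ipv4 zones it overlaps so that it is matched first.
#ZONE   TYPE       OPTIONS   IN_OPTIONS   OUT_OPTIONS
fw      firewall
vpn     ipsec
net     ipv4
loc     ipv4

# /etc/shorewall/hosts   (added example)
# Remote LANs that are only reachable inside the tunnel; the generated
# rules for this zone carry "-m policy --dir in --pol ipsec".
#ZONE   HOSTS                  OPTIONS
vpn     eth0:192.168.0.0/16

# /etc/shorewall/tunnels   (added example; peer address is a placeholder)
# This entry, not the zone type, opens the outer packets: ESP (proto 50),
# AH (proto 51) and IKE (udp 500) to and from the peer in the net zone.
#TYPE   ZONE   GATEWAY         GATEWAY_ZONE
ipsec   net    203.0.113.10
```

If the peer sits behind NAT, the tunnel type ipsecnat is the one that additionally admits UDP 4500 (NAT-T); with a plain ipv4 zone and no tunnels entry, the encrypted packets themselves are dropped by the net policy before any policy-match rule is reached.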
On 11/28/2016 8:07 AM, Bill Shirley wrote:
> Try type ipsec in your zones file:
> #ZONE TYPE OPTIONS IN OUT
> sfn
From: Tom Eastep
> Configure ipset-based dynamic blacklisting:
> DYNAMIC_BLACKLIST=ipset-only,timeout=3600::info
>
> then put this at the bottom of your rules:
>
> ADD(SW_DBL4,src)   net   $FW
I believe the separator is : instead of ,.
I have this now
Try type ipsec in your zones file:
#ZONE TYPE OPTIONS IN OUT
sfn ipv4
It generates:
0 0 fw-sfn all -- * * 0.0.0.0/0 192.168.4.0/24
policy match dir out pol ipsec
Bill
On 11/28/2016 4:38 AM,
Hello everyone!
I'm using Debian, Shorewall and Strongswan on my linux routers.
It seems Shorewall doesn't allow input of ESP packets, formed by ipsec
initiated by Strongswan.
I have the following line tunnels:
#TYPE ZONE GATEWAY GATEWAY_ZONE
ipsec net xx.x