[Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-28 Thread John Depp
Hello everyone! I'm using Debian, Shorewall and Strongswan on my Linux routers. It seems Shorewall doesn't allow input of ESP packets formed by IPsec initiated by Strongswan. I have the following line in tunnels: #TYPE ZONE GATEWAY GATEWAY_ZONE ipsec net xx.x

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-28 Thread Bill Shirley
Try type ipsec in your zones file: #ZONE TYPE OPTIONS IN OUT sfn ipv4 It generates: 0 0 fw-sfn all -- * * 0.0.0.0/0 192.168.4.0/24 policy match dir out pol ipsec Bill On 11/28/2016 4:38 AM,

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-28 Thread Bill Shirley
Arrg, sorry: #ZONE TYPE OPTIONS IN OUT sfn ipsec Bill On 11/28/2016 8:07 AM, Bill Shirley wrote: > Try type ipsec in your zones file: > #ZONE TYPE OPTIONS IN OUT > sfn

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-28 Thread John Depp
I do have an ipsec zone, and it compiles to rules all right: 5 380 vpnpx-fw all -- * * 192.168.0.0/16 0.0.0.0/0 policy match dir in pol ipsec mode tunnel. It's the external IPs and ESP packets I have trouble with. Thank you. 2016-11-28 16:07 GMT+03:00 Bill Shirley < b...@ul

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-28 Thread Tom Eastep
On 11/28/2016 01:38 AM, John Depp wrote: > Hello everyone! I'm using Debian, Shorewall and Strongswan on my > Linux routers. It seems Shorewall doesn't allow input of ESP packets > formed by IPsec initiated by Strongswan. > > I have the following line

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-28 Thread Tom Eastep
On 11/28/2016 09:07 AM, Tom Eastep wrote: > > > Do you have nested tunnels here? Normally, ESP packets would not > themselves require 'pol ipsec'. > It would probably be most useful if you would forward to me personally the output of 'shorewall

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-29 Thread Tom Eastep
On 11/28/2016 10:19 AM, Tom Eastep wrote: > On 11/28/2016 09:07 AM, Tom Eastep wrote: > > > >> Do you have nested tunnels here? Normally, ESP packets would not >> themselves require 'pol ipsec'. > > > It would probably be most useful if you wou

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-11-30 Thread John Depp
Sorry for the delay. I'm pretty sure those proto 4 IPIP are ESP packets - I was using ping for testing and was capturing them with tshark, and they were marked ESP there. 2016-11-30 1:24 GMT+03:00 Tom Eastep : > On 11/28/2016 10:19 AM, Tom Eastep

Re: [Shorewall-users] shorewall and Strongswan - possible incompatibility?

2016-12-03 Thread Tuomo Soini
On Wed, 30 Nov 2016 13:30:46 +0300 John Depp wrote: > Sorry for the delay > I'm pretty sure those proto 4 IPIP are ESP packets - I was using ping > for testing and was capturing them with tshark, and they were marked > ESP there. ipcomp causes that. If you want to allow that, you need to add followi
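As an added example (not code from this thread, from Shorewall or from strongSwan), the script below parses a constructed `ip xfrm state` dump and lists, per peer, what the gateway's INPUT chain has to accept, including the protocol 4 (IP-in-IP) traffic that IPComp produces and that John saw being dropped. It assumes this gateway's public address is 198.51.100.20, uses documentation addresses with made-up SPIs and keys, and takes the Shorewall tunnel TYPE names ipsec, ipsecnat and ipip from tunnels(5). The kernel behaviour it encodes (strongSwan installs ESP in transport mode on top of an IPComp tunnel SA; Linux sends packets that were not compressed as plain IP-in-IP, and once the transport-mode ESP is stripped they pass through netfilter as protocol 4 from the peer) is the editor's reading of the Linux xfrm input path, consistent with Tuomo Soini's explanation above.

```python
"""Added example (not from this thread, Shorewall or strongSwan): parse the
kernel SA table (`ip xfrm state`) and list what the gateway's INPUT chain must
accept from each peer, including protocol 4 (IP-in-IP) for an IPComp tunnel SA."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `ip xfrm state` dump (documentation addresses, made-up keys).
# 203.0.113.10: strongSwan child with compress=yes, i.e. ESP in transport mode
# stacked on an IPComp SA in tunnel mode.  192.0.2.5: plain ESP tunnel-mode SA
# with UDP encapsulation (NAT-T).  One outbound SA is included to be skipped.
SAMPLE_XFRM_STATE = """\
src 203.0.113.10 dst 198.51.100.20
\tproto esp spi 0xc9a1b2c3 reqid 1 mode transport
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 203.0.113.10 dst 198.51.100.20
\tproto comp spi 0x0000a1b2 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\tcomp deflate
src 198.51.100.20 dst 203.0.113.10
\tproto esp spi 0xc0ffee01 reqid 1 mode transport
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0xffeeddccbbaa99887766554433221100ffeeddcc 128
src 192.0.2.5 dst 198.51.100.20
\tproto esp spi 0x0badf00d reqid 2 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0x0123456789abcdef0123456789abcdef01234567 128
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
"""
LOCAL_IP = "198.51.100.20"  # this gateway's public address (assumed)


@dataclass
class XfrmSA:
    src: str
    dst: str
    proto: str = ""                     # esp, ah or comp
    mode: str = ""                      # transport or tunnel
    encap_dport: Optional[int] = None   # set when ESP is UDP-encapsulated


HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
PROTO_RE = re.compile(r"^\s*proto (\w+) spi 0x[0-9a-fA-F]+ reqid \d+ mode (\w+)")
ENCAP_RE = re.compile(r"^\s*encap type espinudp\S* sport \d+ dport (\d+)")


def parse_xfrm_state(text: str) -> List[XfrmSA]:
    """Group the dump into SAs: a 'src ... dst ...' line starts a new one."""
    sas: List[XfrmSA] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sas.append(XfrmSA(src=m.group(1), dst=m.group(2)))
        elif sas and (m := PROTO_RE.match(line)):
            sas[-1].proto, sas[-1].mode = m.group(1), m.group(2)
        elif sas and (m := ENCAP_RE.match(line)):
            sas[-1].encap_dport = int(m.group(1))
    return sas


def inbound_requirements(sas: List[XfrmSA], local_ip: str) -> List[Tuple[str, str, str]]:
    """(peer, what to accept, why) for every SA whose destination is this host.

    ESP/AH arrive as IP protocol 50/51 (or UDP when NAT-T is in use).  For an
    IPComp tunnel SA, Linux sends packets that were not compressed (too small,
    or not shrinking) as plain IP-in-IP, protocol 4, inside the transport-mode
    ESP; after ESP is stripped they re-enter netfilter as protocol 4 from the
    peer and must be accepted, which is what the thread observed with ping."""
    needed = set()
    for sa in sas:
        if sa.dst != local_ip:
            continue
        if sa.proto == "esp" and sa.encap_dport is not None:
            needed.add((sa.src, f"udp/{sa.encap_dport}", "ESP-in-UDP (NAT-T)"))
        elif sa.proto == "esp":
            needed.add((sa.src, "proto 50", "ESP"))
        elif sa.proto == "ah":
            needed.add((sa.src, "proto 51", "AH"))
        elif sa.proto == "comp" and sa.mode == "tunnel":
            needed.add((sa.src, "proto 4", "IP-in-IP fallback of the IPComp tunnel SA"))
    return sorted(needed)


def shorewall_tunnels(sas: List[XfrmSA], local_ip: str, zone: str = "net") -> List[str]:
    """Equivalent Shorewall tunnels(5) entries (TYPE ZONE GATEWAY): 'ipsec'
    covers ESP/AH/IKE, 'ipsecnat' adds UDP 4500, 'ipip' covers protocol 4."""
    entries = set()
    for peer, what, _ in inbound_requirements(sas, local_ip):
        kind = "ipip" if what == "proto 4" else "ipsecnat" if what.startswith("udp/") else "ipsec"
        entries.add(f"{kind}\t{zone}\t{peer}")
    return sorted(entries)


def main() -> None:
    sas = parse_xfrm_state(SAMPLE_XFRM_STATE)
    for peer, what, why in inbound_requirements(sas, LOCAL_IP):
        print(f"accept {what:8} from {peer:13}  # {why}")
    print("# tunnels file:\n" + "\n".join(shorewall_tunnels(sas, LOCAL_IP)))


if __name__ == "__main__":
    main()
```

On a real gateway, replace SAMPLE_XFRM_STATE with the output of `ip xfrm state` and check the result against `iptables -nvL INPUT`. Note why the ipsec zone in John's configuration did not help: the Shorewall rules it generates match `policy --dir in --pol ipsec --mode tunnel`, but with IPComp the ESP SA is in transport mode, so the protocol 4 packet that comes out of ESP decapsulation matches no zone rule and falls through to the net zone policy. An `ipip` tunnels entry for the peer gateway (or an explicit rule accepting protocol 4 from that address) is one way to accept it; an `ipsec` entry alone only opens ESP, AH and IKE.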