On Saturday 19 May 2007 16:52, Tom Eastep wrote:
> Steven Jan Springl wrote:
> > On Saturday 19 May 2007 15:58, Tom Eastep wrote:
> >> Steven Jan Springl wrote:
> >>> On Saturday 19 May 2007 15:49, Tom Eastep wrote:
> >>>> Steven Jan Springl wrote:
> >>>>> On Saturday 19 May 2007 15:33, Tom Eastep wrote:
> >>>>>> Tom Eastep wrote:
> >>>>>>> Steven Jan Springl wrote:
> >>>>>>>> Tom
> >>>>>>>>
> >>>>>>>> Having never used IPSEC, I don't know if this is a bug or I'm
> >>>>>>>> missing something.
> >>>>>>>>
> >>>>>>>> Masq file entry:
> >>>>>>>>
> >>>>>>>>      eth0  192.168.0.0/16  -  -  -  strict,next
> >>>>>>>>
> >>>>>>>> produces error:
> >>>>>>>>
> >>>>>>>> iptables-restore v1.3.6: policy match: empty policy element
> >>>>>>>>
> >>>>>>>> Coding 'strict,next' in the zones file works.
> >>>>>>>
> >>>>>>> 'strict' and 'next' are only applicable when multiple policies are
> >>>>>>> strung together. I'll investigate what is going on in the zones
> >>>>>>> file since "strict,next" shouldn't work there either.
> >>>>>>
> >>>>>> Did you just use "strict,next" and nothing else in the zones file?
> >>>>>> That shouldn't work either according to the rules generated.
> >>>>>>
> >>>>>> -Tom
> >>>>>
> >>>>> Tom
> >>>>>
> >>>>> My zones file is attached.
> >>>>
> >>>> Are the zones non-empty?
> >>>>
> >>>> -Tom
> >>>
> >>> Tom
> >>>
> >>> wan has an entry in the interfaces file, but vpn does not, and is
> >>> reported as empty at shorewall startup.
> >>
> >> Then I don't understand why it worked. Please send me the generated
> >> firewall script.
> >>
> >> Thanks,
> >> -Tom
> >
> > Tom
> >
> > Sorry, I have messed around with the zones file since reporting the
> > problem. The only zone entry that works with "strict,next" is one that is
> > empty (vpn).
>
> A valid sequence using 'strict' and 'next' would be:
>
> proto=esp,strict,next,proto=ah
>
> That would encapsulate in ESP then in AH.
>
> -Tom

Tom

Thanks, I will use that to do some further testing.

Steven.
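A small model, added here and not Shorewall's or iptables' own code, of how a comma-separated IPSEC option list is turned into the arguments of the iptables policy match, showing why 'strict,next' on its own is rejected as an empty policy element while the 'proto=esp,strict,next,proto=ah' sequence above is accepted. The option names and the cap of four elements are assumptions taken from Shorewall's IPSEC column and the kernel's xt_policy.h, not from the thread.

```python
# Assumed names for Shorewall's IPSEC column; the cap of 4 elements is
# XT_POLICY_MAX_ELEM from the kernel's xt_policy.h (neither is on the page).
ELEMENT_OPTS = ("reqid", "spi", "proto", "mode", "tunnel-src", "tunnel-dst")
MAX_ELEM = 4


def ipsec_options_to_policy_match(spec, direction="out"):
    """Translate SPEC (e.g. 'proto=esp,strict,next,proto=ah') into the argument
    list of '-m policy'; raise ValueError with an iptables-style message otherwise."""
    strict = False
    elements = [[]]           # one list of (option, value) pairs per element
    for tok in (t.strip() for t in spec.split(",")):
        if tok == "strict":
            strict = True
        elif tok == "next":   # 'next' closes the current element, starts another
            if len(elements) == MAX_ELEM:
                raise ValueError("policy match: maximum policy depth reached")
            elements.append([])
        elif "=" in tok and tok.partition("=")[0] in ELEMENT_OPTS:
            opt, _, val = tok.partition("=")
            elements[-1].append((opt, val))
        else:
            raise ValueError("policy match: unknown option %r" % tok)
    # Under --strict every element must name at least one attribute; 'strict,next'
    # closes an element that names none, hence 'empty policy element'.
    if strict and any(not e for e in elements):
        raise ValueError("policy match: empty policy element")
    args = ["-m", "policy", "--dir", direction, "--pol", "ipsec"]
    if strict:
        args.append("--strict")
    for i, element in enumerate(elements):
        if i:
            args.append("--next")
        for opt, val in element:
            args += ["--" + opt, val]
    return args


def explain(spec):
    """Return the generated arguments, or the error message, for SPEC."""
    try:
        return " ".join(ipsec_options_to_policy_match(spec))
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    for spec in ("strict,next", "proto=esp,strict,next,proto=ah"):
        print("%-32s -> %s" % (spec, explain(spec)))
```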

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel