Brian Neu wrote:
>
> Any good reason why my DNAT rule would just be ignored?

Have you followed the DNAT debugging steps listed in Shorewall FAQs 1a and 1b?

> The ones for UDP 500 and 4500 are obviously working, because the secure
> log on the VPN server shows the activity -- but then packets coming
> through in ESP are getting rejected at the firewall.
>
> # rpm -q shorewall
> shorewall-3.2.8-5
>
> # rpm -q kernel
> kernel-2.6.18-1.2257.fc5
>
> I tried asking with the swdump, but the email never showed up.
>
> Sorry if this is too vague. Out of time.

You mention UDP 4500 so I assume that you are using NAT traversal. If that is the case, you should never see ESP packets at all; they should all be encapsulated in UDP 4500. So I have no idea what your problem is.

FWIW: I could never understand FreeSwan/OpenSwan/xxxSwan -- I finally got it working but I suspect it was pure dumb luck, the quarter of the moon, and what I had for breakfast that morning. That's why you find no reference to those products on shorewall.net.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
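For readers following this exchange, here is what the DNAT side of an IPsec-behind-a-firewall setup looks like in a Shorewall `/etc/shorewall/rules` file. This is an added illustration, not configuration from either poster or from the Shorewall project; the zone names `net` and `loc` are the usual Shorewall defaults, and the VPN server address `192.168.1.10` is an assumed placeholder.

```text
# /etc/shorewall/rules (added example; 192.168.1.10 is an assumed VPN server address)
#ACTION   SOURCE   DEST                 PROTO   DEST PORT(S)
#
# IKE (UDP 500) and NAT-Traversal (UDP 4500). With NAT-T negotiated, the
# ESP payload travels inside UDP 4500, so these two rules carry everything.
DNAT      net      loc:192.168.1.10     udp     500,4500
#
# Raw ESP (IP protocol 50) is only seen from peers that did NOT negotiate
# NAT-T. If the counters on this rule stay at zero while the UDP rule above
# increments, the tunnel is using NAT-T and ESP is not the problem.
DNAT      net      loc:192.168.1.10     esp
```

A DNAT rule in Shorewall generates both the nat-table rewrite and the matching ACCEPT in the filter table, so no separate ACCEPT line is needed. Comparing the packet counters of the two rules (for example in the output of `shorewall show nat`) is the quickest way to confirm Tom's point: when NAT-T is in use, the ESP rule should see no traffic at all.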
