Simon Cruickshank wrote:

> My configuration files are :
>

In the future, please post the output of "shorewall dump" collected as described at http://www.shorewall.net/support.htm#Guidelines. Those guidelines go on to say:

Please DO NOT INCLUDE SHOREWALL CONFIGURATION FILES unless you have specifically asked to do so. The output of shorewall dump collected as described above is much more useful.

From what little you have told us it appears that your kernel is behaving like a 2.6 kernel that doesn't include policy match support or the IPSEC-Netfilter patches. I haven't kept up with 2.4 kernels in general and Debian 2.4 kernels in particular so I don't know what features have been back-ported from 2.6.

Here's the log entry that you posted:

> Shorewall:rfc1918:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1
> LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=802 DP PROTO=TCP SPT=1052 DPT=23
> ...

Note that the IN device is eth2, not ipsec0. Is there even an ipsec0 device being created when you establish IPSEC SAs with the remote gateway? I rather doubt it. With a 2.6 kernel with policy match support, decrypted packets like that are not subject to rfc1918 filtration so that 'norfc1918' may be safely specified on the external interface -- such is not the case without policy match support.

You also go on to report that "If I take the norfc1918 out of the interfaces file I get a similar message but this time caught in the net2loc (policy) rule". This again suggests that your kernel has PF_KEY-based ipsec (kernel 2.6) support.

Given these hints, I would guess that you need to configure IPSEC as described at http://www.shorewall.net/IPSEC.htm but that you should follow the kernel 2.6 instructions rather than the kernel 2.4 instructions.

Thanks,
-Tom

--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
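The diagnosis in the reply above rests on reading three things out of the netfilter log line: which chain logged it (rfc1918), which interface the packet arrived on (IN=eth2 rather than an ipsec0 device), and which of the addresses fall inside the RFC 1918 private ranges. The following script is an added example, not code from the original thread or from the Shorewall project, that parses a Shorewall-prefixed log line into its fields and reports exactly those facts; the sample line is constructed to match the one quoted in the message, with the garbled "DP" token written as the DF flag it presumably was. Function names and the output layout are the example's own.

```python
import ipaddress
import re

# Constructed sample, modelled on the log line quoted in the reply above.
SAMPLE_LOG = (
    "Shorewall:rfc1918:DROP:IN=eth2 OUT=eth0 SRC=2.2.2.1 DST=192.168.20.1 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=802 DF PROTO=TCP SPT=1052 DPT=23"
)

# The three private ranges defined by RFC 1918.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Shorewall log prefix: "Shorewall:<chain>:<disposition>:" followed by the
# usual netfilter KEY=VALUE tokens (bare flags such as DF carry no "=").
PREFIX_RE = re.compile(r"^Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_shorewall_log(line):
    """Split a Shorewall log line into a dict of chain, disposition and fields."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a Shorewall-prefixed log line")
    fields = dict(FIELD_RE.findall(line[m.end():]))
    return {"chain": m.group("chain"), "disposition": m.group("disposition"), **fields}


def is_rfc1918(addr):
    """True if addr lies in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def diagnose(line):
    """Report the facts the thread's diagnosis depends on, as a dict."""
    rec = parse_shorewall_log(line)
    in_dev = rec.get("IN", "")
    return {
        "chain": rec["chain"],
        "disposition": rec["disposition"],
        "in_dev": in_dev,
        # A KLIPS-style virtual device (ipsec0, ipsec1, ...) means the packet
        # was decrypted by a 2.4-era IPsec stack; a plain ethX means it was
        # decrypted in-kernel and re-entered the filter on the real interface.
        "in_is_ipsec_device": in_dev.startswith("ipsec"),
        "src_rfc1918": is_rfc1918(rec["SRC"]),
        "dst_rfc1918": is_rfc1918(rec["DST"]),
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key:20s} {value}")
```

Run against the sample line it reports chain rfc1918, ingress eth2 (not an ipsec device), a non-private source and a private destination, which is the same picture the reply draws by eye.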
