Götz Reinicke wrote:
> So far the gateways can communicate through our shorewall (ping,
> traceroute, https-access), but the VPN ID is wrong (that's the information
> I do get from the remote admin).

You are getting information second-hand.  We are now getting this
information third-hand.  Each layer makes it more difficult.

> The remote connection is established to the public ip aaa.aaa.aaa.aaa,
> but the response is from the private ip bbb.bbb.bbb.bbb.

This sounds very similar to a problem I experienced.  For reference,
here is the previous discussion.

  http://thread.gmane.org/gmane.comp.security.shorewall/15050/focus=15061

In my case, packets' destination addresses were getting translated but
source addresses were not.  I needed both.

In that previous discussion I asked:
> > > Shouldn't the source address have been translated to be from 10.1.0.1?
Tom answered:
> > No.
> > ...later in another message...
> > The rewriting of the source address in a packet (SNAT) is *always* a
> > work-around for some sort of inadequate routing and Shorewall doesn't
> > assume that the whole world has broken routing.

(I still disagree that this is a workaround for a routing problem but
that is another discussion.  However, understanding how this control is
split into two pieces allowed me to do what I wanted regardless and
all is happy now.)

With this knowledge everything fell into place for me.  I needed both
a DNAT- entry in the rules file and an entry in the masq file so that
both the source and destination addresses of packets would be translated.

Tom suggested:
> > So you could rewrite your nat entry as:
> > /etc/shorewall/masq:
> >     eth0    10.1.0.2        15.6.88.149
> > /etc/shorewall/rules:
> >     DNAT-   net     loc:10.1.0.2    -       -       -       15.6.88.149

Your situation sounds similar when you say that the response is coming
from the private IP address and is not getting translated.  Therefore,
perhaps you have fallen into the same situation?  There was not enough
information to really know what was going on with your case, but I will
offer this as one possibility because to me it "smelled" the same.

Bob
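As an added example (not part of this thread and not Shorewall's own code): a small Python check that reads masq and rules fragments in the column layout Tom quoted (masq: INTERFACE SOURCE ADDRESS; rules: ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST) and reports internal hosts that have a DNAT- entry with no matching masq address, or the reverse. That is exactly the half-translated state Bob describes, where replies leave with the private source address. The sample entries are constructed; 10.1.0.3 / 15.6.88.150 are made-up values added to show a missing masq line.

```python
# Constructed sample fragments modelled on the entries quoted in the thread.
# Only the first three masq columns and the first seven rules columns are read.
MASQ = """\
#INTERFACE  SOURCE      ADDRESS
eth0        10.1.0.2    15.6.88.149
"""

RULES = """\
#ACTION  SOURCE  DEST           PROTO  DPORT  SPORT  ORIGDEST
DNAT-    net     loc:10.1.0.2   -      -      -      15.6.88.149
DNAT-    net     loc:10.1.0.3   -      -      -      15.6.88.150
"""


def _entries(text):
    """Yield the whitespace-separated columns of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def masq_pairs(text):
    """(internal, public) pairs from masq entries that carry an explicit SNAT ADDRESS."""
    pairs = set()
    for cols in _entries(text):
        if len(cols) >= 3 and cols[2] != "-":
            pairs.add((cols[1], cols[2]))
    return pairs


def dnat_pairs(text):
    """(internal, public) pairs from DNAT/DNAT- rules that name an ORIGDEST."""
    pairs = set()
    for cols in _entries(text):
        if cols[0].startswith("DNAT") and len(cols) >= 7 and cols[6] != "-":
            internal = cols[2].split(":", 1)[-1]  # drop the "loc:" zone qualifier
            pairs.add((internal, cols[6]))
    return pairs


def one_sided_nat(masq_text, rules_text):
    """Hosts translated in only one direction: DNAT without SNAT, or SNAT without DNAT."""
    masq = masq_pairs(masq_text)
    dnat = dnat_pairs(rules_text)
    return {"dnat_only": sorted(dnat - masq), "snat_only": sorted(masq - dnat)}


if __name__ == "__main__":
    print(one_sided_nat(MASQ, RULES))
```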

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
