Scorpy wrote:
>
>> What does that mean? Does it mean that you assigned an RFC 1918 address
>> to the WAN port and set the router's default gateway to the IP address
>> of the internal interface on your linux box?
>
> Yes, that is correct.
>
>> Hopefully the router's VPN supports NAT-T (NAT traversal) and you have
>> configured the VPN to use it; otherwise, this probably won't work at all.
>
> Hmm, don't know yet.
Since you are NATing the connection, you should only be DNATing UDP port
500 and 4500 to the internal router for VPN traffic. Again, there is
very little chance of it working without NAT-T. The two IPsec endpoints
will determine that there is at least one NAT router between them and
will encapsulate the ESP packets in UDP 4500 packets. AH cannot be used
in this configuration.
> I can see that the packets which I sent get to the other
> side. The problem is that the packets I receive don't reach the hw router on
> this side. I keep getting reject log on internal interface of linux box, for
> udp packets.
And on the INTERNAL interface? If so, it sounds like your internal and
external interfaces are somehow bridged.
> The internet is working fine from this router.
>
>> Did you add an SNAT rule (/etc/shorewall/masq) so that traffic from this
>> router appears to come from that external IP address?
>
> Hmm. No, I didn't. I just set DNAT rule in "rules" like this:
> DNAT net:$other_hw_router loc:local_ip_of_my_hw_router udp 500
>
> Can you write me the code for "masq"?
Do you only have one external IP address (193.x.x.x)? If so, your
existing MASQ/SNAT entry in /etc/shorewall/masq is all you need.
>> The traffic that is being logged is coming INTO your firewall on eth0 --
>> it isn't a response from '...the other side'.
>
> But why do I get reject error then? (85.x.x.x is the HW router on other
> side; 193.x.x.x. is the linux box)
>
How could we possibly know? We can't see your ruleset. And you are so
tight-fisted with details, you won't even tell us what your external IP
address is (even though everyone on the list already knows what it is
and could care less). Shorewall 2.2 supports a "shorewall status"
command -- if you send us the output of that command (as a compressed
attachment), it will help, although the information in that command is
not nearly so complete and helpful as the output of "shorewall dump" in
later versions.
My guess is that you have 'detectnets' specified on eth0 in
/etc/shorewall/interfaces so that packets from 85.x.x.x aren't in the
'loc' zone (see Shorewall FAQ 17).
> Shorewall:all2all:REJECT:IN=eth0 OUT=
> MAC=00:40:f4:b2:94:96:00:19:cb:2c:df:87:08:00 SRC=85.x.x.x DST=193.x.x.x
> LEN=104 TOS=0x00 PREC=0x00 TTL=245 ID=36536 PROTO=UDP SPT=500 DPT=500
> LEN=84
>
But that still begs the question about why the above packet is showing
up on your internal interface in the first place -- it should be
arriving on your internal interface.
Again, it looks to me like your internal and external interfaces may be
bridged.
What is the sequence of packets that you are seeing? Is it:
1) internal router->remote router UDP 500
2) <message above>
Or do you see packets (including ESP) go back and forth and THEN you get
the message?
-Tom
>
>> I don't either -- but then you really haven't given us anything to go on
>> (no Shorewall configuration or dump -- oh, Shorewall 2.2 didn't even
>> have a 'dump' command. You really should upgrade....).
>
>> I have accept rules for all port and tcp, udp, ah and esp for NET:IP to
>> FW and NET:IP to LOC.
ACCEPT rules from net->fw are not required here. And the NET->LOC rules
must be DNAT rules.
>>
>> DNAT is created for NET:IP to LOC:IP for all ports and all protocols.
>
>> Again, what about SNAT?
>
> Hmmm. Not sure what you are trying to say. Do you mean what you mentioned
> above about "masq"? I know this kind of questions are stupid, but please
> give me more hints.
Again, if you only have one external IP address then you already have
the necessary entry in /etc/shorewall/masq.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
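As an added illustration of the setup Tom describes (this is not from the original thread and not Shorewall's own documentation), here are the three Shorewall fragments involved, shown together in one block with the file each line belongs to in a comment. The interface names (eth0 external, eth1 internal), the LAN subnet 192.168.1.0/24, the hardware router's LAN-side address 192.168.1.2 and the Shorewall 2.2-era column layout are all assumptions; 85.x.x.x is the remote peer exactly as it appears in the log line above.

```conf
# /etc/shorewall/interfaces   (ZONE  INTERFACE  BROADCAST  OPTIONS)
# Assumed interface names. Do not put 'detectnets' in the OPTIONS column
# of eth0: with it, packets from 85.x.x.x would not land in the zone you
# expect (see Shorewall FAQ 17, which Tom points at above).
net   eth0   detect
loc   eth1   detect

# /etc/shorewall/masq   (INTERFACE  SUBNET  ADDRESS)
# With a single external address this one line is the whole SNAT setup:
# everything from the LAN, the hardware router included, leaves the box
# with 193.x.x.x as its source. Subnet is an assumption.
eth0  192.168.1.0/24

# /etc/shorewall/rules   (ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# Only IKE (UDP 500) and NAT-T (UDP 4500) need forwarding. With NAT-T the
# ESP traffic rides inside the UDP 4500 packets, so no esp or ah rule is
# needed, and a net->fw ACCEPT is not needed either. Restricting SOURCE
# to the remote peer keeps the forward from being open to the whole
# Internet. 192.168.1.2 is the assumed LAN address of the hardware router.
DNAT  net:85.x.x.x  loc:192.168.1.2  udp  500,4500
```

After editing, "shorewall restart" loads the new ruleset. If the REJECT line for 85.x.x.x then still reports IN=eth1 (the internal side) rather than IN=eth0, that is the symptom Tom attributes to the two interfaces being bridged; "brctl show" on the Linux box lists any bridge that contains them.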
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
