> Sorry -- I picked the wrong field out of the MAC address in the
> 'Shorewall' message.

Yes, you are right. One MAC is from ETH0, the other from my hw router.

> The Shorewall-generated ruleset is rejecting the packet because the only
> connections that you allow from the local net to the firewall are ping
> and SSH (I just got the 'status' output).

I now also allow UDP. I don't get any error in the Shorewall report logs. But it still doesn't work. Both routers use NAT-T.

> I don't know why your interior router is sending that packet. I can only
> guess that the two IPSEC endpoints are failing to recognize that NAT is
> taking place (is the router at the other end configured for NAT-T?) so
> they negotiate an SA without it. Once an SA is negotiated, ISAKMP (UDP
> 500) packets can be sent through the encrypted tunnel if the SA involves
> both endpoints. When your internal router gets the first of these (which
> has not undergone DNAT) it of course doesn't recognize that the packet
> is really meant for it so it does what routers do -- it forwards the
> packet to its default gateway (your firewall).

Can you suggest anything I can do/test? Did you receive the tcpdump in my mail (for ETH0 and DSL0)?

Scorpy

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
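A Shorewall `/etc/shorewall/rules` fragment for the "allow UDP" step mentioned in the reply above, added here as an illustration; it is not from the original thread or from the Shorewall project. It assumes the default zone names `loc` (local net) and `$FW` (the firewall itself) and that the IPsec endpoint on the local side is the hardware router behind the firewall:

```text
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   # comment
ACCEPT    loc      $FW    udp     500            # ISAKMP / IKE negotiation
ACCEPT    loc      $FW    udp     4500           # NAT-T: UDP-encapsulated ESP
ACCEPT    loc      $FW    50                     # raw ESP, only needed when NAT-T is NOT negotiated
```

Run `shorewall check` before `shorewall restart` to catch syntax errors. Note that these rules only change what the firewall accepts from the local net; they do not address the point raised in the quoted diagnosis, namely why the interior router forwards a cleartext ISAKMP packet to its default gateway instead of recognising it as its own. If both endpoints really negotiate NAT-T, the traffic that should appear on the firewall is UDP 500 and UDP 4500, and a plain UDP 500 packet arriving from the router after the SA is up is the symptom to look for in the tcpdump output.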
