Wouter Amsterdam wrote:

> dump file (attached) and took some time analyzing it.
> In the 10th line of the Conntrack Table there seems to be some sort of
> communication between my firewall's external IP and an internal IP at
> the remote site (vpn21) which is [UNREPLIED]. Does this mean traffic
> is going into the tunnel to the remote site, but does not return?

The support guidelines clearly state that you should clear the netfilter counters, try the failing connection, take the dump, and explain in the report what you tried and how it failed. All we have here is a dump and an observation about a particular connection so I can only tell you that the [UNREPLIED] entry is an attempt to connect from 212.115.197.253 to 192.168.21.51. There is no security policy covering that connection so the traffic DID NOT GO THROUGH THE TUNNEL. Given that it was addressed to an RFC 1918 address, the packet was simply dropped when or before it reached the internet core routers.

If you look down in the section of the dump titled PFKEY SPD, you will see all of the Security Policies that you have defined. The only one with source 212.115.197.253 is from gateway to gateway. So the other gateway is the only host that this gateway can communicate with through the tunnel.

As spelled out in the Shorewall IPSEC 2.6 documentation, it takes 8 security policies to completely cover the combinations when connecting two local subnets via IPSEC.

I can see no reason that zones loc6 and loc7 should not be able to communicate with the remote network. Note though that you can totally eliminate Shorewall from the issue by doing 'shorewall clear' then trying to communicate. If that doesn't work then your Shorewall configuration is not the immediate cause of the problem. Be sure to 'shorewall start' after the test since your firewall will be wide open after the 'shorewall clear'.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
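The check made in the reply above (does any outbound PFKEY SPD entry select the flow that shows as [UNREPLIED] in the conntrack table?), as an added Python example that is not part of the list post or of Shorewall itself. The conntrack and SPD excerpts are constructed in the layouts of 'shorewall dump' and 'setkey -DP', and 203.0.113.1 stands in for the remote gateway, which the post does not name.

```python
import ipaddress
import re

# Constructed conntrack excerpt in the layout 'shorewall dump' prints (not taken from the post).
CONNTRACK = """\
tcp      6 117 SYN_SENT src=212.115.197.253 dst=192.168.21.51 sport=40122 dport=22 [UNREPLIED] src=192.168.21.51 dst=212.115.197.253 sport=22 dport=40122 mark=0 use=1
icmp     1 29 src=212.115.197.253 dst=203.0.113.1 type=8 code=0 id=4242 src=203.0.113.1 dst=212.115.197.253 type=0 code=0 id=4242 mark=0 use=1
"""

# Constructed PFKEY SPD section in 'setkey -DP' layout; 203.0.113.1 is an assumed remote
# gateway. Only the gateway-to-gateway pair exists, as in the situation diagnosed above.
SPD = """\
212.115.197.253[any] 203.0.113.1[any] any
\tout prio def ipsec
\tesp/tunnel/212.115.197.253-203.0.113.1/require
203.0.113.1[any] 212.115.197.253[any] any
\tin prio def ipsec
\tesp/tunnel/203.0.113.1-212.115.197.253/require
"""

POLICY_RE = re.compile(r"^(\S+)\[\S+\]\s+(\S+)\[\S+\]\s+\S+\s*$")   # "src[port] dst[port] proto"
FLOW_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")                     # first pair = original direction

def parse_spd(text):
    """(direction, src_net, dst_net) for each policy; the direction is on the following line."""
    policies, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = POLICY_RE.match(line)
        if m and i + 1 < len(lines):
            policies.append((lines[i + 1].split()[0],
                             ipaddress.ip_network(m.group(1), strict=False),
                             ipaddress.ip_network(m.group(2), strict=False)))
    return policies

def parse_conntrack(text):
    """(src, dst, unreplied) for the original direction of every conntrack entry."""
    return [(m.group(1), m.group(2), "[UNREPLIED]" in line)
            for line in text.splitlines() if (m := FLOW_RE.search(line))]

def uncovered_flows(conntrack_text, spd_text):
    """Flows that no outbound SPD entry selects: such traffic never enters the tunnel,
    whatever the Shorewall rules say, and follows the normal route unprotected instead."""
    out_policies = [p for p in parse_spd(spd_text) if p[0] == "out"]
    uncovered = []
    for src, dst, unreplied in parse_conntrack(conntrack_text):
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if not any(s in sn and d in dn for _, sn, dn in out_policies):
            uncovered.append((src, dst, unreplied))
    return uncovered
```

Running `uncovered_flows(CONNTRACK, SPD)` on the constructed data reports only the gateway-to-192.168.21.51 flow, which is exactly the connection the reply says has no security policy; with the subnet policies from the Shorewall IPSEC documentation added to the SPD text, that flow would be selected and disappear from the list.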


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
