On 1/5/2014 9:52 AM, Axel Zöllich wrote:
> hosts:
> pktgh   eth4:192.168.223.0/24,212.117.77.202    ipsec
> pktgh   eth4:192.168.3.0/24,212.117.77.202      ipsec
> 
> rules:
> ACCEPT          pktgh:212.117.77.202    $FW
> 
> rules:
> 0x200:P -               212.117.77.202
> 0x200   $FW             212.117.77.202
> 
> The IPSEC tunnel between 212.117.77.202 and the remote station gets
> established and works well.
> But it doesn't get reestablished.
> 
> Jan  2 18:30:50 router-pikt-1 kernel: [1258504.573780] 
> Shorewall:net2fw:DROP:IN=eth4 OUT= 
> MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=212.117.77.202 
> DST=212.117.77.218 LEN=1036 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP 
> SPT=500 DPT=500 LEN=1016 MARK=0x200
> 
> Already deleting the SA is blocked by shorewall:
> 
> Jan  5 18:32:43 router-pikt-1 kernel: [1517561.605683] 
> Shorewall:net2fw:DROP:IN=eth4 OUT= 
> MAC=a0:36:9f:28:42:e9:00:12:ef:61:2e:7c:08:00 SRC=212.117.77.202 
> DST=212.117.77.218 LEN=100 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=UDP 
> SPT=4500 DPT=4500 LEN=80 MARK=0x200
> 
> 
> conntrack -L shows one connection left over:
> unknown  50 459 src=212.117.77.218 dst=212.117.77.202 src=212.117.77.202 
> dst=212.117.77.218 mark=512 use=1

I won't try to guess without seeing the output of 'shorewall dump'.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
