I have 30-odd permanent VPNs running pure IPsec over KLIPS, the Openswan option 
erroneously called "2.4 kernel" in the Shorewall documentation. It still works 
way better than NETKEY. Switching over to KLIPS from NETKEY after using it for 
years solved innumerable problems with workstations not staying connected to 
the Samba 3.x domain. I only include this bit of info here to avoid people 
replying to me with "switch over to NETKEY and come out of the dark ages." It's 
not going to happen.


But now I want to implement L2TP/IPsec, and the Shorewall documentation suffers as 
regards this configuration, so any help would be appreciated. Basically 
incoming l2tp traffic authenticates fine as regards IPsec, but then there is 
nothing. dmesg reports martians on interface ipsec0 and xl2tpd never processes 
the request.

My tunnels file includes a reference to:

l2tp  L2TP     0.0.0.0/0  VPN

So VPN is the gateway zone.

And I've got the rules set like so:

L2TP(REJECT):info    SHAW     $FW
REJECT          $FW     SHAW     udp     -       1701
# l2tp over the IPsec VPN
ACCEPT          VPN     $FW     udp     1701


As I understand it, with KLIPS you don't declare that the zone is ipsec, 
because the traffic is delivered unencrypted to the kernel from an 'interface' 
ipsec0. The interfaces file declares ipsec+ to be part of the VPN zone, so, per the 
above rule, the $FW system should accept traffic from VPN on udp 1701, but it isn't.
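As an added example (not from the original post), a small Python script that parses the "martian source" lines dmesg reports, tallies them per interface and source, and lists the per-interface reverse-path sysctls to inspect for each interface that logged one. The sample dmesg text and the addresses in it are constructed placeholders.

```python
import re
from collections import Counter

# Kernel log format for a rejected source address (net/ipv4/route.c):
#   martian source <dst> from <src>, on dev <ifname>
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+(?:\.\d+){3}) from (?P<src>\d+(?:\.\d+){3}),"
    r" on dev (?P<dev>\S+)"
)

# Constructed sample dmesg output (not from the original post); addresses are
# documentation ranges used as placeholders.
SAMPLE_DMESG = """\
[ 1234.567] IPv4: martian source 203.0.113.10 from 198.51.100.7, on dev ipsec0
[ 1234.568] ll header: 00000000: 45 00 00 3c 00 00 40 00 40 11
[ 1240.001] IPv4: martian source 203.0.113.10 from 198.51.100.7, on dev ipsec0
[ 1302.412] IPv4: martian source 203.0.113.10 from 192.0.2.55, on dev eth0
[ 1310.000] some unrelated message
"""


def parse_martians(text):
    """Extract (dev, src, dst) for every martian-source line in a dmesg dump."""
    hits = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            hits.append((m.group("dev"), m.group("src"), m.group("dst")))
    return hits


def count_by_dev_and_src(hits):
    """Tally martians per (interface, source) so the noisy pair stands out."""
    return Counter((dev, src) for dev, src, _ in hits)


def sysctl_paths_to_check(hits):
    """Per interface that logged martians, the sysctls governing reverse-path
    filtering and martian logging. The routing code drops a martian before the
    INPUT chain runs, so no ACCEPT rule can match it; check these knobs first."""
    devs = sorted({dev for dev, _, _ in hits})
    return {dev: [f"/proc/sys/net/ipv4/conf/{dev}/rp_filter",
                  f"/proc/sys/net/ipv4/conf/{dev}/log_martians"] for dev in devs}


if __name__ == "__main__":
    hits = parse_martians(SAMPLE_DMESG)
    for (dev, src), n in count_by_dev_and_src(hits).most_common():
        print(f"{n:3d} martian(s) from {src} on {dev}")
    for dev, paths in sysctl_paths_to_check(hits).items():
        print(dev, "->", ", ".join(paths))
```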
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users