On 6/16/2015 9:44 PM, Иван Иванов wrote:
> Hello.
>
> I have a remote server (Ubuntu 14.04, Shorewall 4.5.21) with one
> physical interface, eth0. This server is an IPSEC/L2TP client.
> L2TP tunnel interface:
>
> ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1410 qdisc pfifo_fast state UNKNOWN group default qlen 3
>     link/ppp
>     inet 192.168.1.160 peer 192.168.1.254/32 scope global ppp0
>        valid_lft forever preferred_lft forever
>
> Shorewall config.
>
> Interfaces:
> -      lo      ignore
> net    eth0    dhcp,physical=+,routeback,optional,routefilter
> l2tp   ppp0
>
> Zones:
> fw     firewall
> net    ipv4
> vpn    ipsec
> l2tp   ipv4
>
> Tunnels:
> ipsec  net     xx.xx.xx.xx     vpn
>
> Hosts:
> vpn    eth0:0.0.0.0/0
>
> Policy:
> $FW    all     ACCEPT
> vpn    net     NONE
> net    vpn     NONE
> l2tp   all     ACCEPT
> net    all     DROP    info
> all    all     REJECT  info
>
> When the l2tp tunnel is up, traffic through ppp0 counts as net2fw:
>
> Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63204 DF PROTO=TCP SPT=57205 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0
> Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49828 DF PROTO=TCP SPT=57207 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0
>
> I wonder what I missed? Why does ppp0 traffic not belong to the l2tp zone
> (IN=ppp0, but net2fw chain)?

Your tunnels entry is incorrect - it should be:

ipsec  l2tp    xxx.xxx.xxx.xxx    vpn

-Tom
-- 
Tom Eastep         \ When I die, I want to go like my Grandfather who
Shoreline,          \ died peacefully in his sleep. Not screaming like
Washington, USA      \ all of the passengers in his car
http://shorewall.net  \________________________________________________
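As an added example (it is not part of this thread and not Shorewall's own code), here is a small Python checker for exactly the symptom reported above: it reads a Shorewall interfaces file and Shorewall kernel log lines, works out which source zone each logged chain name (net2fw, l2tp2fw, net2all, ...) attributes the packet to, and flags packets whose IN= interface is declared in a different zone. The interfaces table, zone list and the first two log lines are taken from the post; the remaining two log lines are constructed for the example. One point worth noting: the zone name l2tp contains the digit 2, so a chain name such as l2tp2fw cannot simply be split on "2"; the checker matches against the known zone list instead. The handling of the physical= option is a simplification (a "+" wildcard is not expanded).

```python
import re

# Constructed sample: the interfaces file from the post (ZONE INTERFACE OPTIONS).
INTERFACES = """\
# ZONE   INTERFACE   OPTIONS
-        lo          ignore
net      eth0        dhcp,physical=+,routeback,optional,routefilter
l2tp     ppp0
"""

# Zone names from the post's zones file.
ZONES = ["fw", "net", "vpn", "l2tp"]

# Constructed sample log lines: the two from the post (ppp0 landing in net2fw),
# one consistent net2fw hit on eth0, and one hypothetical l2tp2fw entry on ppp0.
LOG_LINES = [
    "Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=63204 DF PROTO=TCP SPT=57205 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 17 18:05:06 server kernel: Shorewall:net2fw:DROP:IN=ppp0 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=49828 DF PROTO=TCP SPT=57207 DPT=3128 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jun 17 18:05:07 server kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0",
    "Jun 17 18:05:08 server kernel: Shorewall:l2tp2fw:REJECT:IN=ppp0 OUT= MAC= SRC=192.168.1.1 DST=192.168.1.160 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=57300 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0",
]

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$")


def parse_interfaces(text):
    """Map interface name -> zone from a Shorewall interfaces file.

    Rows whose ZONE column is "-" (e.g. lo with the ignore option) are not
    zone members and are skipped.  A physical=<name> option naming a concrete
    interface overrides the logical name; a bare "+" wildcard is left alone
    (simplification for this example).
    """
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("?"):
            continue
        cols = line.split()
        zone, iface = cols[0], cols[1]
        options = cols[2].split(",") if len(cols) > 2 else []
        for opt in options:
            if opt.startswith("physical="):
                phys = opt[len("physical="):]
                if phys and not phys.endswith("+"):
                    iface = phys
        if zone != "-":
            mapping[iface] = zone
    return mapping


def parse_log_line(line):
    """Return the chain, disposition and KEY=VALUE fields of a Shorewall log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            rec[key] = value
        else:
            rec[tok] = True  # bare flags such as DF or SYN
    return rec


def chain_zones(chain, zones):
    """Split a zone-pair chain name (src2dst or src-dst) into (src, dst).

    Matches the longest known zone name first so that a zone named l2tp is
    not split at the '2' inside its own name.  Returns None for chains that
    are not zone pairs (e.g. Reject, dynamic).
    """
    candidates = list(zones) + ["all"]
    for sep in ("2", "-"):
        for src in sorted(candidates, key=len, reverse=True):
            if chain.startswith(src + sep):
                dst = chain[len(src) + len(sep):]
                if dst in candidates:
                    return src, dst
    return None


def find_zone_mismatches(interfaces_text, zones, log_lines):
    """Report logged packets whose IN= interface is declared in a zone other
    than the source zone named by the chain that logged them."""
    iface_zone = parse_interfaces(interfaces_text)
    findings = []
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        pair = chain_zones(rec["chain"], zones)
        if pair is None:
            continue
        src_zone, _ = pair
        iface = rec.get("IN", "")
        declared = iface_zone.get(iface)
        if declared and declared != src_zone:
            findings.append({"iface": iface, "declared": declared, "chain": rec["chain"],
                             "src": rec.get("SRC"), "dpt": rec.get("DPT")})
    return findings


if __name__ == "__main__":
    for f in find_zone_mismatches(INTERFACES, ZONES, LOG_LINES):
        print("%(iface)s is declared in zone %(declared)s but packet from %(src)s "
              "to port %(dpt)s was logged by chain %(chain)s" % f)
```

Run against the post's data this reports both ppp0 packets (declared zone l2tp, logged by net2fw) and stays quiet about the eth0 and l2tp2fw lines; feeding it a live interfaces file and `journalctl -k` output gives the same answer for a running box.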
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
