OK. I've got a test lab installed in GNS for testing purposes, with 2 dumb
VPCs to emulate local networks and 2 VirtualBox VMs with Debian 8, shorewall
and strongswan:

VPC1 (10.1.1.100) --- (10.1.1.1) Router1 (10.100.0.1) --- (switch) --- (10.100.0.2) Router2 (10.1.2.1) --- (10.1.2.100) VPC2

All networks are /24.
The router configs are similar except for IP addresses.
I've got identical behavior with the virtual setup as with the physical one:
 - ipcomp turned off, packets go through
 - ipcomp turned on, packets rejected
Here is the shorewall dump from virtual Router1 with the suggested ipip tunnel
option (packets still rejected), along with shorewall's ipsec.conf.
Thank you for your time and patience.

2016-12-08 3:27 GMT+03:00 Tom Eastep <teas...@shorewall.net>:

> On 12/07/2016 02:43 AM, John Depp wrote:
> > OK, I've done some reconfiguration and testing.
> >
> > 1. I don't know how to make ipcomp work. - The suggested tunnels line
> > doesn't work, as I have to allow traffic from net, not from the vpn
> > zone
>
> Not according to the log message in your original post. That log
> message indicated that the message source was in *NONE* of your zones.
>
> As I indicated in an earlier post, the fastest way for me to solve
> this for you is to see the (unaltered) output of 'shorewall dump' with
> the tunnel entry that Tuomo suggested to you.
>
> -Tom
>
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>

Attachment: ipsec.conf
Description: Binary data

Attachment: shore_dump3
Description: Binary data
