-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 12/17/2016 05:51 AM, John Depp wrote:
> Thank you very much for spending so much effort to resolve my 
> issue.
> 
> As I've mentioned the simplest way to avoid the problem is to turn 
> off ipcomp. The only drawback is the way the ipcomp could be
> turned on or off in strongswan - the single option compress =
> <yes|no> does the thing, so many ppl (me included) could just turn
> it on for good.
> 
> As for a cleaner solution, I'd suggest removing the "policy match
> dir in pol none" statement from eth0_in zone in net-fw rule - let
> all packets hit the rule and then we could apply rules from 
> shorewall/rules for them - but of course I just don't see the
> whole picture and don't know what this statement was inserted for.

As I was documenting the problem, I realized that we both had a
Shorewall configuration issue. We both included only the peer's local
network in our /etc/shorewall/hosts definition of the vpn1 zone. When
ipcomp is used, we also need to have an entry with the peer gateway's
host address in it.

In my case:

#ZONE HOSTS OPTIONS
vpn1 eth0:172.21.1.0/24
vpn1 eth0:10.2.10.11

The OPTIONS column in vpn1's zone definition is empty.

You could also choose to simply include a single entry:

#ZONE HOSTS OPTIONS
vpn1 eth0:0.0.0.0/0

Then use entries in the rules to differentiate between different
remote networks.

I will make an update to the Shorewall IPSEC documentation to make
this clear.

-Tom
-- 
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJYVY3hAAoJEJbms/JCOk0QxWsP/0sAxfPY1wFF9HdsKzwG0hfC
9xaDQ6JIh7p+OkgYNRr8YgEZTMoQKvPxeLHFN1LObnSxwPM0nhTLEYdyVaFjI69t
Qqvm3sH32FcsDNDZJaEjs4AfaXP5xKCEpZIV4UK0G1lutJ94+WVq6fsasxqmoRsP
ZiO+YHNKCgeFUJ2Uz+o9jjmSquPOrR7ZTE7D8t4VavsEdcNKm0nIGsc6Kiq/WHxq
mDXKsRMJPz6SybIjOFwYUK/PL3DwLdDF4G+9C+/7NuXgI9QAysCWHFcXwjlsZNI2
Ls8elCLWmNJwZYfSB/7PzJ+yTxvBnWTOgkdD0vSwrLIzNLun354b9WPpWvSgxdT+
4fKLWeDPKFq66cgj7gUKXWppcFtaS6blYxedGR9sZxUli9gaBv+pxrQ8umWNx439
nDtdJL2kscBScFYSnajBL6f5uszWceKGI0Ka1QTDnjlBMRupuzfKfCP/Zw8MtvUu
JnuLNakw3tdyUQC5HPeSK/1cMa19GRTM99IRUu1BqU0EFzaTP6xmdSP0Gd63lRid
Ca+oaPBQnWSkOuGKJ0oZGc8tarGQ/JyMlLU0OkddA7eFB8dQSeZ2otF1h24AT7Rb
KYgYU7r2Uc5KnhuD53LTPQfRfPESqwhfXZOxai244HTVh9b8/PdKm7pKN9REKVuT
BKPcwrNm6GUD1pcCiOUo
=e0je
-----END PGP SIGNATURE-----
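The point of the message is that a vpn1 zone defined only by the peer's local network is incomplete when ipcomp is in use: the peer gateway's host address must also be covered by a hosts entry (or the zone must use a catch-all such as 0.0.0.0/0 and rely on rules). The following is an added checker, not Shorewall's own code and not part of the thread, that parses /etc/shorewall/hosts-style text and reports whether a given zone covers both the peer network and the peer gateway. The three sample host files are constructed for the example, modelled on the entries shown in the message; the zone name, addresses and function names are assumptions.

```python
import ipaddress

# Constructed sample /etc/shorewall/hosts contents, modelled on the vpn1 zone
# definitions discussed in the message (hypothetical files, not copied from
# any real host).
HOSTS_NETWORK_ONLY = """\
#ZONE HOSTS OPTIONS
vpn1 eth0:172.21.1.0/24
"""

HOSTS_WITH_GATEWAY = """\
#ZONE HOSTS OPTIONS
vpn1 eth0:172.21.1.0/24
vpn1 eth0:10.2.10.11
"""

HOSTS_CATCH_ALL = """\
#ZONE HOSTS OPTIONS
vpn1 eth0:0.0.0.0/0
"""

IPNetwork = (ipaddress.IPv4Network, ipaddress.IPv6Network)


def parse_hosts(text):
    """Parse Shorewall hosts entries into (zone, interface, network, options).

    Comment and blank lines are skipped. A HOSTS column of the form
    iface:addr1,addr2 yields one tuple per address; tokens that are not
    addresses (e.g. 'dynamic') are kept as plain strings. A '-' in the
    OPTIONS column means no options.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or ":" not in fields[1]:
            raise ValueError(f"malformed hosts line: {raw!r}")
        zone, hosts = fields[0], fields[1]
        options = fields[2] if len(fields) > 2 and fields[2] != "-" else ""
        iface, _, addrs = hosts.partition(":")
        for tok in addrs.split(","):
            try:
                net = ipaddress.ip_network(tok, strict=False)
            except ValueError:
                net = tok  # keyword such as 'dynamic'; kept for the caller
            entries.append((zone, iface, net, options))
    return entries


def _zone_networks(entries, zone):
    return [n for z, _, n, _ in entries if z == zone and isinstance(n, IPNetwork)]


def _covers(outer, inner):
    """True if network `outer` contains the whole of network `inner`."""
    return (outer.version == inner.version
            and outer.network_address <= inner.network_address
            and outer.broadcast_address >= inner.broadcast_address)


def check_ipcomp_zone(text, zone, peer_net, peer_gw):
    """Return a list of findings for a zone that carries an ipcomp tunnel.

    Per the message, both the peer's local network and the peer gateway's
    host address need a matching HOSTS entry in the zone when ipcomp is on.
    """
    nets = _zone_networks(parse_hosts(text), zone)
    findings = []
    peer = ipaddress.ip_network(peer_net)
    if not any(_covers(n, peer) for n in nets):
        findings.append(f"peer network {peer} is not covered by zone {zone}")
    gw = ipaddress.ip_network(peer_gw)  # host address becomes a /32 (or /128)
    if not any(_covers(n, gw) for n in nets):
        findings.append(f"peer gateway {gw.network_address} is not covered by zone "
                        f"{zone}; add an entry such as '{zone} eth0:<gateway>' "
                        "when ipcomp is enabled")
    return findings


if __name__ == "__main__":
    for label, text in [("network only", HOSTS_NETWORK_ONLY),
                        ("with gateway", HOSTS_WITH_GATEWAY),
                        ("catch-all", HOSTS_CATCH_ALL)]:
        result = check_ipcomp_zone(text, "vpn1", "172.21.1.0/24", "10.2.10.11")
        print(f"{label}: {result or 'OK'}")
```

Run against the first sample the checker flags the missing gateway entry; the second and third samples pass, the third because 0.0.0.0/0 covers everything and leaves the differentiation between remote networks to the rules file, exactly the trade-off the message describes.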

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users