On March 29, 2018 5:02 PM, Tom Eastep <teas...@shorewall.net> wrote:

> > ... I believe this is right when unknown IPs can come in through VPN?
>
> You should be assigning the remote IP address via the xxxxsourceip
> (xxxx=right or left) setting in ipsec.conf.

I can't because the remote initiator could be any one of several devices, which all have dynamic IPs. I'm setting up so that there is no distinction between remote and LAN members, which means I need to move from static IPs to DHCP for VPN, which I'm doing anyway for the LAN in a transition to IPv6 (for the sake of all that's holy). Also I can't because I'm using the new swanctl methodology, which dispenses with ipsec.conf, ipsec.secrets, etc. There are about a thousand things that can go wrong and the docs are chaotic, but I just about have it sussed out.

> > But nm I seem to have fixed it. In zones I did have mode=transport when I'm
> > now using tunnel. I can ping now.
>
> That would explain the failure you were seeing.

Good to know, thanks.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
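For readers following the thread: the failure described above comes from the Shorewall ipsec zone declaring one mode while the strongSwan child SA negotiates the other. Shorewall matches an ipsec zone with the netfilter policy match (`-m policy --pol ipsec --mode ...`), so a zone declared `mode=transport` never matches packets decrypted from a tunnel-mode SA and they fall through to whichever zone the outer interface belongs to. The configuration below is an added example, not the poster's configuration and not taken from the Shorewall or strongSwan projects; it shows the two sides agreeing on tunnel mode, with road-warrior clients (dynamic source addresses, so no `*sourceip` pinning is possible) getting LAN addresses from the LAN DHCP server through strongSwan's dhcp plugin, which is the "no distinction between remote and LAN members" layout the poster describes. Interface names, subnets, zone names, certificate names and the DHCP server address are assumptions.

```conf
# Added example, not the poster's configuration. Interfaces, subnets,
# zone and certificate names are assumed values.

# /etc/shorewall/zones
#ZONE   TYPE      OPTIONS        IN_OPTIONS   OUT_OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec     mode=tunnel    # must agree with the SA mode below;
                                 # mode=transport here never matches tunnel SAs

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter
loc     eth1        dhcp,tcpflags,nosmurfs

# /etc/shorewall/hosts
# An ipsec zone is selected by the policy match, not by address, so the
# vpn zone may overlap the whole address space behind the external interface.
#ZONE   HOST(S)          OPTIONS
vpn     eth0:0.0.0.0/0

# /etc/shorewall/policy
# vpn clients are treated like LAN members; everything else stays closed.
#SOURCE  DEST   POLICY   LOG_LEVEL
fw       all    ACCEPT
loc      vpn    ACCEPT
vpn      loc    ACCEPT
net      all    DROP     info
all      all    REJECT   info

# /etc/swanctl/conf.d/rw.conf   (swanctl syntax; no ipsec.conf/ipsec.secrets)
connections {
    rw {
        local_addrs = 203.0.113.10       # gateway public address (assumed)
        # remote_addrs defaults to %any: the peer's source IP is not pinned,
        # so the only thing admitting a client to the vpn zone is its cert.
        pools = dhcp                     # virtual pool served by the dhcp plugin
        local {
            auth  = pubkey
            certs = gatewayCert.pem
            id    = gw.example.org
        }
        remote {
            auth = pubkey                # any client holding a cert from our CA
        }
        children {
            rw {
                local_ts = 192.168.1.0/24
                mode     = tunnel        # tunnel is the default; stated because
                                         # Shorewall's mode= has to match it
            }
        }
    }
}

# /etc/strongswan.d/charon/dhcp.conf
dhcp {
    load = yes
    server = 192.168.1.1                 # LAN DHCP server (assumed)
    identity_lease = yes                 # same client identity -> same lease
    interface = eth1                     # LAN side, where the DHCP server lives
}

# /etc/strongswan.d/charon/farp.conf
farp {
    load = yes                           # answer ARP for leased addresses so LAN
                                         # hosts reach VPN clients without routes
}
```

After changing the zone, `shorewall check` followed by `shorewall restart` (or `reload`) regenerates the rules; `iptables -S | grep 'pol ipsec'` should then show `--mode tunnel` in the vpn zone's policy-match rules, and `swanctl --list-sas` shows `TUNNEL` or `TRANSPORT` next to each child SA, so the two can be compared directly. Because the remote address cannot be pinned for these clients, revoking a compromised client certificate (and distributing the CRL to the gateway) is the only way to keep that device out of the vpn zone.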