[Openswan Users] OpenSWAN behind shorewall -- keep getting ESP protocol denied at firewall

Brett Curtis dashnu.mutt at gmail.com
Tue Feb 6 16:33:11 EST 2007


I use standalone iptables, so I'm not exactly sure what is going on here.

What if you mark port 500 4500 and proto 50 then allow the mark in? 

The iptables rules would look like this:

# mark ESP (IP protocol 50), IKE (udp/500) and NAT-T (udp/4500) arriving on the external interface
$IPT -t mangle -A PREROUTING -i $EXTIF -p 50 -j MARK --set-mark 3
$IPT -t mangle -A PREROUTING -i $EXTIF -p udp --dport 500 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -i $EXTIF -p udp --dport 4500 -j MARK --set-mark 1

then dnat the marks?

I would assume you also already have an established,related chain..

If that doesn't work maybe the shorewall list would better serve you.

On 13:18 Tue 06 Feb, Brian Neu wrote:
> Yes, and it works --- then it stops working and suddenly the firewall starts rejecting the proto 50 for no apparent reason.
> 
> Could something be changing with ip_conntrack that would stop this from working?
> 
> 
> Brett Curtis <dashnu.mutt at gmail.com> wrote:
> Port 500, 4500 udp & proto 50 should all be in your prerouting table dnatting
> at the ip of your openswan machine.
> 
> Is this already the case?
> 
> -b
> 
> On 10:17 Tue 06 Feb, Brian Neu wrote:
> > I'm supporting some Linksys BEFVP41 routers connecting back to an Openswan server.  
> > 
> > The server DID have a real IP, but had to be moved behind a Shorewall firewall with NAT.
> > 
> > Now the Linksys clients can actually connect, but then after some unknown event it stops working and the Shorewall firewall suddenly starts producing "REJECT" logs on protocol ESP at the external IP address, even though I have ESP DNAT'd to the Openswan server.  For the moments that the setup is working, the ESP REJECTs aren't happening.  Then suddenly the connections fail and the messages start coming.
> > 
> > I have posted to shorewall-users, and Tom is helping me out, but I wanted to see if anyone has a clue on this.  I just don't understand the protocols well enough to troubleshoot it and I'm under the gun to get a quick fix.
> > 
> > Thanks.
> > 
> 
> > _______________________________________________
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> 
> 
> -- 
> 
> Created with VIM & mutt.
> 
> If you've done six impossible things before breakfast, why not round it
> off with dinner at Milliway's, the restaurant at the end of the universe?
>   -- Douglas Adams, "The Restaurant at the End of the Universe"
> 
> 

-- 

Created with VIM & mutt.

Don't vote -- it only encourages them!
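The symptom in this thread is ESP being rejected in the firewall's own net-to-firewall chain instead of being DNATed and forwarded to the Openswan host, so a quick way to see when that starts is to triage the Shorewall log per remote peer. The script below is an added example, not code from the thread; the log lines are constructed (documentation-range addresses, hypothetical SPIs) in the format Shorewall gives to the netfilter LOG target.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation-range addresses) in the format Shorewall gives
# to the netfilter LOG target: "Shorewall:<chain>:<disposition>:" then the kernel fields.
# ESP carries no ports, so the kernel logs its SPI instead of SPT/DPT.
SAMPLE_LOG = """\
Feb  6 13:10:01 fw kernel: Shorewall:net_dnat:DNAT:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=UDP SPT=500 DPT=500
Feb  6 13:10:02 fw kernel: Shorewall:net2loc:ACCEPT:IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.2 PROTO=ESP SPI=0x1a2b3c4d
Feb  6 13:18:40 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=ESP SPI=0x1a2b3c4d
Feb  6 13:18:41 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=ESP SPI=0x1a2b3c4d
Feb  6 13:18:45 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=ESP SPI=0x99aabbcc
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) .*?Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):"
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:.*?SPI=(?P<spi>0x[0-9a-fA-F]+))?(?:.*?DPT=(?P<dpt>\d+))?"
)

def parse_line(line):
    """Return the netfilter fields of one Shorewall log line, or None if it does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def is_ipsec(ev):
    """IKE (UDP/500), NAT-T (UDP/4500) or ESP (IP protocol 50)."""
    return ev["proto"] == "ESP" or (ev["proto"] == "UDP" and ev["dpt"] in ("500", "4500"))

def analyse(log_text):
    """Per remote peer: how much IPsec traffic passed, how many ESP packets the firewall
    rejected, and whether the rejects began only after traffic had been passing.
    An ESP REJECT in a net-to-firewall chain (net2fw) means the packet went to the
    firewall's own INPUT path, i.e. the PREROUTING DNAT rule did not match it."""
    peers = defaultdict(lambda: {"passed": 0, "esp_rejects": 0, "spis": set(),
                                 "first_reject": None, "stopped_working": False})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or not is_ipsec(ev):
            continue
        p = peers[ev["src"]]
        if ev["disp"] == "REJECT" and ev["proto"] == "ESP":
            p["esp_rejects"] += 1
            p["spis"].add(ev["spi"])
            p["first_reject"] = p["first_reject"] or ev["ts"]
            p["stopped_working"] = p["passed"] > 0      # passed earlier, now rejected
        else:
            p["passed"] += 1
    return dict(peers)

if __name__ == "__main__":
    for src, p in analyse(SAMPLE_LOG).items():
        print(src, p)
```

A peer flagged `stopped_working` matches Brian's description exactly: its IKE and ESP were DNATed and forwarded earlier, then the same SPI started landing in net2fw, which is where to look at what changed in the DNAT match (interface, destination address, or conntrack state) rather than in the reject rule itself.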


