From: <in...@kw...> - 2006-02-07 21:01:46
I've figured out the following.

I am able to sftp from shorewall 2.4.2 left vpn gateway x.x.x.14 (DMZ) to shorewall 2.4.1 fw x.x.x.11 with /etc/shorewall/proxyarp

    x.x.x.14 eth2 eth0 No

very well. That's not through a tunnel (of course a ssh tunnel, but no vpn) but with public ip x.x.x.14 to x.x.x.11

If I try to sftp through the fw to the public internet I have the same problems as mentioned before.

I am able to read/write my provider's router config. It's a Cisco and I found mtu 1456 and encapsulation ppp.

The solution still seems to be far away. I have many facts, but I don't know where they have to fit.

My dmz host doesn't like talking to the internet. Talking to fw and to local works very well.

I will go on trying and changing mtu, mss and some other things.

If there is any idea left, please let me know. Thanks in advance.

Cheers
Mike

-----Original Message-----
From: in...@kw... [mailto:in...@kw...]
Sent: Tuesday, 7 February 2006 21:18
To: 'sho...@li...'
Subject: AW: AW: WG: [Shorewall-users] proxyarp <--> OpenSwan VPN/Internet

Shorewall 2.4.2 on left vpn gate with ip x.x.x.14
Shorewall 2.4.1 on right gate with ip y.y.y.212
Shorewall 2.4.1 on fw with ip x.x.x.11 and /etc/shorewall/proxyarp

    x.x.x.14 eth2 eth0 No

I don't know any IPSEC settings in /etc/shorewall/shorewall.conf. I only know about /etc/shorewall/ipsec and tried out many things like this.

    vpn yes mode=tunnel mss=1300(1400/1500) mss=1300(1400/1500)

At this point I don't think that it has anything to do with /etc/shorewall/ipsec, openswan or anything from the vpn. The troubles are always present if I start transfer jobs from x.x.x.14 (through the tunnel and through the public internet) which is configured in /etc/shorewall/proxyarp in another box with ip x.x.x.11. x.x.x.11 is the one which is connected to my sdsl provider.

Cheers
Mike

-----Original Message-----
From: sho...@li... [mailto:sho...@li...] On behalf of Tom Eastep
Sent: Tuesday, 7 February 2006 16:13
To: sho...@li...
Subject: Re: AW: WG: [Shorewall-users] proxyarp <--> OpenSwan VPN/Internet

On Tuesday 07 February 2006 07:01, in...@kw... wrote:
> I've tried to play with mss values in /etc/shorewall/ipsec
>
> vpn yes mode=tunnel mss=1400(1500,1384,1416,1452,1344)

Which version of Shorewall are you running and what is your setting for IPSECFILE (if any) in /etc/shorewall/shorewall.conf?

>
> After all I decided to leave /etc/shorewall/ipsec empty. Further the
> problem seems to be out of the tunnel, too. I think ipsec file won't help
> with issues out of the ipsec tunnel.
>

That's exactly what it's for!

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ te...@sh...
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key