List:       leaf-user
Subject:    Re: [leaf-user] Shorewall zones file
From:       "Tibbs, Richard" <rwtibbs () RADFORD ! EDU>
Date:       2007-10-19 20:50:47
Message-ID: 426F5AA470AD1843B414094AAEB79534043CAA34 () exchange03

Hi Charles.
I will try udp:500 now.
But net to office firewall net:192.168.10.0 should work I hope.

Later.
Rick

-----Original Message-----
From: Charles Steinkuehler [mailto:charles@steinkuehler.net] 
Sent: Friday, October 19, 2007 4:45 PM
To: Tibbs, Richard
Cc: leaf-user
Subject: Re: [leaf-user] Shorewall zones file

Tibbs, Richard wrote:
> OK, 
> I tried looking at rules file, trying
> ACCEPT loc:192.168.10.0/24 net udp 50
> 
> I saw a message scroll by 
> " ... not defined in "udp 50" zone file..."
> 
> Any idea what that means?

Not without more detail...

It seems like you're trying to get IPSec running through the firewall,
but I'm not sure how.  Is an internal system trying to connect to a
remote system, or are you trying to bring up a tunnel from the firewall
itself?

In general, you need to deal with one (or more) of the following to get
IPSec working:

  Protocol[:Port]
  udp:500
  udp:4500
  50
  51

Protocols 50 and 51 are for IPSec, and may or may not work through a
masquerading firewall (it depends on the tunnel settings and firewall
configuration).  The initial exchange is through UDP port 500, which is
typically used in all IPSec tunnels for key exchange, and sometimes for
all traffic when the "nat-friendly" mode (NAT-T) is enabled (port 4500
is also commonly used for NAT-T).

--
Charles Steinkuehler
charles@steinkuehler.net
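Charles's Protocol[:Port] list written out as Shorewall rules-file entries, as an added example that is not part of the thread. It assumes the classic rules-file column layout (ACTION, SOURCE, DEST, PROTO, DEST PORT(S)) and reuses the loc:192.168.10.0/24 source and net destination from Rick's attempted line; the "udp 50" line is shown only to contrast with the corrected protocol-number form.

```conf
# /etc/shorewall/rules  (added example, not from the thread)
#
# ESP is IP protocol 50, not UDP port 50, so this line is wrong:
#ACCEPT  loc:192.168.10.0/24  net  udp  50
#
# ISAKMP / IKE key exchange
#ACTION  SOURCE               DEST PROTO DEST PORT(S)
ACCEPT   loc:192.168.10.0/24  net  udp   500
# NAT-T (UDP-encapsulated ESP when a NAT is in the path)
ACCEPT   loc:192.168.10.0/24  net  udp   4500
# ESP (IP protocol 50); "esp" from /etc/protocols also works
ACCEPT   loc:192.168.10.0/24  net  50
# AH (IP protocol 51); "ah" also works
ACCEPT   loc:192.168.10.0/24  net  51
```

If the firewall itself terminates the tunnel, the SOURCE/DEST columns become $FW and net instead; behind a masquerading firewall the bare 50/51 rules may still not pass traffic, as Charles notes, and NAT-T on udp:4500 is the usual workaround.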



------------------------------------------------------------------------
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
