No subject
Tue Apr 12 22:17:57 BST 2005
10.1.1.116)
However I can't ping 10.1.1.2 from 10.1.1.116 (correct, blocked by shorewall)
or from 10.4.1.1 (wrong).
The difference is that when I ping from 10.1.1.116 I get shorewall errors
logged which I would expect, but when I ping from 10.4.1.1 I don't get any
shorewall messages logged. This is the only indication that it may not be a
Shorewall problem, but I can't see what else it could be.
Gary
On Monday 23 Aug 2004 12:14 pm, Jim Jackson wrote:
> Gary,
>
> I'm not familiar with OpenVPN - does it use PPP over a tunnel to provide
> the VPN? If so what are your PPP settings?
>
> If your home machine is provided with an IP address on your work lan, the
> VPN server must proxy arp for that IP address, otherwise, things on the
> network won't know where to send their reply packets.
>
> Jim
>
> On Fri, 20 Aug 2004, Gary Stainburn wrote:
> > Hi folks.
> >
> > I'm setting up a VPN from home to work using OpenVPN from my laptop to a
> > machine already set up at work using shorewall to control access.
> >
> > OpenVPN took minutes to download/build/install and minutes to configure.
> > Everything's tickety-boo there (I think). From each end I can ping the
> > remote end of the VPN and the machine hosting it (VPN IP and host IP).
> >
> > However, I can't get in past the machine at work into the work network.
> > I assume that this is a shorewall problem but I can't see what else I need
> > to do. I've included config file extracts below.
> >
> > Anyone got a clue?
> >
> > interfaces
> > ~~~~~~~~
> > loc eth0 detect
> > dmz eth1 detect
> > vpn tun0
> > net eth2 detect norfc1918,routefilter
> >
> > Policy
> > ~~~~~~
> > loc net ACCEPT
> > dmz net ACCEPT
> > loc dmz ACCEPT
> > fw net ACCEPT
> > vpn loc ACCEPT
> > loc vpn ACCEPT
> > vpn fw ACCEPT
> > fw vpn ACCEPT
> > net all DROP info
> > all all REJECT info
> >
> > masq
> > ~~~~
> > eth2 eth0
> >
> > tunnels
> > ~~~~~~
> > openvpn net 80.229.164.202
> >
> > zones
> > ~~~~~
> > net Net Internet
> > loc Local Local networks
> > dmz DMZ Demilitarized zone
> > vpn VPN VPN
> >
> > shorewall.conf
> > ~~~~~~~~~~~~
> > LOGFILE=/var/log/messages
> > LOGFORMAT="Shorewall:%s:%s:"
> > LOGRATE=
> > LOGBURST=
> > BLACKLIST_LOGLEVEL=
> > LOGNEWNOTSYN=info
> > MACLIST_LOG_LEVEL=info
> > TCP_FLAGS_LOG_LEVEL=info
> > RFC1918_LOG_LEVEL=info
> > SMURF_LOG_LEVEL=info
> > BOGON_LOG_LEVEL=info
> > PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
> > SHOREWALL_SHELL=/bin/sh
> > SUBSYSLOCK=/var/lock/subsys/shorewall
> > STATEDIR=/var/lib/shorewall
> > MODULESDIR=
> > FW=fw
> > IP_FORWARDING=On
> > ADD_IP_ALIASES=Yes
> > ADD_SNAT_ALIASES=No
> > TC_ENABLED=No
> > CLEAR_TC=Yes
> > MARK_IN_FORWARD_CHAIN=No
> > CLAMPMSS=No
> > ROUTE_FILTER=No
> > DETECT_DNAT_IPADDRS=No
> > MUTEX_TIMEOUT=60
> > NEWNOTSYN=Yes
> > ADMINISABSENTMINDED=Yes
> > BLACKLISTNEWONLY=Yes
> > MODULE_SUFFIX=
> > BRIDGING=No
> > BLACKLIST_DISPOSITION=DROP
> > MACLIST_DISPOSITION=REJECT
> > TCP_FLAGS_DISPOSITION=DROP
> >
> > --
> > Gary Stainburn
> >
> > This email does not contain private or confidential material as it
> > may be snooped on by interested government parties for unknown
> > and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
> >
> >
> > _______________________________________________
> > Wylug-help mailing list
> > Wylug-help at wylug.org.uk
> > http://list.wylug.org.uk/mailman/listinfo/wylug-help
--
Gary Stainburn
This email does not contain private or confidential material as it
may be snooped on by interested government parties for unknown
and undisclosed purposes - Regulation of Investigatory Powers Act, 2000
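An added illustration of the point Gary makes about the missing log entries (this is not code from the thread or from Shorewall). It replays the quoted policy table with Shorewall's first-match, `all`-wildcard semantics and parses kernel log lines written with the quoted `LOGFORMAT="Shorewall:%s:%s:"`. Assumptions, since the thread does not state them: `loc` on eth0 is 10.1.1.0/24, `vpn` on tun0 is 10.4.1.0/24, and 10.1.1.116 is the firewall's own address (zone `fw`).

```python
import ipaddress
import re

# Policy table as quoted in the thread: (source, dest, policy, log level).
POLICY = [
    ("loc", "net", "ACCEPT", None), ("dmz", "net", "ACCEPT", None),
    ("loc", "dmz", "ACCEPT", None), ("fw",  "net", "ACCEPT", None),
    ("vpn", "loc", "ACCEPT", None), ("loc", "vpn", "ACCEPT", None),
    ("vpn", "fw",  "ACCEPT", None), ("fw",  "vpn", "ACCEPT", None),
    ("net", "all", "DROP",   "info"), ("all", "all", "REJECT", "info"),
]

# Assumed address plan; the thread names interfaces but not prefixes.
FW_ADDRS = {"10.1.1.116"}                       # firewall's own eth0 address
ZONES = {"loc": ipaddress.ip_network("10.1.1.0/24"),
         "vpn": ipaddress.ip_network("10.4.1.0/24")}

def zone_of(ip):
    """Map an address to a Shorewall zone; anything unknown is 'net'."""
    if ip in FW_ADDRS:
        return "fw"
    addr = ipaddress.ip_address(ip)
    for zone, net in ZONES.items():
        if addr in net:
            return zone
    return "net"

def policy_for(src_zone, dst_zone):
    """First matching policy line wins; 'all' matches any zone."""
    for s, d, action, level in POLICY:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return action, level
    return "REJECT", None        # unreachable with a trailing all/all line

def expect_log(src, dst):
    """True if a packet on this path would be dropped/rejected AND logged.
    vpn->loc is ACCEPT, so silence in syslog is consistent with the firewall
    forwarding the ping and the reply going astray (routing/proxy ARP)."""
    _, level = policy_for(zone_of(src), zone_of(dst))
    return level is not None

# With LOGFORMAT="Shorewall:%s:%s:" the prefix is Shorewall:<chain>:<disp>:
LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<disp>\w+):.*?IN=(?P<in>\S*)"
                    r" .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)")

def parse_log(line):
    """Return chain, disposition, IN, SRC, DST from a Shorewall syslog line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None
```

Running `expect_log("10.1.1.116", "10.1.1.2")` gives True (fw to loc falls through to the logged all/all REJECT) while `expect_log("10.4.1.1", "10.1.1.2")` gives False, which matches the observation in the thread.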