Thanks a lot, Tom.

- The 2 subnet-subnet tunnels work perfectly following your instructions.

- Now if I would like to add a road-warrior, could I just expand your instructions further as follows?

In /etc/shorewall/zones I have

vpn      VPN      VPN local-network
vpn2     VPN2     VPN dmz-network
vpnRW    VPNRW    VPN for Road Warrior

In /etc/shorewall/tunnels

ipsec    net    0.0.0.0/0    vpn,vpn2,vpnRW

In /etc/shorewall/interfaces

-    ipsec0

and /etc/shorewall/hosts

vpn      ipsec0:<his-local-subnet>
vpn2     ipsec0:<his-dmz-subnet>
vpnRW    ipsec0:0.0.0.0/0

and allow vpnRW and my-local to access each other in /etc/shorewall/policy

vpnRW    loc      ACCEPT
loc      vpnRW    ACCEPT

----- Original Message -----
From: "Tom Eastep" <[EMAIL PROTECTED]>
To: "M Lu" <[EMAIL PROTECTED]>
Cc: "LEAF user list" <[EMAIL PROTECTED]>
Sent: Tuesday, May 27, 2003 2:51 PM
Subject: Re: [leaf-user] VPN local to remote-dmz

> On Tue, 27 May 2003 14:28:06 -0700, M Lu <[EMAIL PROTECTED]> wrote:
>
> > Thank you Tom,
> >
> > It seems straightforward to add another connection (my-local - his-dmz) in
> > 'ipsec.conf' but I do not know how to add another zone and associate it in
> > '/etc/shorewall/interfaces'. Say I have second zone in '/etc/shorewall/zones'
> >
> > vpn      VPN      VPN local-network
> > vpn2     VPN2     VPN dmz-network
> >
> > and in '/etc/shorewall/tunnels' I have
> >
> > ipsec    net    remote-IP    vpn,vpn2
> >
> > How do I represent them in '/etc/shorewall/interfaces' so that I can later
> > have policy to allow 'vpn2' to 'dmz', but not the other way.
>
> /etc/shorewall/interfaces:
>
> -    ipsec0
>
> /etc/shorewall/hosts:
>
> vpn      ipsec0:<his-local-subnet>
> vpn2     ipsec0:<his-dmz-subnet>
>
> > Also, is it possible for me to add Road Warrior (again I need to access
> > local and dmz) and they coexist with the permanent subnet-subnet? In that
> > case, how does Shorewall know which zone is permanent and which zone will be
> > up and down?
>
> I have absolutely no clue what question you just asked...
>
> -Tom
> --
> Tom Eastep      \ Shorewall - iptables made easy
> Shoreline,       \ http://www.shorewall.net
> Washington USA    \ [EMAIL PROTECTED]
>
> leaf-user mailing list: [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/leaf-user
> SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
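The proposed hosts file above defines three zones on the same ipsec0 interface whose networks overlap: the road-warrior entry 0.0.0.0/0 contains both subnet-to-subnet ranges, so which zone a peer lands in, and therefore which policy line applies to it, depends on how Shorewall resolves the overlap. The checker below is an added example, not code from this thread, from LEAF or from Shorewall. It parses the zones and hosts entries from the thread (with constructed placeholder subnets standing in for <his-local-subnet> and <his-dmz-subnet>), reports the zone a given peer address is assigned to, lists the overlapping pairs, and flags zones that can never match. It assumes that, where hosts entries on one interface overlap, the zone listed earliest in /etc/shorewall/zones takes precedence; the function names are the example's own.

```python
"""Zone assignment checker for overlapping /etc/shorewall/hosts entries.

Added example for the leaf-user thread above; not code from the thread,
from LEAF or from Shorewall. Assumption: where hosts entries on the same
interface overlap, the zone listed earliest in /etc/shorewall/zones wins.
"""
import ipaddress

# Constructed sample input based on the zones and hosts entries in the thread.
# The placeholder subnets stand in for <his-local-subnet> and <his-dmz-subnet>.
ZONES_FILE = """\
# ZONE   DISPLAY   COMMENTS
net      Net       Internet
loc      Local     Local network
dmz      DMZ       DMZ
vpn      VPN       VPN local-network
vpn2     VPN2      VPN dmz-network
vpnRW    VPNRW     VPN for Road Warrior
"""

HOSTS_FILE = """\
# ZONE   HOST(S)
vpn      ipsec0:192.168.10.0/24
vpn2     ipsec0:192.168.20.0/24
vpnRW    ipsec0:0.0.0.0/0
"""


def _fields(text):
    """Yield the whitespace-separated fields of each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_zones(text):
    """Zone names in file order; the order is what decides precedence."""
    return [fields[0] for fields in _fields(text)]


def parse_hosts(text):
    """(zone, interface, network) triples from a hosts file."""
    entries = []
    for zone, spec, *_ in _fields(text):
        iface, sep, net = spec.partition(":")
        if not sep:
            raise ValueError("hosts entry needs INTERFACE:ADDRESS, got %r" % spec)
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries


def _rank(zone_order):
    """Return a key function: zone name -> position in zones (unknown zones last)."""
    rank = {zone: i for i, zone in enumerate(zone_order)}
    return lambda zone: rank.get(zone, len(zone_order))


def classify_peer(zone_order, hosts, iface, address):
    """Zone that traffic arriving on `iface` from `address` is assigned to.

    Every hosts entry whose network contains the address is a candidate;
    under the assumed rule the candidate from the earliest-listed zone wins.
    Returns None when no entry on that interface matches.
    """
    addr = ipaddress.ip_address(address)
    rank = _rank(zone_order)
    candidates = [zone for zone, i, net in hosts if i == iface and addr in net]
    return min(candidates, key=rank) if candidates else None


def find_overlaps(zone_order, hosts):
    """(zone_a, zone_b, winner) for each pair of overlapping entries on one interface."""
    rank = _rank(zone_order)
    overlaps = []
    for n, (za, ia, na) in enumerate(hosts):
        for zb, ib, nb in hosts[n + 1:]:
            if ia == ib and za != zb and na.overlaps(nb):
                overlaps.append((za, zb, min(za, zb, key=rank)))
    return overlaps


def shadowed_zones(zone_order, hosts):
    """Zones that can never match: each of their entries is fully contained in
    an entry of an earlier-listed zone on the same interface."""
    rank = _rank(zone_order)
    shadowed = set()
    for zone in {z for z, _, _ in hosts}:
        own = [(i, n) for z, i, n in hosts if z == zone]
        if all(any(rank(z2) < rank(zone) and i2 == i and n.subnet_of(n2)
                   for z2, i2, n2 in hosts) for i, n in own):
            shadowed.add(zone)
    return shadowed


if __name__ == "__main__":
    zones, hosts = parse_zones(ZONES_FILE), parse_hosts(HOSTS_FILE)
    for peer in ("192.168.10.5", "192.168.20.7", "10.9.9.9"):
        print(peer, "->", classify_peer(zones, hosts, "ipsec0", peer))
    for za, zb, winner in find_overlaps(zones, hosts):
        print("overlap: %s / %s, %s takes precedence" % (za, zb, winner))
    print("shadowed:", shadowed_zones(zones, hosts) or "none")
```

With vpnRW listed after vpn and vpn2, as in the thread, the catch-all only picks up peers outside the two fixed subnets, so the loc/vpnRW ACCEPT policy lines reach road warriors and nothing else. List vpnRW first and both subnet zones are reported as shadowed: the site-to-site peers would then be classified as road warriors and inherit the vpnRW policy instead of their own.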