Hello,

I have set up an IPSec VPN for our office network. Our firewall is a Debian Woody box with Shorewall 1.2. It shares our DSL connection. Following the documentation, I have enabled a roadwarrior-type tunnel like this:

# TYPE ZONE GATEWAY GATEWAY ZONE
ipsec net 0.0.0.0/0 vpn

It works fine for actual standalone machines. However, one client machine we have is behind a home NAT gateway with a 192.168.0.0/24 subnet behind it. Its IP is 192.168.0.51. We are having problems with this one machine but not with other roadwarriors. I am pretty sure that my ipsec.conf config is fine because I have done this before. pluto knows what to do to enable this tunnel.

The exact problem with this one Win2k box is that the firewall drops packets arriving on UDP port 500. Do I need to set up the tunnel differently with Shorewall? I guess I could just apply global rules to let all IPSec traffic in, but I am curious to know if there is a handy way to do it with the /etc/shorewall/tunnels file. There is one line in the doc that confuses me (I am not a native English speaker):

"Note that the GATEWAY ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system."

In my case, I think that the gateway system doesn't comprise the peer subnetwork, right?

Thank you in advance for enlightening me.

Best Regards,

--
Mathieu G.-P.
[EMAIL PROTECTED]

1-877-8KUTOKA
Weekdays 9AM - 5PM Eastern Time
Weekdays 9:00 AM - 5:00 PM Eastern Time



------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
