Philipp Rusch wrote:
> I see support in shorewall for the KAME-tools, how about strongswan?
Shorewall does not have support for the KAME-tools. The Shorewall
IPSEC-2.6 documentation happens to use the KAME-tools to configure IPSEC
but there is nothing in Shorewall that is KAME-specific.
> I have setup shorewall 3.4.4 and strongswan 4.1.3, making this my
> vpn-gateway for the subnet behind it.
>
> # Shorewall version 3.4 - Zones File
> #ZONE   TYPE       OPTIONS                 IN          OUT
> #                                          OPTIONS     OPTIONS
> fw      firewall
> fil     ipsec      mode=tunnel mss=1400
> net     ipv4
> loc     ipv4
> vpn1    ipv4
> vpn2    ipv4
>
> # Shorewall version 3.4 - Tunnels File
> #TYPE                 ZONE   GATEWAY           GATEWAY
> #                                               ZONE
> openvpnserver:7777    net    0.0.0.0/0
> openvpnserver:7778    net    0.0.0.0/0
> ipsec                 net    212.168.178.226
>
> # Shorewall version 3.4 - Hosts file
> #ZONE   HOST(S)                   OPTIONS
> fil     eth1:192.168.246.0/24     ipsec
>
> # Shorewall version 3.4 - Interfaces File
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> net     eth1        detect      norfc1918,nosmurfs
> loc     eth0        detect
> vpn1    tun0                    (these are openvpn tunnels)
> vpn2    tun1                    ...
>
> policy (for testing only)
> # IPSec - VPN
> fil     fw      ACCEPT
> fw      fil     ACCEPT
> fil     loc     ACCEPT
> loc     fil     ACCEPT
>
>
> My problem is reaching the remote sites; from a remote station to hosts on
> the LAN behind the shorewall there is no problem at all.
So remote sites can reach local ones but local ones can't reach remote ones?
> But how does shorewall "help" routing to recognize that those private
> IPs are to be reached through the ipsec tunnel?
a) Shorewall doesn't 'help' anything. If this IPSEC setup doesn't work
without Shorewall, then it won't work with Shorewall.
b) Under kernel 2.6, IPSEC policies are totally separate from routing.
> There is no transfer net like with OpenVPN where I could
> easily add routes by hand.
>
> What am I doing wrong here ?
a) Does everything work if you "shorewall clear" then run this command?
iptables -A FORWARD -j TCPMSS --set-mss 1400
If it doesn't, then the problem has nothing to do with Shorewall.
b) If everything works without Shorewall, then what are you seeing in
your Shorewall log?
c) If you can't solve the problem by looking at your log then please
follow the instructions at http://www.shorewall.net/support.htm#Guidelines.
-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ [EMAIL PROTECTED]
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
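Point b) above is the key one: on a 2.6 kernel a tunnel-mode IPsec SA never appears in `ip route`, so the place to look for "is 192.168.246.0/24 supposed to go through the tunnel?" is the security policy database shown by `ip xfrm policy show`. The following is an added example, not code from this thread, from Shorewall or from strongSwan. It parses that output and reports whether the three policies a gateway needs (`out` towards the remote subnet, `in` and `fwd` towards the local LAN) are present. The remote subnet 192.168.246.0/24 and remote gateway 212.168.178.226 come from the posted configuration; the local LAN 192.168.1.0/24 and the local gateway address 203.0.113.10 are assumptions, and both SPD listings are constructed samples.

```shell
#!/bin/sh
# Added example (not from the list post, Shorewall or strongSwan): check the
# kernel 2.6 IPsec SPD instead of the routing table, because tunnel-mode IPsec
# does not show up in `ip route`. Assumed addresses: local LAN 192.168.1.0/24,
# local gateway 203.0.113.10. From the posted config: remote subnet
# 192.168.246.0/24, remote gateway 212.168.178.226.

# Constructed sample of `ip xfrm policy show` for a complete tunnel-mode pair
# (real output indents with tabs; the parser below accepts tabs or spaces).
SPD_COMPLETE='src 192.168.1.0/24 dst 192.168.246.0/24
    dir out priority 2344
    tmpl src 203.0.113.10 dst 212.168.178.226
        proto esp reqid 1 mode tunnel
src 192.168.246.0/24 dst 192.168.1.0/24
    dir in priority 2344
    tmpl src 212.168.178.226 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 192.168.246.0/24 dst 192.168.1.0/24
    dir fwd priority 2344
    tmpl src 212.168.178.226 dst 203.0.113.10
        proto esp reqid 1 mode tunnel'

# Constructed sample with the outbound policy missing: packets for
# 192.168.246.0/24 then follow the ordinary routing table in clear text,
# which is the "routing does not know about the tunnel" symptom.
SPD_NO_OUT='src 192.168.246.0/24 dst 192.168.1.0/24
    dir in priority 2344
    tmpl src 212.168.178.226 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 192.168.246.0/24 dst 192.168.1.0/24
    dir fwd priority 2344
    tmpl src 212.168.178.226 dst 203.0.113.10
        proto esp reqid 1 mode tunnel'

# missing_selectors LOCAL_NET REMOTE_NET SPD_TEXT
# Prints "ok" when SPD_TEXT holds an `out` policy to REMOTE_NET and both an
# `in` and a `fwd` policy to LOCAL_NET (the gateway forwards for the LAN, so
# `fwd` is needed as well as `in`). Otherwise prints each missing "dir dst",
# one per line, in the order out, in, fwd.
missing_selectors() {
    printf '%s\n' "$3" | awk -v local="$1" -v remote="$2" '
        # A policy block starts with an unindented "src A dst B" line.
        /^src / { dst = $4 }
        # The indented "dir out|in|fwd ..." line names the direction.
        /^[ \t]*dir / { have[$2 " " dst] = 1 }
        END {
            n = split("out " remote "|in " local "|fwd " local, want, "|")
            miss = 0
            for (i = 1; i <= n; i++)
                if (!(want[i] in have)) { print want[i]; miss++ }
            if (!miss) print "ok"
        }'
}

# On a live gateway, feed the real SPD in instead of the sample:
#   missing_selectors 192.168.1.0/24 192.168.246.0/24 "$(ip xfrm policy show)"
echo "complete SPD:  $(missing_selectors 192.168.1.0/24 192.168.246.0/24 "$SPD_COMPLETE")"
echo "no out policy: $(missing_selectors 192.168.1.0/24 192.168.246.0/24 "$SPD_NO_OUT")"
```

If this reports "ok" on the gateway and local-to-remote traffic still fails, the SPD is not the problem and the next step is the one Tom gives: `shorewall clear`, add the TCPMSS rule by hand, and retest before looking at the Shorewall log.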
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
