Tom Eastep wrote:
Philipp Rusch wrote:
I see support in shorewall for the KAME-tools, how about strongswan ?
Shorewall does not have support for the KAME-tools. The Shorewall
IPSEC-2.6 documentation happens to use the KAME-tools to configure IPSEC
but there is nothing in Shorewall that is KAME-specific.
I have setup shorewall 3.4.4 and strongswan 4.1.3, making this my
vpn-gateway for the subnet behind it.
# Shorewall version 3.4 - Zones File
#ZONE   TYPE      OPTIONS                 IN OPTIONS   OUT OPTIONS
fw      firewall
fil     ipsec     mode=tunnel mss=1400
net     ipv4
loc     ipv4
vpn1    ipv4
vpn2    ipv4

# Shorewall version 3.4 - Tunnels File
#TYPE                ZONE   GATEWAY           GATEWAY ZONE
openvpnserver:7777   net    0.0.0.0/0
openvpnserver:7778   net    0.0.0.0/0
ipsec                net    212.168.178.226

# Shorewall version 3.4 - Hosts file
#ZONE   HOST(S)                  OPTIONS
fil     eth1:192.168.246.0/24    ipsec

# Shorewall version 3.4 - Interfaces File
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth1        detect      norfc1918,nosmurfs
loc     eth0        detect
vpn1    tun0        (these are openvpn tunnels)
vpn2    tun1        ...
policy (for testing only)
# IPSec - VPN
fil     fw      ACCEPT
fw      fil     ACCEPT
fil     loc     ACCEPT
loc     fil     ACCEPT
My problem is to reach the remote sites; from a remote station to hosts on the LAN behind the shorewall there is no problem at all.
So remote sites can reach local ones but local ones can't reach remote ones?
YES, exactly - and in addition, I have major problems connecting to the fw itself (e.g. with PuTTY) from remote and then starting mc or YaST from the TTY screen, which produces some traffic; then this session hangs.
But how does shorewall "help" routing to recognize that those private IPs are to be reached through the ipsec tunnel?
a) Shorewall doesn't 'help' anything. If this IPSEC setup doesn't work
without Shorewall, then it won't work with Shorewall.
b) Under kernel 2.6, IPSEC policies are totally separate from routing.
There is no transfer net like with OpenVPN where I could easily add routes by hand.
What am I doing wrong here ?
a) Does everything work if you "shorewall clear" then run this command?

    iptables -A FORWARD -j TCPMSS --set-mss 1400
If it doesn't, then the problem has nothing to do with Shorewall.
I will try this tomorrow, it's late at night here.
b) If everything works without Shorewall, then what are you seeing in your Shorewall log?
If I ping or traceroute to a remote private IP address it goes to the all2all queue, which means to me that shorewall is not set up correctly for those tunnels.
c) If you can't solve the problem by looking at your log then please follow the instructions at http://www.shorewall.net/support.htm#Guidelines.
OK - I will do this tomorrow.
Thanks for your time, Tom !
-Tom
------------------------------------------------------------------------
Regards, Philipp
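An added example, not code from this thread or from Shorewall itself: a small model of how the zones, hosts, interfaces and policy entries quoted above would classify a forwarded packet, and which policy chain (or all2all) it then lands in. Assumptions: the LAN address 192.168.1.5 and remote host 192.168.246.10 are constructed samples, and an ipsec-type zone only claims packets the kernel marks as IPsec-protected (Shorewall's policy match); anything else on the same interface falls to that interface's ipv4 zone.

```python
# Added example: model of zone classification for the config quoted in the thread.
# ASSUMPTION: an ipsec zone claims only packets the kernel reports as IPsec-protected.
from ipaddress import ip_address, ip_network

# Zones per interface, from the quoted interfaces file.
INTERFACE_ZONES = {"eth1": "net", "eth0": "loc", "tun0": "vpn1", "tun1": "vpn2"}
# The quoted hosts entry: IPsec-protected hosts in 192.168.246.0/24 seen on eth1 are "fil".
IPSEC_HOSTS = [("fil", "eth1", ip_network("192.168.246.0/24"))]
# The quoted policy excerpt ("for testing only").
POLICIES = [("fil", "fw", "ACCEPT"), ("fw", "fil", "ACCEPT"),
            ("fil", "loc", "ACCEPT"), ("loc", "fil", "ACCEPT")]


def zone_of(iface, addr, ipsec):
    """Zone of host `addr` seen on `iface`; `ipsec` says whether the kernel
    reports the packet as IPsec-protected on that side of the firewall."""
    if ipsec:
        for zone, host_iface, net in IPSEC_HOSTS:
            if host_iface == iface and ip_address(addr) in net:
                return zone
    return INTERFACE_ZONES[iface]


def classify(in_iface, src, src_ipsec, out_iface, dst, dst_ipsec):
    """Return (source zone, dest zone, chain) for a forwarded packet: the
    chain of the matching policy, or 'all2all' when no quoted policy covers
    the zone pair."""
    szone = zone_of(in_iface, src, src_ipsec)
    dzone = zone_of(out_iface, dst, dst_ipsec)
    for s, d, _action in POLICIES:
        if (s, d) == (szone, dzone):
            return szone, dzone, f"{szone}2{dzone}"
    return szone, dzone, "all2all"


if __name__ == "__main__":
    # Constructed packets: remote->LAN decrypted on eth1, LAN->remote with and
    # without an IPsec policy covering the outbound packet.
    samples = [
        ("eth1", "192.168.246.10", True, "eth0", "192.168.1.5", False),
        ("eth0", "192.168.1.5", False, "eth1", "192.168.246.10", True),
        ("eth0", "192.168.1.5", False, "eth1", "192.168.246.10", False),
    ]
    for pkt in samples:
        print(pkt[1], "->", pkt[4], "=>", classify(*pkt))
```

The third sample shows why an outbound packet that the kernel does not match to an IPsec policy never reaches loc2fil: it is classified as net and, with no loc-to-net policy in the quoted excerpt, ends up in all2all.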
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users