Quoting [EMAIL PROTECTED]:

> Quoting [EMAIL PROTECTED]:
>
>> Quoting Tom Eastep <[EMAIL PROTECTED]>:
>>
>>> lists wrote:
>>>
>>>> So, I've allowed traffic from $FW to vpn and from vpn to $FW. Having
>>>> looked at the documentation at www.shorewall.net that seems to be all I
>>>> need to do. I can't help thinking I must have missed something really
>>>> obvious but if I have I can't spot it. I've not updated any rules to
>>>> allow specific types of traffic to/from the router. I understood that
>>>> the policy should allow everything to/from the router to the vpn zone.
>>>> Is that correct?
>>>>
>>>
>>> This problem usually results from mis-configuration of IPSEC and has
>>> nothing to do with Shorewall. Does it work if you "shorewall clear" to
>>> remove Shorewall from the picture?
>>
>> Yes, the problem still occurs after invoking "shorewall clear". I
>> should have thought to try that myself. Thanks for the suggestion.
>>
>> I'll dig further into the ipsec config docs.
>>
>
> A follow up post to help anyone in the future searching the archives:
>
> I've since found that I can ping remote hosts on the VPN from my local
> router if I force the ping to use the internal NIC. So, "ping
> 192.168.1.1 -I eth0" works but "ping 192.168.1.1" doesn't (eth0 is my
> internal NIC, eth2 is my external NIC.)
>
> I've tried updating my routing table to force requests for the remote
> LAN to be sent via eth0 instead of eth2 but this seems to kill the VPN
> entirely.
>
> The routing table looks like this:
>
> 1.2.3.0/24 dev eth2 proto kernel scope link src 1.2.3.4
> 10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
> 192.168.1.0/24 via 1.2.3.1 dev eth2
> 192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
> 169.254.0.0/16 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> default via 1.2.3.1 dev eth2
>
> Where:
> 1.2.3.4 is my public IP
> 1.2.3.1 is my ISP router at the other end of my ADSL line
> 192.168.0.0/24 is the local LAN
> 192.168.1.0/24 is the remote LAN
> eth0 is the internal interface
> eth2 is the external interface
>
> It seems that I need to force all packets that originate on the local
> router that are destined for the remote LAN to be sent via the
> internal NIC. Firstly, is this something that's possible using
> shorewall? Secondly, is it a sensible approach to solving the problem?
>

I tried to implement the rule described in the above paragraph using a
REDIRECT rule but found that I always seemed to need to specify a port.
I then tried a DNAT rule and succeeded in getting pings to the remote
LAN (192.168.1.1) to be sent to the internal NIC but that simply
resulted in pings to the remote LAN from the router being answered by
the local NIC. That's nearly what I want but seems to be rewriting the
destination rather than rewriting the source.

I then thought that I'd need to use an SNAT rule but the netmap file
doesn't allow me to specify source rewriting only for packets that
originate on the router and are destined for the remote LAN. I want to
leave packets that originate on the local LAN as they are since that
part of the VPN works.

Does anyone have any suggestions on how to implement the source
rewriting rule?

Thanks,
Steve.

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
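An added example, not part of the thread: a simplified Python model of the kernel's route lookup and source-address selection, run over the routing table posted above. It shows why a plain `ping 192.168.1.1` from the router leaves eth2 with source 1.2.3.4 while `ping -I eth0` leaves eth0 with source 192.168.0.1, and only the second pair falls inside a LAN-to-LAN IPsec selector; that selector (192.168.0.0/24 to 192.168.1.0/24) is an assumption, since the thread does not show the IPsec configuration.

```python
import ipaddress
from collections import namedtuple

# Routing table as posted in the thread, in `ip route` output format.
ROUTE_TABLE = """\
1.2.3.0/24 dev eth2 proto kernel scope link src 1.2.3.4
10.0.0.0/24 dev eth2 proto kernel scope link src 10.0.0.1
192.168.1.0/24 via 1.2.3.1 dev eth2
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 1.2.3.1 dev eth2
"""
# Assumed IPsec selector (the thread does not show the IPsec config): LAN to LAN only.
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")
REMOTE_LAN = ipaddress.ip_network("192.168.1.0/24")
Route = namedtuple("Route", "prefix dev via src")

def parse_routes(text):
    routes = []
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        kv = dict(zip(parts[1::2], parts[2::2]))  # dev/via/proto/scope/src pairs
        routes.append(Route(ipaddress.ip_network(dst), kv["dev"], kv.get("via"), kv.get("src")))
    return routes

def lookup(routes, dst):
    """Longest-prefix match over the candidate routes."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen) if hits else None

def device_address(routes, dev):
    """Primary address of dev: the src of its first connected (kernel) route."""
    return next((r.src for r in routes if r.dev == dev and r.src), None)

def egress(routes, dst, bind_dev=None):
    """(device, source) for a packet the router itself sends to dst. bind_dev models
    `ping -I <dev>`: only that device's routes count, and with no match the kernel
    assumes dst is on-link and uses the device's own address."""
    candidates = routes if bind_dev is None else [r for r in routes if r.dev == bind_dev]
    route = lookup(candidates, dst)
    if route is None:
        return (bind_dev, device_address(routes, bind_dev)) if bind_dev else None
    return route.dev, route.src or device_address(routes, route.dev)

def tunnel_selects(src, dst):
    """Does the assumed LAN-to-LAN IPsec policy match this source/destination pair?"""
    return ipaddress.ip_address(src) in LOCAL_LAN and ipaddress.ip_address(dst) in REMOTE_LAN
```

Router-originated traffic to the remote LAN therefore needs a source the tunnel policy covers, which is why forcing the routing table to push it out eth0 is not the same fix as giving it a 192.168.0.x source.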
