Keith Edmunds wrote:
> # shorewall version
> 4.0.15
>
> I'd like some advice, please.
>
> Aim: to route packets between two Shorewall systems with an OpenVPN
> connection between them, and to use the public IP addresses of each system
> to do so.
>
> Situation: I have a point to point OpenVPN between two Shorewall servers
> using tun addresses 172.16.92.1 and .2. I want packets from SystemA that
> are addressed to the external address of SystemB to be routed via the VPN.
>
> What I have done:
>
> DNAT all vpn:172.16.92.2 all - - $SystemB_ExtIP
>
> That works fine when the VPN is already established; however, it prevents
> the VPN from being established in the first place (presumably because the
> packets sent to establish the VPN are being DNAT'd to a currently
> unavailable address).
>
> Maybe I'm missing something obvious, or maybe I'm going about this the
> wrong way. I'd be grateful for others' ideas.
Precede that DNAT rule with:

NONAT $FW net:$SystemB_ExtIP udp 1194

That of course assumes that your OpenVPN tunnel uses UDP port 1194.

Beware that this setup will essentially prevent any traffic to systemB when OpenVPN is down.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA    \ all of the passengers in his car
http://shorewall.net \________________________________________________
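The two rules from this thread laid out as they would sit in the Shorewall configuration, as an added example rather than anything posted by Keith or Tom; the address in params is a placeholder, and the zone names vpn and net and the OpenVPN port UDP 1194 are assumptions.

```text
# /etc/shorewall/params
# Placeholder: substitute SystemB's real public address.
SystemB_ExtIP=203.0.113.20

# /etc/shorewall/rules
# Order matters: Shorewall compiles these into the nat table in file order
# and the first match wins, so the NONAT exception for the tunnel's own
# traffic must precede the DNAT that would otherwise swallow it.
#ACTION  SOURCE   DEST                  PROTO  DEST   SOURCE  ORIGINAL
#                                              PORT   PORT    DEST
# Let the OpenVPN handshake reach SystemB's public address directly.
NONAT    $FW      net:$SystemB_ExtIP    udp    1194
# Send everything else addressed to SystemB's public IP through the tunnel.
DNAT     all      vpn:172.16.92.2       all    -      -       $SystemB_ExtIP
```

If the tunnel were run over TCP instead, the NONAT line would name tcp and the port actually configured in the OpenVPN server config; while the tunnel is down, all other traffic to SystemB's public address is still redirected into the unreachable tunnel address, as Tom notes.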
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
