Hi everyone!

First of all, sorry about my bad English and the length of this e-mail.

I need some help to implement a VPN connection using shorewall and openswan
as IPSec Tunnel.

My network map:

CLIENT VPN APPLIANCE --> +++INTERNET+++ --> FIREWALL --> OPENSWAN SERVER
(DMZ)

I have two VPN connections with two different subnets to the other end. Both
of them are correctly established.

One of my doubts is how to configure the hosts, tunnels and zones files for
the VPN server in the DMZ. I have these files so far:

shorewall 1
zones:
xxx
conn1 ipv4
conn2 ipv4

tunnels:
ipsec   net     200.xxx.xxx.xxx

hosts:
conn1 eth0:192.168.102.0/24,200.xxx.xxx.xxx ipsec
conn2 eth0:10.201.136.0/21,200.xxx.xxx.xxx  ipsec

policy:
conn1 $FW   ACCEPT  info
conn2 $FW   ACCEPT  info
$FW conn1 ACCEPT  info
$FW conn2 ACCEPT  info
dmz conn1 ACCEPT  info
dmz conn2 ACCEPT  info

rules:
DNAT conn1  dmz:192.168.1.224
DNAT conn2  dmz:192.168.1.224

Are they correct?

The 192.168.1.224 is the server running Openswan (eth0 only). On this
server, I'm running another shorewall (accepting everything incoming and
outgoing). When traffic reaches the VPN server, I NAT 3 specific ports to
another two servers on the DMZ. Apparently, here is the problem. The second
subnet (10.x.x.x), and the most important one, is not communicating properly.
I think my second firewall is not working correctly.

shorewall 2
rules:
DNAT    all     net:192.168.1.xxx       udp     xxx
DNAT    all     net:192.168.1.xxx       udp     xxx
DNAT    all     net:192.168.1.xxx       tcp     xxx

Are these rules correct? Do I need to implement tunnels and hosts files on
this shorewall too?

Best regards,

João K.
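As an added example (not part of the post above and not Shorewall's own tooling), here is a small cross-reference check for the four tables shown in the message: it parses zones, hosts, policy and tunnels in Shorewall's whitespace-separated layout and reports any zone used in hosts, policy or tunnels that was never declared in zones. The sample tables are constructed in the shape of the post; 203.0.113.10 is a documentation-range placeholder for the remote gateway, and the misspelled zone in the policy sample is deliberate.

```python
# Added example: cross-check zone names across Shorewall zones/hosts/policy/tunnels
# tables. An undeclared zone in policy or hosts is a common reason an IPsec tunnel
# is established but traffic through it never matches the intended policy.

BUILTIN_ZONES = {"$FW", "all", "any", "none"}  # names valid without a zones entry


def parse_table(text):
    """Split a Shorewall table into rows of fields, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            rows.append(line.split())
    return rows


def check_config(zones_txt, hosts_txt, policy_txt, tunnels_txt):
    """Return a list of problems; an empty list means the zone references agree."""
    declared = {row[0] for row in parse_table(zones_txt)}
    known = declared | BUILTIN_ZONES
    problems = []
    for row in parse_table(hosts_txt):          # ZONE  INTERFACE:ADDRESSES  OPTIONS
        if len(row) < 2:
            problems.append(f"hosts: incomplete line {' '.join(row)!r}")
            continue
        if row[0] not in declared:
            problems.append(f"hosts: zone {row[0]!r} not declared in zones")
        if ":" not in row[1]:
            problems.append(f"hosts: {row[1]!r} is not INTERFACE:ADDRESSES")
    for row in parse_table(policy_txt):         # SOURCE  DEST  POLICY  LOGLEVEL
        for zone in row[:2]:
            if zone not in known:
                problems.append(f"policy: zone {zone!r} not declared in zones")
    for row in parse_table(tunnels_txt):        # TYPE  ZONE  GATEWAY
        if len(row) >= 2 and row[1] not in declared:
            problems.append(f"tunnels: zone {row[1]!r} not declared in zones")
    return problems


# Constructed sample in the layout of the post; 'con2' in policy is a deliberate typo.
ZONES = "net ipv4\ndmz ipv4\nconn1 ipv4\nconn2 ipv4\n"
HOSTS = ("conn1 eth0:192.168.102.0/24,203.0.113.10 ipsec\n"
         "conn2 eth0:10.201.136.0/21,203.0.113.10 ipsec\n")
POLICY = "conn1 $FW ACCEPT info\nconn2 $FW ACCEPT info\ndmz con2 ACCEPT info\n"
TUNNELS = "ipsec net 203.0.113.10\n"

if __name__ == "__main__":
    for problem in check_config(ZONES, HOSTS, POLICY, TUNNELS):
        print(problem)
```

Pointing the four string constants at the real files (for example via open().read()) turns this into a quick pre-restart check for the second Shorewall box as well.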
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users