I am doing this because I was not authorized to create a VPN server on the
main firewall because it is a client remote server 5000km from where my
company is. If something happens on this server, our support could cost at
least one day to get there. This would shut down our electronic ticketing
system communication.
The configuration would be much simpler with openswan running on the main
firewall.
I will test these connections and try to post the logs here.
Thanks for your help!
João
2009/6/10 Tom Eastep <teas...@shorewall.net>
> João Kuchnier wrote:
> >
> > 2009/6/10 Tom Eastep <teas...@shorewall.net>
> >
> > João Kuchnier wrote:
> > > Tom,
> > >
> > > Thanks for your help. I managed to configure the IPSec connection
> through
> > > the firewall using the rules specified at
> http://www.shorewall.net/VPN.htm
> > > with NAT traversal.
> > >
> > > Now, my only problem is using shorewall on the VPN Server. Are the
> rules I
> > > mentioned before correct?
> > >
> > > RULES
> > > DNAT all net:192.168.1.xxx udp 2000
> > > DNAT all net:192.168.1.xxx udp 2010
> > > DNAT all net:192.168.1.xxx tcp 2004
> > >
> > > I need to NAT specific packets coming from the VPN connection to
> another
> > > two servers. These servers need to respond to these packets using the
> > ipsec
> > > tunnel.
> >
> > I'm sorry but I'm completely confused about what you are trying to
> do.
> > So I can't say whether those rules are correct or not.
> >
> >
> > --> Sorry, I will try to explain better...
> >
> >
> >
> > It looks to me like you are trying to use routing/DNAT to 'help'
> IPSEC
> > where IPSEC could probably do what you want by itself. It strikes me
> > that 192.168.1.xxx will probably send its responses to the redirected
> > requests back through your main firewall rather than through the VPN
> > server which, of course, won't work.
> >
> >
> > --> Yes, something like this. The firewall running on the openswan
> > server (only one interface), besides accepting every connection, will NAT
> > three types of connections to two different servers. On these two
> > servers, I created two routes for them to respond to incoming VPN packets.
> > The gateway of these rules points to the openswan server.
> >
> > Routes on one of the other servers on the DMZ...
> > 192.168.102.0   192.168.1.224   255.255.255.0   UG 0 0 0 eth2
> > 10.201.136.0    192.168.1.224   255.255.248.0   UG 0 0 0 eth2
> >
> > Do you think the request response can get through vpn connection?
>
> I don't know. I still don't understand why you have this complicated
> configuration with multiple tunnels and DNAT on two different systems.
> There has to be a better way, but none of us reading this thread can
> figure out what it is you are really trying to accomplish.
>
> So I can only advise you to try the connection and see what happens.
>
> -Tom
> --
> Tom Eastep \ When I die, I want to go like my Grandfather who
> Shoreline, \ died peacefully in his sleep. Not screaming like
> Washington, USA \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
>
>
> ------------------------------------------------------------------------------
> Crystal Reports - New Free Runtime and 30 Day Trial
> Check out the new simplified licensing option that enables unlimited
> royalty-free distribution of the report engine for externally facing
> server and web deployment.
> http://p.sf.net/sfu/businessobjects
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
>
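A check for the asymmetric-routing concern Tom raises above: whether replies to the redirected requests would be handed to the VPN server or leave via the main firewall. This is an added example, not code from the thread; it evaluates the two routes João posted against a constructed table that also assumes a default route via a placeholder main-firewall address (192.168.1.1), using a longest-prefix lookup as a stand-in for the kernel's route selection.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    iface: str


def parse_route_table(lines: List[str]) -> List[Route]:
    """Parse 'Destination Gateway Genmask Flags ... Iface' lines in the
    layout printed by `route -n`; flag and metric columns are ignored."""
    routes = []
    for line in lines:
        cols = line.split()
        dest, gw, mask, iface = cols[0], cols[1], cols[2], cols[-1]
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface))
    return routes


def select_route(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def asymmetric_return_paths(table: List[Route], vpn_remote_nets: List[str],
                            vpn_server_ip: str) -> List[str]:
    """Return the VPN remote networks whose reply traffic would NOT be sent
    to the VPN server, i.e. replies would bypass the tunnel."""
    bad = []
    for net in vpn_remote_nets:
        probe = str(ipaddress.IPv4Network(net)[1])  # first usable host
        r = select_route(table, probe)
        if r is None or r.gateway != vpn_server_ip:
            bad.append(net)
    return bad


# Constructed sample: the two routes quoted in the thread plus an assumed
# default route via the main firewall (192.168.1.1 is a placeholder).
DMZ_ROUTE_TABLE = parse_route_table([
    "192.168.102.0  192.168.1.224  255.255.255.0  UG 0 0 0 eth2",
    "10.201.136.0   192.168.1.224  255.255.248.0  UG 0 0 0 eth2",
    "0.0.0.0        192.168.1.1    0.0.0.0        UG 0 0 0 eth2",
])
```

Any remote VPN subnet reported by `asymmetric_return_paths` needs its own route via 192.168.1.224 on the DMZ host, otherwise its replies go out through the main firewall as Tom describes.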