Hi, I have tried to read all kinds of documentation, but I am still not able to set up my network properly. We have a firewall which has:

- eth1: network interface, public IP address a.b.c.d
- eth0: LAN, 172.22.80.1/24
- tun0: OpenVPN server's interface running on this firewall, 192.168.255.1/24

At the same time, on this firewall there is an IPsec tunnel to the remote gateway x.y.z.w. Behind the remote gateway there are dozens of networks which are all accessed through this IPsec tunnel. We use Openswan for the IPsec.

The IPsec tunnel is working when we try to access from the LAN (172.22.80.0/24), but unfortunately the remote Cisco gateway is configured to only allow hosts from this LAN to access the remote networks. But we'd like to access them from our VPN network too. So I assume I can SNAT/masq on the firewall from 192.168.255.0/24 to 172.22.80.1 and then it'll work. But I'm not able to make it work, i.e. when I try to ping from 192.168.255.1 to any remote address, the ICMP packets go out on eth1 _without_ IPsec putting them into the tunnel.

I read in Shorewall's IPsec HOWTO:
-----------------------------------
"In /etc/shorewall/masq, traffic that will later be encrypted is exempted from MASQUERADE/SNAT using existing entries. If you want to MASQUERADE/SNAT outgoing traffic that will later be encrypted, you must include the appropriate indication in the new IPSEC column in that file."
-----------------------------------
But what does it mean? I put into my masq file:
-----------------------------------
$NET_IF:$REMOTE_NET $VPNS_NET $LAN_IP - - mode=tunnel
-----------------------------------
but I tried many others too. None of them is working. What should I write into this file in order to be able to masq all traffic from the VPN network to the remote network to my LAN interface's address?

Thanks in advance.

Regards.
--
Levente
"Si vis pacem para bellum!"
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
