Hey, I think I managed to figure out my issue. I included the masq, removed the DNAT entries from the rules list and then determined that internal + external worked at the IP level. The remaining issue was DNS based, so I pointed the DNS servers in the config files to point to the internal one first. That seems to have solved my issue. I am not sure if it's the most optimal solution or not, but I got something working.
Sorry for the noise.

Brandon Slack

On 2012-10-24, at 11:17 AM, Brandon Slack <[email protected]> wrote:

> Hey
>
> First, apologies if this went out twice. I sent the original email from an odd email configuration (essentially from an alias of what I signed up as). I searched and noticed that my post did not appear and I did not get a bounce back, so I was confused. I waited a few days before resending. So apologies if this goes out twice. I am not trying to spam.
>
> I was hoping someone could help me with L2TP/IPSEC routing issues. I have a fairly typical setup in which I have a server with eth0 (local traffic) and eth1 (external/internet traffic). I also have a VPN with OpenSwan/xl2tpd/ppp. I want users that log into the system to be able to use both eth0 and eth1. E.g. local internal sites are available, as is the internet. Thus far, my success has been either granting access to the local intranet, or the external internet, but not actually both at the same time. Could someone help give me some guidance? I have read the docs and previous mailing lists that I could find on this first. Below is my configuration, and I have attached the shorewall dump.
>
> The below configuration allows users to access the local intranet. To enable external internet access, I add a 'masq' file as seen below and two DNAT rules (also shown below commented out); unfortunately this kills my local intranet access when connected, so it's disabled for now. Can anyone point me in the right direction for having both internal intranet and external internet working when connected via my L2TP VPN?
>
> Thanks for any hints or pointers (the dump is also attached)
>
> # masq
> #############################################################################################
> #INTERFACE:DEST   SOURCE           ADDRESS   PROTO   PORT(S)   IPSEC   MARK   USER/GROUP
> #eth1             192.168.0.0/24   # uncomment for external network access (kills internal local intranet access) - also uncomment rules for dnat
>
> # HOSTS
> ###############################################################################
> #ZONE   HOST(S)           OPTIONS
> vpn     eth1:0.0.0.0/0
>
> # Interfaces
> ###############################################################################
> #ZONE   INTERFACE   BROADCAST   OPTIONS
> loc     eth0        detect      tcpflags
> net     eth1        detect      norfc1918,logmartians,nosmurfs,tcpflags
> l2tp    ppp+        detect      routeback
>
> # Policy
> ###############################################################################
> #SOURCE   DEST   POLICY   LOG     LIMIT:   CONNLIMIT:
> #                         LEVEL   BURST    MASK
> fw        all    ACCEPT
> loc       fw     ACCEPT
> loc       net    ACCEPT   # policy for inbound L2TP Zone
>
> # policy for inbound L2TP Zone
> loc       l2tp   ACCEPT           # allows local machines to connect (good for testing purposes)
> l2tp      loc    ACCEPT           # allows for going back to local (yay for internet when VPN connected)
> l2tp      net    ACCEPT   debug   # allow connected people to get to internet
> l2tp      fw     ACCEPT   debug
>
> net       all    DROP     info
> all       all    REJECT   info
>
> # Rules
> ####################################################################################################################################################################
> #ACTION   SOURCE   DEST   PROTO   DEST   SOURCE    ORIGINAL   RATE    USER/   MARK   CONNLIMIT   TIME   HEADERS
> #                                 PORT   PORT(S)   DEST       LIMIT   GROUP
> #SECTION ESTABLISHED
> #SECTION RELATED
> #SECTION NEW
>
> ACCEPT   net   fw   tcp   ssh,ftp,sftp,www,https
> ACCEPT   loc   fw   tcp   ssh,ftp,sftp,www,https
> ACCEPT   loc   fw   tcp   3000
> ACCEPT   loc   fw   udp   69
> ACCEPT   loc   fw   udp   514
>
> # Prevent IPSEC bypass by hosts behind NAT Gateway
> # and block 1701 to prevent tunnel from being open to internet
> L2TP(REJECT)   net    $FW
> REJECT         $FW    net   udp   -   1701
> ACCEPT         vpn    fw    udp   1701
> ACCEPT         l2tp   fw    tcp   ssh,ftp,sftp,www,https
>
> # uncomment below and masq file to enable external network access
> #DNAT   net   vpn:206.214.243.203   udp   4500
> #DNAT   net   vpn:206.214.243.203   udp   500
>
> # Tunnels
> ###############################################################################
> #TYPE      ZONE   GATEWAY     GATEWAY ZONE
> #ipsec     net    0.0.0.0/0   vpn
> ipsecnat   net    0.0.0.0/0   vpn
>
> # Zones
> ###############################################################################
> #ZONE   TYPE       OPTIONS   IN OPTIONS   OUT OPTIONS
> fw      firewall
> net     ipv4
> loc     ipv4
> l2tp    ipv4
> vpn     ipsec
>
> Here are some logs with the above configuration. Traffic appears to be going out:
>
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.820268] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1218 DF PROTO=TCP SPT=59275 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.820280] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=6067 DF PROTO=TCP SPT=59277 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.820292] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=54514 DF PROTO=TCP SPT=59276 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.920148] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.34.90 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=27607 DF PROTO=TCP SPT=59282 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832699.920162] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.232.114 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37034 DF PROTO=TCP SPT=59281 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832700.122307] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.34.34 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=55267 DF PROTO=TCP SPT=59285 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX kernel: [1832700.122321] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.232.188 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=28037 DF PROTO=TCP SPT=59284 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 22 14:24:35 YYZUNIX xl2
>
> <Dump.txt>

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
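Added here as a troubleshooting aid, not part of the thread: a small parser for Shorewall kernel log lines in the format quoted above (`Shorewall:<chain>:<disposition>:` followed by netfilter key=value fields) that tallies traffic per chain and interface pair and checks whether VPN client packets are being accepted out of the external interface. The two ACCEPT lines are copied from the quoted log; the `net2all` DROP line and its addresses are constructed to show how a blocked packet would appear.

```python
import re
from collections import Counter

# Sample input: first two lines are copied from the thread's log, the third is
# constructed (documentation addresses) to show a packet dropped by the
# "net all DROP info" policy.
SAMPLE_LOG = """\
Oct 22 14:24:35 YYZUNIX kernel: [1832699.820268] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=74.125.142.108 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=1218 DF PROTO=TCP SPT=59275 DPT=993 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:35 YYZUNIX kernel: [1832699.920162] Shorewall:l2tp2net:ACCEPT:IN=ppp0 OUT=eth1 MAC= SRC=192.168.0.230 DST=17.172.232.114 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=37034 DF PROTO=TCP SPT=59281 DPT=5223 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 22 14:24:36 YYZUNIX kernel: [1832700.500000] Shorewall:net2all:DROP:IN=eth1 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=UDP SPT=1701 DPT=1701 LEN=20
"""

# chain and disposition never contain ':'; everything after the third ':' is
# the netfilter field list.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<fields>.*)$")

def parse_line(line):
    """Return a dict for one Shorewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec.setdefault(key, val)          # first LEN wins; UDP payload LEN is ignored
        else:
            rec.setdefault("flags", []).append(tok)   # bare tokens such as DF, SYN
    return rec

def summarize(text):
    """Count (chain, disposition, IN, OUT, PROTO, DPT) tuples across the log."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["chain"], rec["disposition"], rec.get("IN", ""),
                    rec.get("OUT", ""), rec.get("PROTO", ""), rec.get("DPT", ""))] += 1
    return counts

def vpn_to_net_ok(text, vpn_iface="ppp", net_iface="eth1"):
    """True if traffic entering on a VPN interface is accepted out of the net interface."""
    return any(chain.endswith("2net") and disp == "ACCEPT"
               and in_if.startswith(vpn_iface) and out_if == net_iface
               for (chain, disp, in_if, out_if, _, _) in summarize(text))

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print("VPN -> net accepted:", vpn_to_net_ok(SAMPLE_LOG))
```

Feed it `journalctl -k` or `/var/log/kern.log` output to see at a glance which zone pair and interface each accepted or dropped packet hit, which is the quickest way to tell a firewall policy problem from a routing or DNS one.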
