A follow-up on my ipsec/l2tp connection issues/woes/solution. I was not able to find a working setup with shorewall and zywall vpn appliance using shorewall-tunnels. However, I was able to configure a working solution using proxyarp.

Issue detail
------------------
The zywall appliance vpn logs would complain of ike 'phase 2 proposal mismatch' regardless of shorewall configuration. I see similar reports on zyxel/zywall forums with similar issues. These zywall/nat issues appear resolved in zywall firmware 4.11 and greater (my zywall is 3.30) - see http://kb.zyxel.com/KB/searchArticle!gwsViewDetail.action?articleOid=014849&lang=EN

Perhaps this was the issue or my ipsec/iptables/netfilter naivety! Therefore I made the following configuration changes:
----------------
1. On zywall appliance - <zywall wan IP> - set with external IP/mask/gateway (it was previously configured on admx zone with private rfc1918 IP)

2. On shorewall appliance:

in /etc/shorewall/proxyarp added:
<zywall wan IP> eth4 eth0 no yes

in /etc/shorewall/rules added:
ACCEPT net admx:<zywall wan IP> udp 4500
ACCEPT net admx:<zywall wan IP> udp 500

in /etc/shorewall/interfaces added:
'routeback' option to admx eth4 zone.

Cheers,
Chop

On Thu, Sep 3, 2015 at 9:59 AM, Tom Eastep <[email protected]> wrote:
> All you need is to add another entry in the tunnels file for the admx zone.
>
> -Tom
>
> On 9/2/2015 8:29 AM, Chop Wow wrote:
> > Okay so maybe I am overthinking this. Would a feasible approach be:
> >
> > 1. Add the second external IP as eth0:0
> >
> > 2. In rules, DNAT 4500 and 500 to Zywall in admx zone:
> > DNAT net admx:<Zywall IP> udp 500 - <eth0:0 IP>
> > DNAT net admx:<Zywall IP> udp 4500 - <eth0:0 IP>
> >
> > As per http://shorewall.net/VPN.htm
> >
> > Thanks again
> >
> > On Thu, Jun 4, 2015 at 1:11 PM, Chop Wow <[email protected]> wrote:
> >
> >     Hi All,
> >
> >     I have Libreswan/Xl2tpd IPSec/L2TP VPN running on the firewall appliance.
> >     As such I have the zones/interfaces/tunnel (see below) and standard rules associated with the VPN.
> >
> >     A user in the admx zone has acquired a hardware stack that requires an IPSEC/L2tp connection to connect to it. It has its own VPN/router.
> >
> >     Can I define a second passthrough IPSEC tunnel to the user hardware and not affect my existing VPN on the Shorewall appliance?
> >
> >     Thanks,
> >
> >     ~Chop
> >
> >     Shorewall version: 4.5.16.1
> >
> >     interfaces
> >     ------------
> >     net    eth0    dhcp,tcpflags,nosmurfs,routefilter,sourceroute=0,blacklist
> >     loc    eth1    tcpflags,nosmurfs,routefilter
> >     l2tp   ppp+
> >     cpp    eth2    tcpflags,nosmurfs
> >     dc1    eth3    tcpflags,nosmurfs
> >     admx   eth4    tcpflags,nosmurfs
> >     ovpn   tun+
> >
> >     zones
> >     -------------
> >     fw     firewall
> >     net    ipv4
> >     vpn    ipsec
> >     l2tp   ipv4
> >     loc    ipv4
> >     cpp    ipv4
> >     dc1    ipv4
> >     admx   ipv4
> >     ovpn   ipv4
> >
> >     tunnel
> >     ------------
> >     ipsec                    net    0.0.0.0/0    vpn
> >     openvpnserver:tcp:443    net    0.0.0.0/0
>
> --
> Tom Eastep           \ When I die, I want to go like my Grandfather who
> Shoreline,            \ died peacefully in his sleep. Not screaming like
> Washington, USA        \ all of the passengers in his car
> http://shorewall.net    \________________________________________________
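The Shorewall entries in the follow-up above are declarative, so it is worth seeing what they come down to on the box. The script below is an added example, not code from the thread or from the Shorewall project: it emits, as a dry run, the hand-typed ip/sysctl/iptables equivalents of the proxyarp line (a host route out of the internal interface because HAVEROUTE is "no", and proxy_arp switched on for the external interface) and of the two ACCEPT rules for IKE (udp/500) and NAT-T (udp/4500). The address 203.0.113.10 is a placeholder, and plain FORWARD-chain rules are an assumption of mine; Shorewall actually generates per-zone chains such as net2admx. The ESP rule is also not in the posted configuration: it is included because UDP-4500 encapsulation is only negotiated when IKE detects a NAT, and once the appliance sits behind proxy ARP with its own public address there is no NAT, so a peer may send raw ESP (IP protocol 50) instead.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): print the manual
# equivalents of the Shorewall proxyarp + rules entries as a dry run.
# Address and interface names are placeholders passed in as arguments.

# Shorewall proxyarp entry "<addr> <int_if> <ext_if> no yes" boils down to:
#   1. a /32 route for the address via the internal interface (HAVEROUTE=no)
#   2. proxy_arp enabled on the external interface, so the firewall answers
#      ARP requests for the address on behalf of the appliance
proxyarp_cmds() {
    addr=$1; int_if=$2; ext_if=$3
    printf 'ip route replace %s/32 dev %s\n' "$addr" "$int_if"
    printf 'sysctl -w net.ipv4.conf.%s.proxy_arp=1\n' "$ext_if"
}

# Rough netfilter equivalents of "ACCEPT net admx:<addr> udp 500/4500".
# The esp rule is an addition (assumption): needed if the peers detect no
# NAT and therefore do not wrap ESP in UDP/4500.
ike_rules() {
    addr=$1; ext_if=$2; int_if=$3
    for port in 500 4500; do
        printf 'iptables -A FORWARD -i %s -o %s -d %s -p udp --dport %s -j ACCEPT\n' \
            "$ext_if" "$int_if" "$addr" "$port"
    done
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p esp -j ACCEPT\n' \
        "$ext_if" "$int_if" "$addr"
}

# Build the full plan and sanity-check it before anyone pastes it into a
# root shell: the route, the proxy_arp toggle and both IKE ports must all
# reference the same address and interfaces. Prints the plan on success.
# Usage: check_plan <appliance-ip> <internal-if> <external-if>
check_plan() {
    plan=$(proxyarp_cmds "$1" "$2" "$3"; ike_rules "$1" "$3" "$2")
    echo "$plan" | grep -q "ip route replace $1/32 dev $2"        || return 1
    echo "$plan" | grep -q "net.ipv4.conf.$3.proxy_arp=1"         || return 1
    echo "$plan" | grep -q -- "-d $1 -p udp --dport 500 -j ACCEPT"  || return 1
    echo "$plan" | grep -q -- "-d $1 -p udp --dport 4500 -j ACCEPT" || return 1
    echo "$plan"
}

# Example with a documentation-range placeholder address:
# check_plan 203.0.113.10 eth4 eth0
```

After applying the real Shorewall configuration, `ip route get <appliance IP>` on the firewall should show the address reached via the internal interface (eth4 in the thread), and `/proc/sys/net/ipv4/conf/eth0/proxy_arp` should read 1; if either is off, upstream ARP for the appliance's public address goes unanswered and IKE never arrives at all.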
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
