On 12/14/2017 02:50 PM, Tom Eastep wrote:
> On 12/14/2017 02:28 PM, Colony.three via Shorewall-users wrote:
>> I have a VM which is the LAN router, and another VM in the LAN which
>> is the ipsec gateway. (strongswan)
>>
>> I'm not fully understanding the guide here; 
>> http://www.shorewall.net/IPSEC-2.6.html
>>
>>
>>
>> - Does this still apply to kernel 4.*?  There isn't a
>> http://www.shorewall.net/IPSEC.html
>>
>> - It doesn't say to set up DNAT on the router.  How does the router
>> know where the ipsec gateway is?
>>
>> - On the laptop, tunnels should be set as:  ipsec net 206.162.148.9
>> vpn.  But what is that IP?  The dynamic IP of the laptop, or the
>> outside interface of the remote router?
>>
>> - If the latter, is there a way in the laptop's tunnels to, instead of
>> an explicit IP, do a DNS request, to get that remote IP?
>>
>> - Wouldn't I need to set up DNAT in and SNAT out for ports 500 and 4500?
>>
>> - How do I enable protocols 50 & 51?  Would that be on one or both ports?
>>
> There is no Shorewall document that describes configuring the local
> responding endpoint on a system behind the Shorewall hosts. Such a
> configuration is of very limited utility, since it only allows remote
> access to the local endpoint host, and not to any other local host
> (including the Shorewall host). So the IPSEC-2.6 document only covers
> the case where the Shorewall host is the local responding endpoint.
>
> If you really want to configure a host behind the firewall as your
> local responding endpoint, then you must:
>
> a) Configure IPSEC to use NAT Traversal.
> b) DNAT UDP 500 and 4500 to the local endpoint host.
>
> You don't need to worry about the other protocols, as they will
> be encapsulated within UDP port 4500 packets.
>
> -Tom

Thanks.  The reason I have this structure in mind is, if ipsec is
compromised, I want the ne'er-do-well to end up in a benign VM, -not-
the router.

You're saying though if I do it this way, then the remote laptop cannot
access machines on the LAN other than the gateway?  Surely there's an
ipsec setting.
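As an added illustration (not part of the original thread and not taken from the Shorewall project's documentation), here is the DNAT step Tom describes written in Shorewall rules-file syntax for the router VM's /etc/shorewall/rules. The zone names net and loc and the strongSwan VM address 192.168.10.20 are assumptions; substitute your own.

```conf
# /etc/shorewall/rules on the router VM  (added example; zone names and
# the 192.168.10.20 address are assumed, not from the original thread)
#
# Forward IKE (UDP 500) and NAT-T (UDP 4500) arriving from the Internet to
# the strongSwan VM inside the LAN.  With NAT Traversal enabled on both
# peers, ESP (protocol 50) and AH (protocol 51) ride inside the UDP 4500
# stream, so no separate rule is needed for them on the router.
#
#ACTION   SOURCE   DEST                 PROTO   DPORT
DNAT      net      loc:192.168.10.20    udp     500,4500
```

After editing the file, `shorewall check` validates the syntax and `shorewall restart` (or `shorewall reload`) applies it. As Tom notes, this only exposes the endpoint VM itself to the remote peer; reaching other LAN hosts through that endpoint would require routing on the endpoint VM, which is outside what this rule provides.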