>> DNAT { SOURCE=net, DEST=apps:172.20.2.44, PROTO=udp,
>> DPORT=500,4500, ORIGDEST=$IPSEC_IP }
>
> Tom, on this line, is IPSEC_IP something I must set?
>
> If so, would this be the router's outside IP?  Could I do a command 
> substitution like $(curl ipinfo.io/ip) ?

PS - Here's what I've cooked up for the ipsec.d/ipsec-local.conf files on the two ends. I don't yet know whether they work, but I hope to find out today:

Laptop:

# Debug: a comma-separated list of "<type> <level>" pairs, e.g.: dmn 3, ike 1, net -1.
# Acceptable values for types are dmn, mgr, ike, chd,  job,  cfg, knl,
#       net,  asn, enc, lib, esp, tls, tnc, imc, imv, pts
#       and the level is one of -1, 0, 1, 2, 3, 4
#charondebug = <debug list>   (a "config setup" option; this snippet has no such section, so add one before uncommenting)
#charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        # Defaults inherited by every conn below (strongSwan ipsec.conf).
        # IKE SA lifetime; the CHILD (ESP) SA is rekeyed more often (keylife).
        ikelifetime=60m
        # keylife is the older spelling of "lifetime": the CHILD SA lifetime.
        keylife=20m
        # Begin rekeying this long before a lifetime expires so traffic is not
        # interrupted at the boundary.
        rekeymargin=3m
        keyexchange=ikev2
        # https://lists.strongswan.org/pipermail/users/2015-April/007809.html
        # AES-GCM is an AEAD, so no separate integrity algorithm is listed; the
        # PRF therefore has to be named explicitly in the IKE proposal.
        # The trailing "!" makes both lists strict: only these exact proposals
        # are accepted, nothing else is negotiated.
        # NOTE(review): ntru256/ntru384 presumably come from strongSwan's
        # experimental "ntru" plugin (private-use group identifiers, not an
        # IANA-registered DH group), so both ends must be strongSwan with that
        # plugin built and loaded, or the proposals will never match. Confirm
        # on both machines before relying on it. The group in the esp= line
        # means CHILD SA rekeys also do a fresh key exchange (PFS).
        ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
        esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
        # Client side: when dead-peer detection fires, tear down and
        # re-initiate the connection.
        dpdaction=restart

conn vpn
        # Roaming client: the local address is whatever interface is up when
        # the connection is started.
        left=%any
        # Client certificate; a relative name is by default looked up under
        # /etc/ipsec.d/certs/. The matching private key still has to be
        # referenced in ipsec.secrets, which is not part of this snippet.
        leftcert=quantumcert.pem
        # Request a virtual IP from the gateway (it offers 192.168.1.2/32 via
        # rightsourceip in the gateway config below).
        leftsourceip=%config

        # NOTE(review): 192.168.1.2 is the virtual IP the gateway assigns to
        # this client (rightsourceip=192.168.1.2/32), not the gateway itself
        # (left=192.168.1.13 there), and neither address is reachable from
        # outside the LAN. A laptop arriving through the router's DNAT needs
        # the router's externally reachable address (the $IPSEC_IP of the
        # quoted Shorewall rule) or a DNS name for it here. Confirm which
        # address was intended.
        # NOTE(review): no rightid is set, so the identity expected from the
        # gateway is derived from right=; the gateway, having no leftid,
        # presumably presents its certificate subject instead. Verify the two
        # agree, or set rightid explicitly.
        right=192.168.1.2
        # Remote traffic selectors; mirrors leftsubnet on the gateway.
        rightsubnet=192.168.1.0/24,10.0.0.0/24

        # Bring the tunnel up as soon as charon starts.
        auto=start

IPsec gateway (the "left" end in this config; on the LAN, behind the router):

# Debug: a comma-separated list of "<type> <level>" pairs, e.g.: dmn 3, ike 1, net -1.
# Acceptable values for types are dmn, mgr, ike, chd,  job,  cfg, knl,
#       net,  asn, enc, lib, esp, tls, tnc, imc, imv, pts
#       and the level is one of -1, 0, 1, 2, 3, 4
#charondebug = <debug list>   (a "config setup" option; this snippet has no such section, so add one before uncommenting)
#charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
        # Defaults inherited by every conn below (strongSwan ipsec.conf).
        # These must agree with the laptop's %default section, and they do.
        # IKE SA lifetime; the CHILD (ESP) SA is rekeyed more often (keylife).
        ikelifetime=60m
        # keylife is the older spelling of "lifetime": the CHILD SA lifetime.
        keylife=20m
        # Begin rekeying this long before a lifetime expires so traffic is not
        # interrupted at the boundary.
        rekeymargin=3m
        keyexchange=ikev2
        # https://lists.strongswan.org/pipermail/users/2015-April/007809.html
        # AES-GCM is an AEAD, so no separate integrity algorithm is listed; the
        # PRF therefore has to be named explicitly in the IKE proposal.
        # The trailing "!" makes both lists strict: only these exact proposals
        # are accepted, nothing else is negotiated.
        # NOTE(review): ntru256/ntru384 presumably come from strongSwan's
        # experimental "ntru" plugin (private-use group identifiers, not an
        # IANA-registered DH group), so both ends must be strongSwan with that
        # plugin built and loaded, or the proposals will never match. Confirm
        # on both machines before relying on it. The group in the esp= line
        # means CHILD SA rekeys also do a fresh key exchange (PFS).
        ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
        esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
        # Responder side: when dead-peer detection fires, just drop the SA and
        # wait; the client (dpdaction=restart) is the one that reconnects.
        dpdaction=clear

conn vpn
        # The gateway's own LAN address. It sits behind the router, so the
        # router must DNAT UDP 500 and 4500 (IKE and NAT-T) to this host; the
        # quoted Shorewall rule forwards to 172.20.2.44, so for this gateway
        # its DEST would have to be this address instead.
        left=192.168.1.13
        # NOTE(review): same file name as on the laptop. If both ends really
        # share one certificate/key pair, a compromised laptop can impersonate
        # the gateway; give each end its own certificate.
        leftcert=quantumcert.pem
        # Always send our certificate so the client does not need a local copy.
        leftsendcert=always
        # Networks reachable through the tunnel; mirrors rightsubnet on the
        # laptop.
        leftsubnet=192.168.1.0/24,10.0.0.0/24

        # Accept the client from any address (roaming, possibly behind NAT).
        # NOTE(review): with right=%any and neither rightid nor rightca set,
        # any peer holding a certificate that chains to any CA in
        # ipsec.d/cacerts is accepted. Pin the client with rightca= (issuer DN)
        # or rightid= once the client certificate's identity is known.
        right=%any
        # Virtual IP handed to the client: a single /32, so only one client can
        # be connected at a time.
        # NOTE(review): this address lies inside leftsubnet (192.168.1.0/24),
        # so LAN hosts will ARP for it locally; the gateway presumably has to
        # answer on the client's behalf (strongSwan's farp plugin) or return
        # traffic never enters the tunnel -- confirm.
        rightsourceip=192.168.1.2/32
        # DNS server pushed to the client along with the virtual IP.
        rightdns=192.168.1.1

        # Load the conn and wait for the client to initiate (responder role).
        auto=add