>> DNAT { SOURCE=net, DEST=apps:172.20.2.44, PROTO=udp,
>> DPORT=500,4500, ORIGDEST=$IPSEC_IP }
>
> Tom, on this line, is IPSEC_IP something I must set?
>
> If so, would this be the router's outside IP? Could I do a command
> substitution like $(curl ipinfo.io/ip) ?
PS - Here's what I've cooked up for the ipsec.d/ipsec-local.conf files. No
idea if they work, but hopefully will today:
Laptop:
# Debug: A comma separated list, e.g: dmn 3, ike 1, net -1.
# Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl,
# net, asn, enc, lib, esp, tls, tnc, imc, imv, pts
# and the level is one of -1, 0, 1, 2, 3, 4
#charondebug = <debug list>
#charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    # https://lists.strongswan.org/pipermail/users/2015-April/007809.html
    ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
    esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
    dpdaction=restart

conn vpn
    left=%any
    leftcert=quantumcert.pem
    # %config: request a virtual IP from the gateway's rightsourceip pool
    leftsourceip=%config
    right=192.168.1.2
    rightsubnet=192.168.1.0/24,10.0.0.0/24
    auto=start
Left ipsec gateway (in LAN, beyond the router):
# Debug: A comma separated list, e.g: dmn 3, ike 1, net -1.
# Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl,
# net, asn, enc, lib, esp, tls, tnc, imc, imv, pts
# and the level is one of -1, 0, 1, 2, 3, 4
#charondebug = <debug list>
#charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    # https://lists.strongswan.org/pipermail/users/2015-April/007809.html
    ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
    esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
    dpdaction=clear

conn vpn
    left=192.168.1.13
    leftcert=quantumcert.pem
    leftsendcert=always
    leftsubnet=192.168.1.0/24,10.0.0.0/24
    right=%any
    # pool handed to the peer that asked for leftsourceip=%config
    rightsourceip=192.168.1.2/32
    rightdns=192.168.1.1
    auto=add
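The two conn blocks above have to mirror each other before an IKEv2 negotiation can succeed: the ike/esp proposal lists must overlap, keyexchange must agree, the subnets the laptop expects behind the gateway must be ones the gateway actually offers, and leftsourceip=%config on the laptop needs a rightsourceip pool on the gateway. The script below is an added example, not part of the post or of strongSwan; it parses the ipsec.conf syntax (conn sections, %default inheritance, the trailing "!" strict marker) and reports those checks for the conn named "vpn". The embedded copies of the two files are constructed from the snippets above, with indentation restored, so it runs offline.

```python
"""Cross-check an initiator and responder ipsec.conf for a matching conn."""
import re

# Constructed copy of the laptop file posted above (indentation restored).
LAPTOP_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
    esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
    dpdaction=restart

conn vpn
    left=%any
    leftcert=quantumcert.pem
    leftsourceip=%config
    right=192.168.1.2
    rightsubnet=192.168.1.0/24,10.0.0.0/24
    auto=start
"""

# Constructed copy of the gateway file posted above.
GATEWAY_CONF = """\
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
    esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
    dpdaction=clear

conn vpn
    left=192.168.1.13
    leftcert=quantumcert.pem
    leftsendcert=always
    leftsubnet=192.168.1.0/24,10.0.0.0/24
    right=%any
    rightsourceip=192.168.1.2/32
    rightdns=192.168.1.1
    auto=add
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with %default settings folded in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r'^(conn|ca|config)\s+(\S+)\s*$', line)
        if m:                                      # section header
            current = sections.setdefault(m.group(2), {})
            continue
        if current is None or '=' not in line:
            raise ValueError('unexpected line: %r' % raw)
        key, _, value = line.strip().partition('=')
        current[key.strip()] = value.strip()
    default = sections.get('%default', {})
    return {name: {**default, **sec}
            for name, sec in sections.items() if name != '%default'}


def proposals(value):
    """'a,b!' -> {'a', 'b'}; the trailing '!' only marks the list as strict."""
    return set(value.rstrip('!').split(','))


def check_pair(initiator, responder, conn='vpn'):
    """Compare one conn on both peers and return human-readable findings."""
    i = parse_ipsec_conf(initiator)[conn]
    r = parse_ipsec_conf(responder)[conn]
    findings = []
    ok = i.get('keyexchange') == r.get('keyexchange')
    findings.append('keyexchange: %s' % ('match' if ok else 'MISMATCH'))
    for key in ('ike', 'esp'):
        # At least one proposal must be acceptable to both sides.
        ok = bool(proposals(i.get(key, '')) & proposals(r.get(key, '')))
        findings.append('%s: %s' % (key, 'match' if ok else 'MISMATCH'))
    # Traffic selectors the initiator wants must be offered by the responder.
    want = set(i.get('rightsubnet', '').split(','))
    have = set(r.get('leftsubnet', '').split(','))
    findings.append('subnets: %s' % ('match' if want <= have
                                     else 'MISMATCH %s' % sorted(want - have)))
    # A %config request needs a pool or fixed address on the responder.
    if i.get('leftsourceip') == '%config':
        findings.append('virtual IP: %s' % (
            'pool %s' % r['rightsourceip'] if 'rightsourceip' in r
            else 'MISSING rightsourceip on responder'))
    return findings


if __name__ == '__main__':
    for line in check_pair(LAPTOP_CONF, GATEWAY_CONF):
        print(line)
```

The peer addresses are deliberately not compared: behind the DNAT rule quoted at the top, the laptop's right= is the router's outside address (the ORIGDEST of that rule), not the gateway's left=, so those two values are expected to differ.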
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users