On 01/09/2018 04:22 PM, Colony.three via Shorewall-users wrote:
> We have a LAN, made up of a number of KVM virtual machines, one of which
> is the router for the WAN and another is the IPSec gateway. (Libreswan)
> 
> I have DNAT working fine from the (internal) IPSec gateway through the
> router to my phone and back.  A while ago Tom gave me an iptables
> command to allow the phone access to the rest of the LAN.  But it
> doesn't work in the reverse, and it may not be the Shorewall way to do
> traffic in both directions, although I have no evidence of this.
> 
> So there exists the LAN, remote phones, remote laptops, and a remote
> mail server.  We'd like all to communicate democratically using
> Libreswan, each with their own auth credentials.  The Libreswan part is
> no problem, but I can't figure out how to direct traffic originating
> from the LAN to the relevant other locations using SNAT (through the
> IPSec gateway), and, in the reverse direction.
> 
> Ideally I'd like the VPN to have its own class C IPs with -static- (or
> known) addresses, so they are predictable, although I don't know how to
> do this.  Also I'd like all IPSec traffic to/from the LAN to go through
> the IPSec gateway, although I don't know how to do this with Shorewall.
> 
> Chances are good I can get any Libreswan questions answered by others,
> but it's the DNAT and SNAT issues that I can't sort out from the docs
> for this use-case.

There is no Shorewall configuration required for this. Presumably, you
are assigning an address from a reserved subnet to IPSEC clients
(rightsourceip=... in a Strongswan ipsec.conf). Simply route traffic to
those IP addresses to the IPSEC endpoint VM. If you do that, you won't
need the SNAT rule I gave you.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

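As an added illustration of Tom's point (this is not code from the thread,
from Shorewall or from Libreswan), the following Python models the
forwarding decision a LAN host makes for a packet addressed to a
road-warrior client, with and without a static route for the client pool
pointing at the IPsec VM. All addresses (192.168.1.0/24 LAN, router at
.1, Libreswan VM at .2, client pool 10.99.0.0/24) are assumptions made
up for the example. The "before" table is why the SNAT rule was needed:
replies from LAN hosts to a client address follow the default route to
the WAN router instead of returning to the tunnel endpoint, so the IPsec
VM had to masquerade the client as itself. With the pool routed to the
IPsec VM the path is symmetric and the client's real address stays
visible to LAN hosts, which also makes per-client Shorewall rules
possible. The overlap check covers the common mistake of carving the
pool out of the LAN subnet itself.

```python
"""Forwarding-decision model: routing a VPN client pool to the IPsec VM.

Simulates the longest-prefix-match lookup a LAN host performs for a
packet to a road-warrior client, before and after the static route Tom
recommends.  Every address here is constructed for the example and is
an assumption, not a value taken from the mailing-list thread.
"""
import ipaddress

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed topology (assumptions, not values from the thread)
LAN = Net("192.168.1.0/24")        # the KVM guests' LAN
ROUTER = IPv4("192.168.1.1")       # WAN router VM, LAN hosts' default gateway
IPSEC_GW = IPv4("192.168.1.2")     # Libreswan VM, tunnel endpoint
VPN_POOL = Net("10.99.0.0/24")     # reserved subnet handed out to IPsec clients


def next_hop(table, dst):
    """Longest-prefix match, as the kernel FIB does it.

    table is a list of (prefix, next_hop) where next_hop is None for a
    directly connected network.  Returns the winning (prefix, next_hop).
    """
    dst = IPv4(dst)
    matches = [(net, via) for net, via in table if dst in net]
    if not matches:
        raise ValueError(f"no route to {dst}")
    return max(matches, key=lambda route: route[0].prefixlen)


def lan_host_table(pool_routed):
    """Routing table of an ordinary LAN host.

    Always: connected LAN plus a default route via the WAN router VM.
    With pool_routed=True: the static route Tom describes, sending the
    client pool to the IPsec VM.
    """
    table = [(LAN, None), (Net("0.0.0.0/0"), ROUTER)]
    if pool_routed:
        table.append((VPN_POOL, IPSEC_GW))
    return table


def reply_reaches_tunnel(table, client_ip):
    """True if a LAN host's reply to client_ip is forwarded to the IPsec VM.

    When this is False the return path is asymmetric: the reply leaves via
    the WAN router, which is exactly what the SNAT workaround papered over.
    """
    _, via = next_hop(table, client_ip)
    return via == IPSEC_GW


def pool_is_usable(pool, lan):
    """A pool overlapping the LAN cannot be routed to the IPsec VM: hosts
    would treat those addresses as on-link and ARP for them instead of
    forwarding to the gateway."""
    return not pool.overlaps(lan)


if __name__ == "__main__":
    client = "10.99.0.7"   # constructed client address from the pool
    for routed in (False, True):
        table = lan_host_table(routed)
        prefix, via = next_hop(table, client)
        print(f"pool routed={routed}: {client} -> {prefix} via {via}; "
              f"symmetric={reply_reaches_tunnel(table, client)}")
    print("pool overlaps LAN:", not pool_is_usable(VPN_POOL, LAN))
```

On a real host the "after" table corresponds to `ip route add
10.99.0.0/24 via 192.168.1.2` on the WAN router VM and on any LAN host
that should reach clients without an ICMP redirect from the router; in
Libreswan the pool itself is set with `rightaddresspool=` (assumed here
to be the Libreswan counterpart of the strongSwan `rightsourceip=` Tom
mentions). `ip route get 10.99.0.7` on a LAN host is the quick check that
the next hop is the IPsec VM and not the router.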

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
