Hi all,

I have a Shorewall based firewall connected to a remote site via an IPsec tunnel. Everything is OK with it. I just report some config lines, omitting the details for the sake of simplicity (at least for now).

Zones:
    ipsec   ipv4
    loc     ipv4
    net     ipv4

hosts:
    ipsec   $FOFW_IF:172.21.0.0/24   ipsec

policy:
    loc     ipsec   ACCEPT

And as I said, I can access the ipsec zone from loc.

Now with the isolation needs, I built a new OpenVPN VPN, to make my roaming users connect from their home. I would like the traffic to flow from this OpenVPN VPN to the loc site, be masqueraded and then forwarded to the previous IPsec tunnels. So I made:

Zones:
    ovpn    ipv4

interfaces:
    ovpn    $OVPN_IF

policy:
    ovpn    ipsec   ACCEPT

plus a row in masq which masquerades the traffic (yes, on this box I still use masq and not snat, pls forgive me :).

Now, my traffic is blocked with a log line like this:

    Nov 18 18:18:45 fw1 kernel: Shorewall:ovpn-net:REJECT:IN=tun0 OUT=bond0 MAC= SRC=192.168.32.66 DST=172.21.0.122

I expected to see ovpn-ipsec:REJECT, not ovpn-net:REJECT (i.e. I expected not to have any reject, for the policy ACCEPT I made, but I expected to have traffic flow from ovpn to ipsec, and not from ovpn to net).

Having a look at shorewall show, I see two lines:

    0   0    ovpn-ipsec  all  --  *  bond0.5  0.0.0.0/0  172.21.0.0/23  policy match dir out pol ipsec
    4   240  ovpn-net    all  --  *  bond0.5  0.0.0.0/0  0.0.0.0/0      policy match dir out pol none

It seems that the problem is in the "pol ipsec" in the first line, which does not apply to traffic from the ovpn zone. I can allow traffic in rules from ovpn to net:172.21.0.0/24 (the remote IPsec connected LAN) but I just wonder if there is some better solution involving traffic from ovpn to ipsec.

Thank you all, thanks Tom for your great software,
best regards
Luigi
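As an added illustration (not part of Luigi's post nor Shorewall's own code), this Python script parses the two `shorewall show` lines and the kernel log line quoted above and replays netfilter's first-match walk, so you can see why the packet lands in ovpn-net rather than ovpn-ipsec. It assumes that the kernel's IPsec policy lookup for the forwarded packet is done with the pre-masquerade OpenVPN source (so `pol ipsec` does not match) and it ignores the OUT interface column, since the quoted lines show bond0 in the log and bond0.5 in the rules.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed from the post: the two FORWARD rules seen in `shorewall show`
# (columns: pkts bytes target prot opt in out source destination extra).
SHOREWALL_SHOW = """
0   0   ovpn-ipsec all -- * bond0.5 0.0.0.0/0 172.21.0.0/23 policy match dir out pol ipsec
4 240   ovpn-net   all -- * bond0.5 0.0.0.0/0 0.0.0.0/0     policy match dir out pol none
"""
# The rejected packet, as logged by the kernel (copied from the post).
LOG_LINE = ("Nov 18 18:18:45 fw1 kernel: Shorewall:ovpn-net:REJECT:IN=tun0 OUT=bond0 "
            "MAC= SRC=192.168.32.66 DST=172.21.0.122")

def parse_rules(text):
    """Turn flattened `shorewall show` rule lines into dicts; unknown lines are skipped."""
    rules = []
    for line in text.strip().splitlines():
        cols = line.split(None, 9)            # 9 fixed columns, the rest is the match text
        if len(cols) < 9:
            continue
        extra = cols[9] if len(cols) > 9 else ""
        pol = re.search(r"policy match dir out pol (\w+)", extra)
        rules.append({"target": cols[2], "src": ip_network(cols[7]), "dst": ip_network(cols[8]),
                      "pol": pol.group(1) if pol else None})
    return rules

def parse_log(line):
    """Extract chain, action and packet fields from a Shorewall kernel log line."""
    chain, action = re.search(r"Shorewall:([^:]+):([^:]+):", line).groups()
    fields = {}
    for tok in line.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key.rsplit(":", 1)[-1]] = val   # "Shorewall:...:IN=tun0" -> IN
    return {"chain": chain, "action": action, "src": ip_address(fields["SRC"]),
            "dst": ip_address(fields["DST"]), "in": fields["IN"], "out": fields["OUT"]}

def first_matching_chain(rules, pkt, xfrm_policy):
    """Walk rules in order like netfilter; xfrm_policy is what the kernel's IPsec policy
    lookup returned for this packet ('ipsec' or 'none'). Returns the target chain name."""
    for r in rules:
        if pkt["src"] not in r["src"] or pkt["dst"] not in r["dst"]:
            continue
        if r["pol"] is not None and r["pol"] != xfrm_policy:
            continue
        return r["target"]
    return None

def explain(show_text, log_line):
    """Report the chain the logged packet hit and the chain it would hit if the
    IPsec policy applied to its (pre-masquerade) source."""
    rules, pkt = parse_rules(show_text), parse_log(log_line)
    return {"logged": pkt["chain"],
            "simulated": first_matching_chain(rules, pkt, "none"),     # assumption: no SPD entry
            "if_policy_applied": first_matching_chain(rules, pkt, "ipsec")}

if __name__ == "__main__":
    print(explain(SHOREWALL_SHOW, LOG_LINE))
```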
