On 11/18/20 12:07 PM, shorew...@iotti.biz wrote:
> Hi all
>
> I have a shorewall based firewall connected to a remote site via an IPsec tunnel. Everything is ok with it. I just report some config lines, omitting the details for the sake of simplicity (at least for now).
>
> Zones:
> ipsec ipv4
> loc ipv4
> net ipv4
>
> hosts:
> ipsec $FOFW_IF:172.21.0.0/24 ipsec
>
> policy:
> loc ipsec ACCEPT
>
> And as I said, I can access the ipsec zone from loc.
>
> Now with the isolation needs, I built a new openvpn vpn, to make my roaming users connect from their home. I would like the traffic to flow from this openvpn vpn to the loc site, be masqueraded and then forwarded to the previous ipsec tunnels.
>
> So I made:
>
> Zones:
> ovpn ipv4
>
> interfaces:
> ovpn $OVPN_IF
>
> policy:
> ovpn ipsec ACCEPT
>
> plus a row in masq which masquerades the traffic (yes, on this box I still use masq and not snat, pls forgive me:).
>
> Now, my traffic is blocked with a log line like this:
> Nov 18 18:18:45 fw1 kernel: Shorewall:ovpn-net:REJECT:IN=tun0 OUT=bond0 MAC= SRC=192.168.32.66 DST=172.21.0.122
>
> I expected to see ovpn-ipsec:REJECT, not ovpn-net:REJECT (i.e. I expected not to have any reject, for the policy ACCEPT I made, but I expected to have traffic flow from ovpn to ipsec, and not from ovpn to net).
>
> Having a look at shorewall show, I see two lines:
> 0 0 ovpn-ipsec all -- * bond0.5 0.0.0.0/0 172.21.0.0/23 policy match dir out pol ipsec
> 4 240 ovpn-net all -- * bond0.5 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
>
> It seems that the problem is in the "pol ipsec" in the first line, which does not apply to traffic from the ovpn zone. I can allow traffic in rules from ovpn to net:172.21.0.0/24 (the remote ipsec connected lan) but I just wonder if there is some better solution involving traffic from ovpn to ipsec.
You need to include the ovpn subnet in your ipsec configuration in the same way as you include your local subnet.

-Tom
--
Tom Eastep           \ Q: What do you get when you cross a mobster
Shoreline,            \ with an international standard?
Washington, USA        \ A: Someone who makes you an offer you
http://shorewall.org    \ can't understand
                         \________________________________________
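The chain selection in the thread hinges on the `policy match dir out pol ipsec` test: Shorewall's ovpn-ipsec chain only matches if the kernel's outbound IPsec policy database (SPD) already has a selector covering the packet's source and destination, and that lookup happens in FORWARD, before the masq rule in POSTROUTING rewrites the source. The following model is an added example, not code from the thread or from Shorewall; it assumes a constructed loc subnet of 10.0.0.0/24 (the post does not give it) and an ovpn subnet of 192.168.32.0/24 inferred from the logged SRC address, and it shows why the roaming client lands in ovpn-net until its subnet is added to the IPsec selectors.

```python
import ipaddress
from typing import List, NamedTuple


class SpdEntry(NamedTuple):
    """One outbound IPsec policy selector (source subnet -> destination subnet)."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# Values from the post: the remote LAN behind the tunnel (hosts: ipsec $FOFW_IF:172.21.0.0/24 ipsec).
REMOTE_LAN = ipaddress.ip_network("172.21.0.0/24")
# Constructed assumption: the local subnet is not stated in the thread.
LOC_LAN = ipaddress.ip_network("10.0.0.0/24")
# Constructed assumption: derived from SRC=192.168.32.66 in the logged packet.
OVPN_LAN = ipaddress.ip_network("192.168.32.0/24")

# SPD as it stands in the post: only loc <-> remote is protected by IPsec.
SPD_BEFORE: List[SpdEntry] = [SpdEntry(LOC_LAN, REMOTE_LAN)]
# SPD after following the reply: the ovpn subnet gets the same selector as loc.
SPD_AFTER: List[SpdEntry] = SPD_BEFORE + [SpdEntry(OVPN_LAN, REMOTE_LAN)]


def xfrm_policy_lookup(spd: List[SpdEntry], src: str, dst: str) -> str:
    """Model of the outbound SPD lookup behind 'policy match dir out'.

    Returns 'ipsec' if some selector covers (src, dst), else 'none'.
    The lookup sees the pre-NAT source, because FORWARD runs before the
    POSTROUTING masquerade, so masq cannot make an ovpn client look like loc.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in spd:
        if s in entry.src and d in entry.dst:
            return "ipsec"
    return "none"


def shorewall_chain(spd: List[SpdEntry], src_zone: str, src: str, dst: str) -> str:
    """Pick the zone-pair chain the way the two 'shorewall show' lines do.

    The ipsec-zone chain is tried first and needs pol ipsec plus a destination
    inside the hosts entry; otherwise the catch-all chain to net matches.
    """
    pol = xfrm_policy_lookup(spd, src, dst)
    if pol == "ipsec" and ipaddress.ip_address(dst) in REMOTE_LAN:
        return f"{src_zone}-ipsec"
    return f"{src_zone}-net"


def explain_log_line() -> dict:
    """Reproduce the logged packet (SRC=192.168.32.66 DST=172.21.0.122) before and after the fix."""
    src, dst = "192.168.32.66", "172.21.0.122"
    return {
        "loc_client_before": shorewall_chain(SPD_BEFORE, "loc", "10.0.0.5", dst),
        "ovpn_client_before": shorewall_chain(SPD_BEFORE, "ovpn", src, dst),
        "ovpn_client_after": shorewall_chain(SPD_AFTER, "ovpn", src, dst),
    }


if __name__ == "__main__":
    for case, chain in explain_log_line().items():
        print(f"{case}: {chain}")
```

Run as-is, the model prints loc-ipsec for a loc host, ovpn-net for the roaming client against the original SPD (matching the Shorewall:ovpn-net:REJECT line), and ovpn-ipsec once the ovpn subnet has its own selector; the real check on the firewall is the same lookup, `ip xfrm policy`, which must list a selector whose src covers the OpenVPN client addresses.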
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users