On 11/18/20 12:07 PM, shorew...@iotti.biz wrote:
> Hi all
> 
> I have a shorewall based firewall connected to a remote site via an IPsec
> tunnel. Everything is ok with it. I just report some config lines, omitting
> the details for the sake of simplicity (at least for now).
> Zones:
> ipsec   ipv4
> loc     ipv4
> net     ipv4
> 
> hosts:
> ipsec   $FOFW_IF:172.21.0.0/24               ipsec
> 
> policy:
> loc   ipsec   ACCEPT
> 
> And as I said, I can access the ipsec zone from loc.
> 
> Now with the isolation needs, I built a new openvpn vpn, to make my roaming
> users connect from their home. I would like the traffic to flow from this
> openvpn vpn to the loc site, be masqueraded and then forwarded to the
> previous ipsec tunnels.
> 
> So I made:
> Zones:
> ovpn  ipv4
> 
> interfaces:
> ovpn  $OVPN_IF
> 
> policy:
> ovpn  ipsec   ACCEPT
> 
> plus a row in masq which masquerades the traffic (yes, on this box I still
> use masq and not snat, pls forgive me:).
> 
> Now, my traffic is blocked with a log line like this:
> Nov 18 18:18:45 fw1 kernel: Shorewall:ovpn-net:REJECT:IN=tun0 OUT=bond0 MAC= SRC=192.168.32.66 DST=172.21.0.122
> 
> I expected to see ovpn-ipsec:REJECT, not ovpn-net:REJECT (i.e. I expected
> not to have any reject, for the policy ACCEPT I made, but I expected to have
> traffic flow from ovpn to ipsec, and not from ovpn to net).
> 
> Having a look at shorewall show, I see two lines:
> 0     0 ovpn-ipsec  all  --  *      bond0.5  0.0.0.0/0            172.21.0.0/23      policy match dir out pol ipsec
> 4   240 ovpn-net    all  --  *      bond0.5  0.0.0.0/0            0.0.0.0/0          policy match dir out pol none
> 
> It seems that the problem is in the "pol ipsec" in the first line, which
> does not apply to traffic from the ovpn zone. I can allow traffic in rules
> from ovpn to net:172.21.0.0/24 (the remote ipsec connected lan) but I just
> wonder if there is some better solution involving traffic from ovpn to
> ipsec.
> 

You need to include the ovpn subnet in your ipsec configuration in the
same way as you include your local subnet.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                      \________________________________________
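To make the zone lookup concrete, here is a small added Python model (not Shorewall code and not from the thread) of how the two FORWARD rules in the `shorewall show` output classify a packet: the ipsec zone is hit only when the destination is inside the hosts entry and an outbound xfrm policy covers the pre-NAT source, otherwise the packet falls through to net. The local LAN prefix 10.0.0.0/24, the loc interface name and the 192.168.32.0/24 OpenVPN pool are assumptions; the reply's fix is modelled by adding that pool as a second tunnel selector.

```python
import ipaddress

# Constructed data modelling the box in the thread. LOC_SUBNET is an assumption:
# the thread never gives the local LAN prefix. REMOTE_SUBNET is the hosts-file
# entry for the ipsec zone and OVPN_SUBNET is inferred from SRC=192.168.32.66.
LOC_SUBNET = "10.0.0.0/24"
REMOTE_SUBNET = "172.21.0.0/24"
OVPN_SUBNET = "192.168.32.0/24"
SRC_ZONE_BY_IFACE = {"tun0": "ovpn", "eth1": "loc"}   # eth1 for loc is assumed

# Outbound xfrm policies as (source selector, destination selector). Before the
# fix only the local LAN is a tunnel endpoint; after the fix the OpenVPN pool
# is added as well, which is what the reply asks for.
POLICIES_BEFORE = [(LOC_SUBNET, REMOTE_SUBNET)]
POLICIES_AFTER = [(LOC_SUBNET, REMOTE_SUBNET), (OVPN_SUBNET, REMOTE_SUBNET)]


def xfrm_pol_out(policies, src, dst):
    """What 'policy match dir out' sees in FORWARD: the pre-NAT source and the
    destination are checked against the outbound selectors. MASQUERADE runs
    later, in POSTROUTING, so it cannot change this result."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_sel, dst_sel in policies:
        if s in ipaddress.ip_network(src_sel) and d in ipaddress.ip_network(dst_sel):
            return "ipsec"
    return "none"


def dest_zone(policies, src, dst):
    """Mimic the two FORWARD rules from 'shorewall show': the ipsec zone needs
    both the hosts-file subnet and 'pol ipsec'; anything else leaving that
    interface matches 'pol none' and lands in net."""
    in_ipsec_hosts = ipaddress.ip_address(dst) in ipaddress.ip_network(REMOTE_SUBNET)
    if in_ipsec_hosts and xfrm_pol_out(policies, src, dst) == "ipsec":
        return "ipsec"
    return "net"


def chain_name(policies, in_iface, src, dst):
    """Source zone from the inbound interface, destination zone as above; the
    pair is what shows up in the Shorewall:<zone>-<zone> log prefix."""
    return f"{SRC_ZONE_BY_IFACE[in_iface]}-{dest_zone(policies, src, dst)}"


if __name__ == "__main__":
    pkt = ("tun0", "192.168.32.66", "172.21.0.122")   # from the thread's log line
    print("before:", chain_name(POLICIES_BEFORE, *pkt))  # ovpn-net
    print("after: ", chain_name(POLICIES_AFTER, *pkt))   # ovpn-ipsec
```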
