Hi, I have a fedora32 system with a libreswan IPsec server with shorewall-5.2.3.5 and am having some trouble configuring it to support connections from a Windows IPsec VPN. The Windows client connects properly, but it cannot communicate with the local network.

I already have a host-to-gateway VPN using libreswan between this server and another Linux host working properly, but the Windows client is configured differently with libreswan, so it needs to connect to a different network. The network looks like this:

  Internet -> orion (68.195.111.42) -> internal network 1 (192.168.1.0/24) -> internal network 2 (192.168.6.0/24)

Internal network 2 is the network used for the Windows clients. I'd like to be able to connect these clients to internal network 1. I can currently ping internal network 2 from a Windows client connected to the libreswan server. When trying to ping internal network 1 from the Windows client, there is no response, and using tcpdump appears to show no traffic. The external interface on the server is br0 and internal network 2 is on eth1:2.

Is it necessary to add the eth1:2 interface (or just eth1) to the hosts file for the VPN? Also, if I start shorewall before bringing up the VPN for the client, how are the rules for it created?
# ip route
default via 68.195.111.41 dev br0
68.195.111.40/29 dev br0 proto kernel scope link src 68.195.111.42
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
192.168.6.0/24 dev eth1 proto kernel scope link src 192.168.6.1
192.168.6.2 dev br0 scope link
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

/etc/shorewall/tunnels
ipsec   ext   0.0.0.0/0

# cat policy|grep vpn
vpn   vpn   ACCEPT
int   vpn   ACCEPT
vpn   int   ACCEPT
fw    vpn   ACCEPT
vpn   fw    ACCEPT
vpn   ext   ACCEPT
ext   vpn   ACCEPT

/etc/shorewall/zones
vpn   ipsec   mode=tunnel   mss=1400

/etc/shorewall/hosts
vpn   br0:0.0.0.0/0   ipsec

# shorewall show ip
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    altname enp5s0f1
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 192.168.6.1/24 brd 192.168.6.255 scope global eth1:2
       valid_lft forever preferred_lft forever
    inet 192.168.1.2/24 brd 192.168.1.255 scope global secondary eth1:0
       valid_lft forever preferred_lft forever
    inet 192.168.1.100/24 brd 192.168.1.255 scope global secondary eth1:1
       valid_lft forever preferred_lft forever
    inet 192.168.1.101/24 brd 192.168.1.255 scope global secondary eth1:3
       valid_lft forever preferred_lft forever
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    inet 68.195.111.42/29 brd 68.195.111.47 scope global br0
       valid_lft forever preferred_lft forever
    inet 68.195.193.44/29 brd 68.195.111.47 scope global secondary br0:0
       valid_lft forever preferred_lft forever
6: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

# shorewall show ipsec
src 192.168.6.0/24 dst 192.168.6.2/32
    uid 0
    dir out action allow index 32617 priority 2084799 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2021-01-07 10:43:55 use 2021-01-07 10:45:13
    tmpl src 68.195.111.42 dst 172.58.238.253
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.6.2/32 dst 192.168.6.0/24
    uid 0
    dir fwd action allow index 32610 priority 2084799 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2021-01-07 10:43:55 use -
    tmpl src 172.58.238.253 dst 68.195.111.42
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.6.2/32 dst 192.168.6.0/24
    uid 0
    dir in action allow index 32600 priority 2084799 ptype main share any flag (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2021-01-07 10:43:55 use 2021-01-07 10:45:13
    tmpl src 172.58.238.253 dst 68.195.111.42
        proto esp spi 0x00000000(0) reqid 16417(0x00004021) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.58.238.253 dst 68.195.111.42
    proto esp spi 0xc1163130(3239457072) reqid 16417(0x00004021) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    encap type espinudp sport 27040 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x4, oseq 0x0, bitmap 0x0000000f
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      240(bytes), 4(packets)
      add 2021-01-07 10:43:55 use 2021-01-07 10:45:10
    stats:
      replay-window 0 replay 0 failed 0
src 68.195.111.42 dst 172.58.238.253
    proto esp spi 0x273a4da8(658132392) reqid 16417(0x00004021) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    encap type espinudp sport 4500 dport 27040 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x4, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      240(bytes), 4(packets)
      add 2021-01-07 10:43:55 use 2021-01-07 10:45:10
    stats:
      replay-window 0 replay 0 failed 0

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
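An added example (not code from the post, nor from Shorewall or libreswan): a small Python parser for the `ip xfrm`-style output that `shorewall show ipsec` prints, with a check of which SPD entries cover a given flow. Run on a trimmed copy of the dump above, the only selectors it finds are 192.168.6.0/24 <-> 192.168.6.2/32, so a forwarded packet from the client to an address in 192.168.1.0/24 matches no policy entry; the sample input and the 192.168.1.10 address used for that check are constructed.

```python
# Parser for the `ip xfrm`-style dump printed by `shorewall show ipsec`, with a
# check of which SPD entries cover a given src/dst/direction.
import ipaddress
import re
# Constructed sample: trimmed copy of the dump in the post (selector, dir,
# tmpl endpoints, spi and counters only; other fields are not read here).
SAMPLE = """\
src 192.168.6.0/24 dst 192.168.6.2/32
\tdir out priority 2084799 ptype main
\ttmpl src 68.195.111.42 dst 172.58.238.253 proto esp reqid 16417 mode tunnel
src 192.168.6.2/32 dst 192.168.6.0/24
\tdir fwd priority 2084799 ptype main
\ttmpl src 172.58.238.253 dst 68.195.111.42 proto esp reqid 16417 mode tunnel
src 192.168.6.2/32 dst 192.168.6.0/24
\tdir in priority 2084799 ptype main
\ttmpl src 172.58.238.253 dst 68.195.111.42 proto esp reqid 16417 mode tunnel
src 172.58.238.253 dst 68.195.111.42 proto esp spi 0xc1163130 reqid 16417 mode tunnel lifetime current: 240(bytes), 4(packets)
src 68.195.111.42 dst 172.58.238.253 proto esp spi 0x273a4da8 reqid 16417 mode tunnel lifetime current: 240(bytes), 4(packets)
"""

def parse_xfrm(text):
    """Group lines into records (each starts with an unindented 'src' line); return (policies, states)."""
    records, policies, states = [], [], []
    for line in text.splitlines():
        if line.startswith("src "):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    for rec in records:
        m = re.match(r"src (\S+) dst (\S+)", rec)
        entry = {"src": m.group(1), "dst": m.group(2)}
        if " dir " in rec:  # SPD entry: selector, direction, tunnel template
            entry["dir"] = re.search(r"\bdir (\w+)", rec).group(1)
            t = re.search(r"tmpl src (\S+) dst (\S+)", rec)
            entry["tmpl"] = (t.group(1), t.group(2))
            policies.append(entry)
        else:               # SAD entry: one SA with its SPI and counters
            entry["spi"] = re.search(r"spi (0x[0-9a-fA-F]+)", rec).group(1)
            c = re.search(r"lifetime current: (\d+)\(bytes\), (\d+)\(packets\)", rec)
            entry["bytes"], entry["packets"] = int(c.group(1)), int(c.group(2))
            states.append(entry)
    return policies, states

def covering_policies(policies, src_ip, dst_ip, direction):
    """Return the SPD entries whose direction and selectors match a packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies if p["dir"] == direction
            and s in ipaddress.ip_network(p["src"], strict=False)
            and d in ipaddress.ip_network(p["dst"], strict=False)]
```

Feeding the full output of `ip xfrm policy` and `ip xfrm state` to `parse_xfrm` works the same way, since the parser only keys on the unindented `src` lines and the fields shown.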