Hi,

I have an openswan server with the l2tpd daemon running in my testlab.

If I am on the intranet (local) network I can connect to the server with my Windows XP box with no probs; when I want to connect through Shorewall it gives me problems. I have worked a lot with MS IPsec/L2TP and applied the registry key/hack to support IPsec/L2TP connections over NAT.

I have looked at all VPN documents and sites on the internet but I can't figure out what rules etc. I need.

This is what I have so far (as you can see I use private IP addresses in my testlab; 192.168.0.0 I used for internet simulation):

Rules:

###################################################################
### CONFIG SETTINGS FOR VPN SERVER
###################################################################
ACCEPT  loc:10.0.0.1  net           udp  500
ACCEPT  loc:10.0.0.1  net           udp  4500
ACCEPT  loc:10.0.0.1  net           50
ACCEPT  loc:10.0.0.1  net           udp  1701

#DNAT   net           loc:10.0.0.1  tcp  22
DNAT    net           loc:10.0.0.1  udp  1701
DNAT    net           loc:10.0.0.1  udp  -     500  192.168.0.52
DNAT    net           loc:10.0.0.1  udp  4500
DNAT    net           loc:10.0.0.1  50   -     -    192.168.0.52
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

I tried the VPN doc for tunnel settings etc., add vpn zone to policy etc., but it doesn't work.

Who has the answer for me?

Thanks in advance.

Regards,
Rob
> Rules:
>
> ###################################################################
> ### CONFIG SETTINGS FOR VPN SERVER
> ###################################################################
> ACCEPT  loc:10.0.0.1  net           udp  500
> ACCEPT  loc:10.0.0.1  net           udp  4500
> ACCEPT  loc:10.0.0.1  net           50
> ACCEPT  loc:10.0.0.1  net           udp  1701
>
> #DNAT   net           loc:10.0.0.1  tcp  22
> DNAT    net           loc:10.0.0.1  udp  1701
> DNAT    net           loc:10.0.0.1  udp  -     500  192.168.0.52
> DNAT    net           loc:10.0.0.1  udp  4500
> DNAT    net           loc:10.0.0.1  50   -     -    192.168.0.52
> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
>
> I tried the VPN doc for tunnel settings etc., add vpn zone to policy etc., but it doesn't work.
>
> Who has the answer for me?

Think you need to provide all the config files and a shorewall status, before I open my yap.

Jerry
Please don't post in HTML -- gross waste of bandwidth.

Rob Mokkink wrote:
> I have an openswan server with the l2tpd daemon running in my testlab.
>
> If I am on the intranet (local) network I can connect to the server with my Windows XP box with no probs; when I want to connect through Shorewall it gives me problems.
>
> I have worked a lot with MS IPsec/L2TP and applied the registry key/hack to support IPsec/L2TP connections over NAT.
>
> I have looked at all VPN documents and sites on the internet but I can't figure out what rules etc. I need.
>
> This is what I have so far (as you can see I use private IP addresses in my testlab; 192.168.0.0 I used for internet simulation):
>
> I tried the VPN doc for tunnel settings etc., add vpn zone to policy etc., but it doesn't work.

Hardly surprising since the "VPN doc" deals only with the case where the firewall itself is the VPN end-point whereas your VPN server is *behind* the firewall.

Here is what I suggest you do.

a) "shorewall clear"

b) Add a second IP address on the firewall's external interface -- call the address $IP and the interface $IF:

   ip addr add $IP/24 brd 192.168.0.255 dev $IF

c) Be sure that the default route on the server (whose IP address is assumed to be 10.0.0.1 from your post) goes through the IP address of the firewall's internal interface (it better be doing that already).

d) On the firewall, run these two commands:

   iptables -A PREROUTING -t nat -i $IF -d $IP -j DNAT --to-dest 10.0.0.1
   iptables -A POSTROUTING -t nat -o $IF -s 10.0.0.1 -j SNAT --to-source $IP

That has established:

a) A wide open firewall (no filtering)
b) One-to-one NAT between $IP and 10.0.0.1

Now try establishing a VPN connection from an "external" client to $IP. If that doesn't work then you have problems not related to Shorewall. If that does work then use a packet sniffer like Ethereal or tcpdump to see exactly what traffic is exchanged between the hosts during connection.
I have an IPsec/L2TP client that connects to a remote server through NAT but I don't have a server here locally so I can't reproduce your scenario exactly. My own tests show though that all the traffic is UDP to ports 500 and 4500, so at most four Shorewall rules should be required (two if the loc->net policy is ACCEPT).

DNAT    net           loc:10.0.0.1  udp  500
DNAT    net           loc:10.0.0.1  udp  4500
ACCEPT  loc:10.0.0.1  net           udp  500
ACCEPT  loc:10.0.0.1  net           udp  4500

If you have those rules in place and things still don't work then you are going to have to follow Jerry's advice and send us config and status information, because the problem isn't with the rules but somewhere else in your configuration.

-Tom
--
Tom Eastep          \ Nothing is foolproof to a sufficiently talented fool
Shoreline,          \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
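As an added example (not code from the thread or from the Shorewall project), the linter below parses rules entries in the classic seven-column Shorewall layout assumed here (ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST, with "-" meaning "any") and checks them against the four rules Tom lists for an IPsec/L2TP server behind the firewall. Run over the rules posted at the top of the thread, it reports that no DNAT rule has destination port udp/500 and that the entry written as "udp - 500 192.168.0.52" has its 500 in the SOURCE PORT column, which matches the client's source port rather than the IKE port on the server. The server address 10.0.0.1 and the sample rules come from the thread; the column layout and the check logic are this example's own assumptions.

```python
"""Added example: a small linter for Shorewall-style 'rules' entries that
checks for the four entries Tom lists for an IPsec/L2TP server behind the
firewall. Not Shorewall's own code; it assumes the classic seven-column
rules layout: ACTION SOURCE DEST PROTO DEST-PORT SOURCE-PORT ORIGINAL-DEST.
"""
from dataclasses import dataclass

COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: str = "-"
    dport: str = "-"
    sport: str = "-"
    origdest: str = "-"


def parse_rules(text: str) -> list:
    """Parse rule lines; '#' starts a comment, '-' means 'any' in a column."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"rule needs at least ACTION SOURCE DEST: {raw!r}")
        # Pad missing trailing columns with '-' (any) and ignore extras.
        fields = (fields + ["-"] * len(COLUMNS))[: len(COLUMNS)]
        rules.append(Rule(*fields))
    return rules


# The four rules from Tom's reply, for the VPN server at 10.0.0.1 (from the thread).
SERVER = "loc:10.0.0.1"
REQUIRED = (
    ("DNAT", "net", SERVER, "udp", "500"),     # IKE
    ("DNAT", "net", SERVER, "udp", "4500"),    # NAT-T (UDP-encapsulated ESP)
    ("ACCEPT", SERVER, "net", "udp", "500"),   # only needed if loc->net is not ACCEPT
    ("ACCEPT", SERVER, "net", "udp", "4500"),
)


def _matches(rule: Rule, action, source, dest, proto, dport) -> bool:
    return (rule.action == action and rule.source == source and rule.dest == dest
            and rule.proto.lower() == proto and rule.dport == dport)


def missing_rules(rules, loc_to_net_accept: bool = False) -> list:
    """Return the required rules that are not present. With an ACCEPT
    loc->net policy the two ACCEPT rules are redundant and are not reported."""
    return [req for req in REQUIRED
            if not (loc_to_net_accept and req[0] == "ACCEPT")
            and not any(_matches(r, *req) for r in rules)]


def port_in_source_column(rules) -> list:
    """Rules whose DEST PORT is '-' but SOURCE PORT is set: such a rule matches
    on the client's source port, not on the service port on the server."""
    return [r for r in rules if r.dport == "-" and r.sport != "-"]


# Constructed sample: the rules as posted at the top of the thread.
POSTED = """\
ACCEPT loc:10.0.0.1 net udp 500
ACCEPT loc:10.0.0.1 net udp 4500
ACCEPT loc:10.0.0.1 net 50
ACCEPT loc:10.0.0.1 net udp 1701
#DNAT net loc:10.0.0.1 tcp 22
DNAT net loc:10.0.0.1 udp 1701
DNAT net loc:10.0.0.1 udp - 500 192.168.0.52
DNAT net loc:10.0.0.1 udp 4500
DNAT net loc:10.0.0.1 50 - - 192.168.0.52
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

if __name__ == "__main__":
    rules = parse_rules(POSTED)
    for req in missing_rules(rules):
        print("missing:", " ".join(req))
    for r in port_in_source_column(rules):
        print("port in SOURCE PORT column:", r)
```

Feeding Tom's four rules through the same functions reports nothing missing; with loc_to_net_accept=True only the two DNAT rules are required, matching his "two if the loc->net policy is ACCEPT".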