I have a tunnel up and running in a net-to-net environment. When there is no security I can ping hosts behind the gateways. Once I start Shorewall I cannot ping hosts behind the gw.

So the big question is: how/what files do I need to configure to allow all traffic between the networks?

Any help is appreciated!

+ipsec0 is the virtual interface
+I am using FC4 kernel 2.6.12.5
+Openswan 2.4.0rc4 (KLIPS)
+Shorewall 2.4.3

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
Put the ipsec0 interface into its own zone. Let's call it "ipsec". Then in policies, create a rule like this:

ACCEPT ipsec loc

This allows all traffic from the IPSec interface to the LAN. You may also want to create a policy like this:

ACCEPT loc ipsec

if another policy does not already allow loc to access the ipsec zone.

________________________________________
Chip Burke

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Vishal Dubey
Sent: Monday, August 29, 2005 3:06 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] securing the ipsec0 tunnel

> I have a tunnel up and running in a net-to-net environment. When there is
> no security I can ping hosts behind the gateways. Once I start Shorewall I
> cannot ping hosts behind the gw.
>
> So the big question is: how/what files do I need to configure to allow
> all traffic between the networks?
>
> +ipsec0 is the virtual interface
> +I am using FC4 kernel 2.6.12.5
> +Openswan 2.4.0rc4 (KLIPS)
> +Shorewall 2.4.3
Vishal Dubey wrote:
> I have a tunnel up and running in a net-to-net environment. When there is
> no security I can ping hosts behind the gateways. Once I start Shorewall I
> cannot ping hosts behind the gw.
>
> So the big question is: how/what files do I need to configure to allow
> all traffic between the networks?
>
> +ipsec0 is the virtual interface
> +I am using FC4 kernel 2.6.12.5
> +Openswan 2.4.0rc4 (KLIPS)
> +Shorewall 2.4.3

http://www.shorewall.net/IPSEC.htm

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Thank you for the help. I'll give it a try.

Chip Burke wrote:
> Put the ipsec0 interface into its own zone. Let's call it "ipsec". Then in
> policies, create a rule like this:
>
> ACCEPT ipsec loc
>
> This allows all traffic from the IPSec interface to the LAN. You may also
> want to create a policy like this:
>
> ACCEPT loc ipsec
>
> if another policy does not already allow loc to access the ipsec zone.
>
> ________________________________________
> Chip Burke
Thanks for the pointer to the doc.

Tom Eastep wrote:
> Vishal Dubey wrote:
>> I have a tunnel up and running in a net-to-net environment. When there is
>> no security I can ping hosts behind the gateways. Once I start Shorewall I
>> cannot ping hosts behind the gw.
>>
>> +ipsec0 is the virtual interface
>> +I am using FC4 kernel 2.6.12.5
>> +Openswan 2.4.0rc4 (KLIPS)
>> +Shorewall 2.4.3
>
> http://www.shorewall.net/IPSEC.htm
>
> -Tom
Vishal Dubey wrote:
> Thanks for the pointer to the doc.

Note that since you have an 'ipsec0' device, you need to follow the '2.4 Kernel' documentation rather than the '2.6 Kernel' instructions.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
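Putting Chip's zone suggestion and Tom's "2.4 Kernel" pointer together, here is an added example of what the Shorewall 2.4 files look like for the KLIPS/ipsec0 case. It is not from the thread or from the Shorewall project, and it makes a few assumptions: the VPN zone is named vpn rather than ipsec (to avoid confusion with the ipsec zone TYPE, which is the 2.6-kernel native-IPsec mechanism Tom says not to use here), eth0 faces the internet, eth1 is the LAN, and 192.0.2.10 is a placeholder for the remote gateway address. Note that in the policy file Shorewall's column order is SOURCE DEST POLICY, so Chip's "ACCEPT ipsec loc" is written with ACCEPT in the third column.

```text
# /etc/shorewall/zones  (Shorewall 2.4 format: ZONE TYPE OPTIONS)
# With KLIPS the decrypted packets arrive on ipsec0, so the VPN zone is an
# ordinary ipv4 zone bound to that interface (the "2.4 Kernel" method).
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces  (eth0/eth1 are assumed names)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
vpn     ipsec0      -

# /etc/shorewall/tunnels
# The tunnel itself (IKE on UDP 500, ESP, AH) still has to cross the net
# zone to the remote gateway; the "ipsec" tunnel type opens exactly that.
# 192.0.2.10 is a placeholder; use the address from Openswan's right= line.
#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   net     192.0.2.10

# /etc/shorewall/policy  (column order is SOURCE DEST POLICY LOG LEVEL)
# The two vpn lines are Chip's "ACCEPT ipsec loc" / "ACCEPT loc ipsec".
#SOURCE DEST    POLICY    LOG LEVEL
loc     vpn     ACCEPT
vpn     loc     ACCEPT
loc     net     ACCEPT
net     all     DROP      info
all     all     REJECT    info
```

Run `shorewall check` before `shorewall restart` so a column mistake is caught before the old ruleset is torn down. If the pings from behind the gateways still fail, the `info` log level makes Shorewall write a `Shorewall:<chain>:DROP:` or `:REJECT:` line to syslog for every refused packet, and the chain name (for example `net2all`) tells you which zone pair rejected it; a drop of traffic that should have arrived on ipsec0 usually means the interface is not in the vpn zone or the tunnels entry does not match the real gateway address. The policies above only cover hosts behind the gateways; if the firewall itself must reach the remote LAN, a `fw vpn ACCEPT` policy (or narrower rules in /etc/shorewall/rules) is needed as well, and if either gateway is behind NAT the tunnel type becomes `ipsecnat` so that UDP 4500 is allowed too.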