hi all,

i think i have a beginner's problem and hope you can help me out.

my box connects to two different vpns. both connections are established.
the one connection has a leftsubnet of 192.168.0.0/24 which matches a physical network on device eth2 (192.168.0.1).

the other one is the problem now.

to connect, the vpn server (watchguard) expects 10.106.121.0 for the leftsubnet. I don't have any interface in that network.

how do i tackle this? do i need a virtual device?

thanks,
hlux

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
hans lux wrote:
> hi all,
>
> i think i have a beginner's problem and hope you can help me out.
>
> my box connects to two different vpns. both connections are established.
> the one connection has a leftsubnet of 192.168.0.0/24 which matches a physical network on device eth2 (192.168.0.1)
>
> the other one is the problem now.
>
> to connect, the vpn server (watchguard) expects 10.106.121.0 for the leftsubnet. I don't have any interface in that network.
>
> how do i tackle this? do i need a virtual device?

Does this question have anything to do with Shorewall? If so, I suspect that the article you need is http://www.shorewall.net/IPSEC-2.6.html.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> hans lux wrote:
>> hi all,
>>
>> i think i have a beginner's problem and hope you can help me out.
>>
>> my box connects to two different vpns. both connections are established.
>> the one connection has a leftsubnet of 192.168.0.0/24 which matches a physical network on device eth2 (192.168.0.1)
>>
>> the other one is the problem now.
>>
>> to connect, the vpn server (watchguard) expects 10.106.121.0 for the leftsubnet. I don't have any interface in that network.
>>
>> how do i tackle this? do i need a virtual device?
>
> Does this question have anything to do with Shorewall? If so, I suspect that the article you need is http://www.shorewall.net/IPSEC-2.6.html.
>
> -Tom
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users

thanks for your response tom.

i've read that article but can't find the problem i have in there.

at the moment i have the following situation

  eth0   = inet
  eth2   = local (192.168.0.0/24) ------ tunnel ----- 192.168.33.0/24
  eth2:0 = local (10.106.121.0)   ----- tunnel ------ 10.106.99.0/24

now i need to access the 10.106.99.0/24 from the 192.168.0.0/24.

i tried masquerading, but the message i get is

  kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 SRC=192.168.0.15 DST=10.106.99.31

do you have any ideas?

thanks
hlux
On Tue, 2007-03-04 at 17:34 +0200, hans lux wrote:
> i've read that article but can't find the problem i have in there.

That's probably because this is not a shorewall problem.

> at the moment i have the following situation
>
>   eth0   = inet
>   eth2   = local (192.168.0.0/24) ------ tunnel ----- 192.168.33.0/24
>   eth2:0 = local (10.106.121.0)   ----- tunnel ------ 10.106.99.0/24
>
> now i need to access the 10.106.99.0/24 from the 192.168.0.0/24.

This is a routing problem and nothing to do with shorewall I think.

Have you tried this configuration without activating your shorewall rules first to prove that it's a shorewall problem? There is nothing about filtering or natting that should be needed to make this work. It's all in the routing.

b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell
Brian J. Murrell wrote:
> On Tue, 2007-03-04 at 17:34 +0200, hans lux wrote:
>> i've read that article but can't find the problem i have in there.
>
> That's probably because this is not a shorewall problem.
>
>> at the moment i have the following situation
>>
>>   eth0   = inet
>>   eth2   = local (192.168.0.0/24) ------ tunnel ----- 192.168.33.0/24
>>   eth2:0 = local (10.106.121.0)   ----- tunnel ------ 10.106.99.0/24
>>
>> now i need to access the 10.106.99.0/24 from the 192.168.0.0/24.
>
> This is a routing problem and nothing to do with shorewall I think.
>
> Have you tried this configuration without activating your shorewall rules first to prove that it's a shorewall problem? There is nothing about filtering or natting that should be needed to make this work. It's all in the routing.

The log message in Hans's post indicates that the Shorewall zone definition is incorrect. See Shorewall FAQ 17. I suspect that eth2 needs an ipsec zone defined on it in addition to an ipv4 zone.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Brian J. Murrell wrote:
>> On Tue, 2007-03-04 at 17:34 +0200, hans lux wrote:
>>> i've read that article but can't find the problem i have in there.
>> That's probably because this is not a shorewall problem.
>>
>>> at the moment i have the following situation
>>>
>>>   eth0   = inet
>>>   eth2   = local (192.168.0.0/24) ------ tunnel ----- 192.168.33.0/24
>>>   eth2:0 = local (10.106.121.0)   ----- tunnel ------ 10.106.99.0/24
>>>
>>> now i need to access the 10.106.99.0/24 from the 192.168.0.0/24.
>> This is a routing problem and nothing to do with shorewall I think.
>>
>> Have you tried this configuration without activating your shorewall rules first to prove that it's a shorewall problem? There is nothing about filtering or natting that should be needed to make this work. It's all in the routing.
>
> The log message in Hans's post indicates that the Shorewall zone definition is incorrect. See Shorewall FAQ 17. I suspect that eth2 needs an ipsec zone defined on it in addition to an ipv4 zone.

Or it may simply be missing the routeback option.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
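The log line Hans quoted and the two diagnoses Tom gives above (a missing routeback option, or a separate ipsec zone on eth2) can be checked mechanically. The following is an added example, not code from the thread or from Shorewall: it parses Shorewall's netfilter log prefix and flags a rejected forward whose IN and OUT interface are the same (a hairpin). The second sample line and the TEST-NET address in it are constructed for contrast.

```python
import ipaddress
import re

# Constructed input: the first line is the one quoted in the thread, the
# second is a made-up contrast case (TEST-NET source, different in/out).
SAMPLE_LOGS = [
    "kernel: Shorewall:FORWARD:REJECT:IN=eth2 OUT=eth2 "
    "SRC=192.168.0.15 DST=10.106.99.31",
    "kernel: Shorewall:net2loc:DROP:IN=eth0 OUT=eth2 "
    "SRC=203.0.113.7 DST=192.168.0.15",
]

# Remote VPN subnets as given in the thread's diagram.
VPN_REMOTE_NETS = [ipaddress.ip_network("192.168.33.0/24"),
                   ipaddress.ip_network("10.106.99.0/24")]

LOG_RE = re.compile(
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:\s]+):"
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def parse_shorewall_log(line):
    """Split a Shorewall/netfilter log line into chain, action and packet
    fields; return None if the line is not a Shorewall log entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["src"] = ipaddress.ip_address(entry["src"])
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    return entry


def diagnose(entry):
    """A packet that enters and leaves on the same interface (IN == OUT)
    is a hairpin; Shorewall refuses it unless the interface has the
    routeback option or the two sides sit in different zones (for example
    an ipsec zone for the tunnel traffic)."""
    if entry["chain"] == "FORWARD" and entry["in"] == entry["out"]:
        hint = "hairpin forward on %s" % entry["in"]
        if any(entry["dst"] in net for net in VPN_REMOTE_NETS):
            hint += (": destination is a VPN subnet; add 'routeback' on %s "
                     "or define a separate zone for the tunnel" % entry["in"])
        return hint
    return "%s by policy in chain %s" % (entry["action"], entry["chain"])


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        entry = parse_shorewall_log(line)
        print(entry["src"], "->", entry["dst"], "|", diagnose(entry))
```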
Brian J. Murrell wrote:
> On Tue, 2007-03-04 at 17:34 +0200, hans lux wrote:
>> i've read that article but can't find the problem i have in there.
>
> That's probably because this is not a shorewall problem.
>
>> at the moment i have the following situation
>>
>>   eth0   = inet
>>   eth2   = local (192.168.0.0/24) ------ tunnel ----- 192.168.33.0/24
>>   eth2:0 = local (10.106.121.0)   ----- tunnel ------ 10.106.99.0/24
>>
>> now i need to access the 10.106.99.0/24 from the 192.168.0.0/24.
>
> This is a routing problem and nothing to do with shorewall I think.
>
> Have you tried this configuration without activating your shorewall rules first to prove that it's a shorewall problem? There is nothing about filtering or natting that should be needed to make this work. It's all in the routing.
>
> b.

thanks for your response.

I tried that, but without success.

With firewalling turned off
The router/firewall is connected to the local network 192.168.0.0/24 and
  can send/receive icmp packages to network 192.168.0.0/24 over eth2
  can send/receive icmp packages to network 10.106.121.0/24 over eth2:0
  can send/receive icmp packages to network 10.106.99.0/24 over 10.106.121.1

the network 10.106.99.0/24 is established over a vpn tunnel

now I'd like to send/receive packages from any host in 192.168.0.0/24 to the network 10.106.99.0/24

I don't know how to do the routing. I thought I had to masq the 192.168.0.0/24 network to 10.106.121.0/24 because otherwise the remote network 10.106.99.0/24 can't send back packages. the remote side only has a route to 10.106.121.0/24 but not to my 192.168.0.0/24 network.

or am I totally wrong?

some help would be great.

thanks
hlux
hans lux wrote:
> Brian J. Murrell wrote:
>> On Tue, 2007-03-04 at 17:34 +0200, hans lux wrote:
>>> i've read that article but can't find the problem i have in there.
>> That's probably because this is not a shorewall problem.
>>
>>> at the moment i have the following situation
>>>
>>>   eth0   = inet
>>>   eth2   = local (192.168.0.0/24) ------ tunnel ----- 192.168.33.0/24
>>>   eth2:0 = local (10.106.121.0)   ----- tunnel ------ 10.106.99.0/24
>>>
>>> now i need to access the 10.106.99.0/24 from the 192.168.0.0/24.
>> This is a routing problem and nothing to do with shorewall I think.
>>
>> Have you tried this configuration without activating your shorewall rules first to prove that it's a shorewall problem? There is nothing about filtering or natting that should be needed to make this work. It's all in the routing.
>>
>> b.
>
> thanks for your response.
>
> I tried that, but without success.
>
> With firewalling turned off
> The router/firewall is connected to the local network 192.168.0.0/24 and
>   can send/receive icmp packages to network 192.168.0.0/24 over eth2
>   can send/receive icmp packages to network 10.106.121.0/24 over eth2:0
>   can send/receive icmp packages to network 10.106.99.0/24 over 10.106.121.1
>
> the network 10.106.99.0/24 is established over a vpn tunnel
>
> now I'd like to send/receive packages from any host in 192.168.0.0/24 to the network 10.106.99.0/24
>
> I don't know how to do the routing. I thought I had to masq the 192.168.0.0/24 network to 10.106.121.0/24 because otherwise the remote network 10.106.99.0/24 can't send back packages. the remote side only has a route to 10.106.121.0/24 but not to my 192.168.0.0/24 network.
>
> or am I totally wrong?
>
> some help would be great.
>
> thanks
> hlux

the current routing table

  Kernel IP routing table
  Destination     Gateway         Genmask          Flags  Use  Iface
  in.et.ad.64     *               255.255.255.248  U      0    eth0
  10.106.121.0    *               255.255.255.0    U      0    eth2
  192.168.0.0     *               255.255.255.0    U      0    eth2
  10.106.99.0     10.106.121.1    255.255.255.0    UG     0    eth2
  10.106.99.0     in.et.ad.65     255.255.255.0    UG     0    eth0
  169.254.0.0     *               255.255.0.0      U      0    eth2
  172.16.0.0      *               255.255.0.0      U      0    eth1
  default         in.et.ad.65     0.0.0.0          UG     0    eth0
On Wed, 2007-04-04 at 11:52 +0200, hans lux wrote:
> With firewalling turned off
> The router/firewall is connected to the local network 192.168.0.0/24 and
>   can send/receive icmp packages to network 192.168.0.0/24 over eth2
>   can send/receive icmp packages to network 10.106.121.0/24 over eth2:0
>   can send/receive icmp packages to network 10.106.99.0/24 over 10.106.121.1

Good.

> now I'd like to send/receive packages from any host in 192.168.0.0/24 to the network 10.106.99.0/24

OK. Do they know that to reach 10.106.99.0/24 they need to route via the router/firewall (i.e. routing table on hosts in 192.168.0.0/24)? Does the router know it's supposed to be forwarding packets (/proc/sys/net/ipv4/conf/*/forwarding)?

> I don't know how to do the routing. I thought I had to masq the 192.168.0.0/24 network to 10.106.121.0/24 because otherwise the remote network 10.106.99.0/24 can't send back packages.

Ahhh. Yes, that too. The hosts in both networks need to have routes back to the network where packets could be coming from.

> the remote side only has a route to 10.106.121.0/24 but not to my 192.168.0.0/24 network.

You need to add routes to hosts on both networks telling them how to get to the other network. Some people do this with dynamic routing protocols, some people do it with static routing. Routing is inherently site-specific and O/S specific. You will have to investigate your options given your policies and operating systems involved.

So far, this still doesn't sound like a Shorewall problem (yet).

b.
--
My other computer is your Microsoft Windows server.
Brian J. Murrell