Hi,

I have setup shorewall ipsec (Openswan) according to http://www.shorewall.net/IPSEC-2.6.html, and it works fine with subnet2subnet ipsec tunnels. Creating firewall rules using the vpn zone is also working. Have to say that Shorewall and Openswan combined is a powerful solution that gives appliances from companies such as Cisco a run for its money...

But, I wanted to try MASQ'ing the local subnet to a single ip. I found another post on this mailing list where the following was suggested in the MASQ file:

# file: masq
#INTERFACE                SUBNET              ADDRESS
eth0::$B_SIDE_IP_RANGE    $A_SIDE_IP_RANGE    $SINGLE_IP_ADDRESS

And, this kinda works, but only if I have a rule like this in my rules:

# file: rules
ACCEPT  loc  net

I already have rules like this:

ACCEPT  loc  vpn
ACCEPT  vpn  loc

Here are the files I changed for ipsec in my config:

# file: hosts
#ZONE   HOST(S)                 OPTIONS
vpn     eth0:10.233.233.0/24    ipsec

# file: zones
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
vpn     ipv4
fw      firewall
net     ipv4
loc     ipv4

# file: tunnels
ipsec   net     $REMOTE_IPSEC_PEER_IP

Without MASQ it works without the additional "ACCEPT loc net" line in rules.

So my question is, is this correct, meaning is the "ACCEPT loc net" rule required? Or is there something wrong with my configuration so that shorewall doesn't pick up the vpn zone when I added MASQ'ing?

I should also add that the SINGLE_IP_ADDRESS I want to "MASQ with" is another IP address from the same subnet as eth0 (the net interface).

Tor

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
Tor Arne Rein wrote:
> # file: masq
> #INTERFACE                SUBNET              ADDRESS
> eth0::$B_SIDE_IP_RANGE    $A_SIDE_IP_RANGE    $SINGLE_IP_ADDRESS
>
> And, this kinda works, but only if I have a rule like this in my rules:
>
> # file: rules
> ACCEPT  loc  net

And Shorewall is complaining that the above rule is a policy and should be placed in the policy file. The rule would be:

ACCEPT  loc:$A_SIDE_IP_RANGE  net:$B_SIDE_IP_RANGE

> I already have rules like this:
>
> ACCEPT  loc  vpn
> ACCEPT  vpn  loc
>
> Here are the files I changed for ipsec in my config:

Looking at single entries out of context doesn't tell us much of anything. That's why we always ask that problem reports be accompanied by the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

> # file: hosts
> #ZONE   HOST(S)                 OPTIONS
> vpn     eth0:10.233.233.0/24    ipsec
>
> # file: zones
> #ZONE   TYPE        OPTIONS     IN          OUT
> #                               OPTIONS     OPTIONS
> vpn     ipv4
> fw      firewall
> net     ipv4
> loc     ipv4
>
> # file: tunnels
> ipsec   net     $REMOTE_IPSEC_PEER_IP
>
> Without MASQ it works without the additional "ACCEPT loc net" line in rules.
>
> So my question is, is this correct, meaning is the "ACCEPT loc net" rule required?
> Or is there something wrong with my configuration so that shorewall doesn't pick up the vpn zone when I added MASQ'ing?
> I should also add that the SINGLE_IP_ADDRESS I want to "MASQ with" is another IP address
> from the same subnet as eth0 (the net interface).

Did you also change your OpenSwan configuration to only include $SINGLE_IP_ADDRESS on the A side? That would explain what you are seeing.
Hi,

>> # file: rules
>> ACCEPT  loc  net
>
> And Shorewall is complaining that the above rule is a policy and should
> be placed in the policy file. The rule would be:
>
> ACCEPT  loc:$A_SIDE_IP_RANGE  net:$B_SIDE_IP_RANGE

That was just a simplified example, I would use ip addresses in the rules normally, but in the attached dump I have changed to policy instead.

> Looking at single entries out of context doesn't tell us much of
> anything. That's why we always ask that problem reports be accompanied
> by the output of 'shorewall dump' collected as described at
> http://www.shorewall.net/support.htm#Guidelines.

I have attached the output of 'shorewall dump', it also includes the log of where it's blocking:

Dec 15 02:33:56 loc2net:REJECT:IN=eth1 OUT=eth0 SRC=10.90.90.2 DST=10.233.233.10 \
LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=62446 DF PROTO=TCP SPT=32818 DPT=2000

> Did you also change your OpenSwan configuration to only include
> $SINGLE_IP_ADDRESS on the A side? That would explain what you are seeing.

Yes, and I know the ipsec tunnel is working since I am able to connect to the other side when I added the additional "ACCEPT loc net" rule/policy, as shown by this output from netstat on the other side of the tunnel:

tcp        0      0 10.233.233.10:2000    195.159.177.101:32806    ESTABLISHED 22831/nc

BTW: I am using shorewall 4.2.2 on Centos5.2, with openswan-2.6.14-1.el5_2.1 rpm, using NETKEY as ipsec stack. The "other side" is a Cisco VPN router.

Tor
Tor Arne Rein wrote:
> Hi,
>
>>> # file: rules
>>> ACCEPT  loc  net
>> And Shorewall is complaining that the above rule is a policy and should
>> be placed in the policy file. The rule would be:
>>
>> ACCEPT  loc:$A_SIDE_IP_RANGE  net:$B_SIDE_IP_RANGE
>
> That was just a simplified example, I would use ip addresses in the rules normally,
> but in the attached dump I have changed to policy instead.
>
>> Looking at single entries out of context doesn't tell us much of
>> anything. That's why we always ask that problem reports be accompanied
>> by the output of 'shorewall dump' collected as described at
>> http://www.shorewall.net/support.htm#Guidelines.
>
> I have attached the output of 'shorewall dump', it also includes the log of where
> it's blocking:
>
> Dec 15 02:33:56 loc2net:REJECT:IN=eth1 OUT=eth0 SRC=10.90.90.2 DST=10.233.233.10 \
> LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=62446 DF PROTO=TCP SPT=32818 DPT=2000
>
>> Did you also change your OpenSwan configuration to only include
>> $SINGLE_IP_ADDRESS on the A side? That would explain what you are seeing.
>
> Yes, and I know the ipsec tunnel is working since I am able to connect to the other side
> when I added the additional "ACCEPT loc net" rule/policy, as shown by this output from
> netstat on the other side of the tunnel:
>
> tcp        0      0 10.233.233.10:2000    195.159.177.101:32806    ESTABLISHED 22831/nc

It is working as expected. You have no SPD entries covering 10.90.90.* <-> 10.233.233.* and hence a connection from 10.90.90.2 -> 10.233.233.10 is loc->net traffic, not loc->vpn.

-Tom
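A small model of the zone decision Tom describes, added here as an illustration (not code from the thread or from Shorewall): the ipsec zone is decided by matching the packet against the kernel SPD in the FORWARD chain, before the masq rule in POSTROUTING rewrites the source address, so once OpenSwan only covers $SINGLE_IP_ADDRESS, a packet still carrying its 10.90.90.x source is classified loc->net. The address values are constructed stand-ins for the thread's $A_SIDE_IP_RANGE, $B_SIDE_IP_RANGE and $SINGLE_IP_ADDRESS.

```python
import ipaddress
from dataclasses import dataclass

# Illustration only: Shorewall's "ipsec" zone option matches packets against
# the kernel SPD (iptables -m policy). The FORWARD chain sees the packet
# BEFORE the masq rule in POSTROUTING rewrites its source address.

@dataclass(frozen=True)
class SpdEntry:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def covered_by_spd(spd, src_ip, dst_ip):
    """True if some SPD entry covers (src, dst) as seen in FORWARD (pre-SNAT)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in e.src and d in e.dst for e in spd)

def classify(spd, src_ip, dst_ip, loc_net):
    """Return (source zone, destination zone) for a packet forwarded out eth0.
    A destination on eth0 is 'vpn' only when the SPD covers the flow; otherwise
    it falls into the plain 'net' zone defined on the same interface."""
    src_zone = "loc" if ipaddress.ip_address(src_ip) in loc_net else "net"
    dst_zone = "vpn" if covered_by_spd(spd, src_ip, dst_ip) else "net"
    return src_zone, dst_zone

def verdict(spd, src_ip, dst_ip, loc_net, accept_loc_net=False):
    """Outcome with 'ACCEPT loc vpn' in place; loc->net rejects unless a
    loc->net ACCEPT rule/policy (the thread's workaround) is present."""
    zones = classify(spd, src_ip, dst_ip, loc_net)
    if zones == ("loc", "vpn"):
        return "loc2vpn:ACCEPT"
    if zones == ("loc", "net"):
        return "loc2net:ACCEPT" if accept_loc_net else "loc2net:REJECT"
    return "other"

# Constructed values standing in for the thread's variables (assumptions).
A_SIDE_IP_RANGE = ipaddress.ip_network("10.90.90.0/24")
B_SIDE_IP_RANGE = ipaddress.ip_network("10.233.233.0/24")
SINGLE_IP_ADDRESS = ipaddress.ip_network("195.159.177.101/32")

# Subnet-to-subnet tunnel: the SPD covers the whole local subnet.
SPD_SUBNET = [SpdEntry(A_SIDE_IP_RANGE, B_SIDE_IP_RANGE)]
# After MASQ: OpenSwan only knows about $SINGLE_IP_ADDRESS on the A side.
SPD_MASQ = [SpdEntry(SINGLE_IP_ADDRESS, B_SIDE_IP_RANGE)]

if __name__ == "__main__":
    for name, spd in (("subnet2subnet", SPD_SUBNET), ("masq", SPD_MASQ)):
        print(name, verdict(spd, "10.90.90.2", "10.233.233.10", A_SIDE_IP_RANGE))
```

With SPD_MASQ the same 10.90.90.2 -> 10.233.233.10 packet that the log shows as loc2net:REJECT is classified loc->net, which is why the extra loc->net ACCEPT was needed; only the post-NAT source 195.159.177.101 is covered by the SPD.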