Hi everyone!

First of all, sorry about my bad English and the e-mail's extension.

I need some help to implement a VPN connection using shorewall and openswan as IPSec tunnel.

My network map:

CLIENT VPN APPLIANCE --> +++INTERNET+++ --> FIREWALL --> OPENSWAN SERVER (DMZ)

I have two VPN connections with two different subnets to the other end. The two of them are correctly established.

One of my doubts is how to configure the hosts, tunnels and zones stuff linking to the VPN server on DMZ. I have these files for now:

shorewall 1

zones:
xxx
conn1 ipv4
conn2 ipv4

tunnels:
ipsec net 200.xxx.xxx.xxx

hosts:
conn1 eth0:192.168.102.0/24,200.xxx.xxx.xxx ipsec
conn2 eth0:10.201.136.0/21,200.xxx.xxx.xxx ipsec

policy:
conn1 $FW ACCEPT info
conn2 $FW ACCEPT info
$FW conn1 ACCEPT info
$FW conn2 ACCEPT info
dmz conn1 ACCEPT info
dmz conn2 ACCEPT info

rules:
DNAT conn1 dmz:192.168.1.224
DNAT conn2 dmz:192.168.1.224

Are they correct? The 192.168.1.224 is the server running Openswan (eth0 only). On this server, I'm running another shorewall (accepting everything incoming and outgoing). When reaching the vpn server, I'm nat'ing 3 specific ports to another two servers on DMZ. Apparently, here is the problem. The second subnet (10.x.x.x), and the most important one, is not communicating properly. I think my second firewall is not working correctly.

shorewall 2

rules:
DNAT all net:192.168.1.xxx udp xxx
DNAT all net:192.168.1.xxx udp xxx
DNAT all net:192.168.1.xxx tcp xxx

Are these rules correct? Do I need to implement tunnels and hosts files on this shorewall too?

Best regards,
João K.

------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited royalty-free distribution of the report engine for externally facing server and web deployment. http://p.sf.net/sfu/businessobjects
João Kuchnier wrote:
> Hi everyone!
>
> First of all, sorry about my bad English and the e-mail's extension.
>
> I need some help to implement a VPN connection using shorewall and
> openswan as IPSec tunnel.
>
> My network map:
>
> CLIENT VPN APPLIANCE --> +++INTERNET+++ --> FIREWALL --> OPENSWAN SERVER
> (DMZ)
>
> I have two VPN connections with two different subnets to the other end.
> The two of them are correctly established.
>
> One of my doubts is how to configure the hosts, tunnels and zones stuff
> linking to the VPN server on DMZ

You don't. You only need to worry about those when the IPSEC endpoint is on the firewall. What you want is described at http://www.shorewall.net/VPN.htm.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom,

Thanks for your help. I managed to configure the IPSec connection through the firewall using the rules specified at http://www.shorewall.net/VPN.htm with nat traversal.

Now, my only problem is using shorewall on the VPN Server. Are the rules I mentioned before correct?

RULES
DNAT all net:192.168.1.xxx udp 2000
DNAT all net:192.168.1.xxx udp 2010
DNAT all net:192.168.1.xxx tcp 2004

I need to nat specific packages coming from the VPN connection to another two servers. These servers need to respond to these packages using the ipsec tunnel.

João

2009/6/10 Tom Eastep <teastep@shorewall.net>
> João Kuchnier wrote:
> > Hi everyone!
> >
> > First of all, sorry about my bad English and the e-mail's extension.
> >
> > I need some help to implement a VPN connection using shorewall and
> > openswan as IPSec tunnel.
> >
> > My network map:
> >
> > CLIENT VPN APPLIANCE --> +++INTERNET+++ --> FIREWALL --> OPENSWAN SERVER
> > (DMZ)
> >
> > I have two VPN connections with two different subnets to the other end.
> > The two of them are correctly established.
> >
> > One of my doubts is how to configure the hosts, tunnels and zones stuff
> > linking to the VPN server on DMZ
>
> You don't. You only need to worry about those when the IPSEC endpoint is
> on the firewall. What you want is described at
> http://www.shorewall.net/VPN.htm.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
João Kuchnier wrote:
> Tom,
>
> Thanks for your help. I managed to configure the IPSec connection through
> the firewall using the rules specified at http://www.shorewall.net/VPN.htm
> with nat traversal.
>
> Now, my only problem is using shorewall on the VPN Server. Are the rules I
> mentioned before correct?
>
> RULES
> DNAT all net:192.168.1.xxx udp 2000
> DNAT all net:192.168.1.xxx udp 2010
> DNAT all net:192.168.1.xxx tcp 2004
>
> I need to nat specific packages coming from the VPN connection to another
> two servers. These servers need to respond to these packages using the ipsec
> tunnel.

I'm sorry but I'm completely confused about what you are trying to do. So I can't say whether those rules are correct or not.

It looks to me like you are trying to use routing/DNAT to 'help' IPSEC where IPSEC could probably do what you want by itself. It strikes me that 192.168.1.xxx will probably send its responses to the redirected requests back through your main firewall rather than through the VPN server which, of course, won't work.

Thanks,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
2009/6/10 Tom Eastep <teastep@shorewall.net>
> João Kuchnier wrote:
> > Tom,
> >
> > Thanks for your help. I managed to configure the IPSec connection through
> > the firewall using the rules specified at http://www.shorewall.net/VPN.htm
> > with nat traversal.
> >
> > Now, my only problem is using shorewall on the VPN Server. Are the rules I
> > mentioned before correct?
> >
> > RULES
> > DNAT all net:192.168.1.xxx udp 2000
> > DNAT all net:192.168.1.xxx udp 2010
> > DNAT all net:192.168.1.xxx tcp 2004
> >
> > I need to nat specific packages coming from the VPN connection to another
> > two servers. These servers need to respond to these packages using the ipsec
> > tunnel.
>
> I'm sorry but I'm completely confused about what you are trying to do.
> So I can't say whether those rules are correct or not.

--> Sorry, I will try to explain better...

> It looks to me like you are trying to use routing/DNAT to 'help' IPSEC
> where IPSEC could probably do what you want by itself. It strikes me
> that 192.168.1.xxx will probably send its responses to the redirected
> requests back through your main firewall rather than through the VPN
> server which, of course, won't work.

--> Yes, something like this. The firewall running on the openswan server (only one interface), besides accepting every connection, will nat three types of connections to two different servers. On these two servers, I created two routes for them to respond to vpn incoming packages. The gateway of these rules is directed to the openswan server.

Routes on one of the other servers on dmz...
192.168.102.0   192.168.1.224   255.255.255.0   UG   0 0 0 eth2
10.201.136.0    192.168.1.224   255.255.248.0   UG   0 0 0 eth2

Do you think the request response can get through the vpn connection?

João
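As an added illustration of the routing point Tom raises (this is example code, not from the thread or from Shorewall): a longest-prefix-match lookup over the two routes João posted, plus a constructed default route via a hypothetical main-firewall address 192.168.1.1, showing which replies the DMZ server hands to the openswan box 192.168.1.224 and which still leave via the default gateway (and so never enter the tunnel).

```python
import ipaddress

# Routing table rows in `route -n` layout: (destination, gateway, genmask, iface).
# The first two rows are the routes posted in the thread; the default route
# with gateway 192.168.1.1 is a constructed placeholder for the main firewall.
ROUTES = [
    ("192.168.102.0", "192.168.1.224", "255.255.255.0", "eth2"),  # from the thread
    ("10.201.136.0",  "192.168.1.224", "255.255.248.0", "eth2"),  # from the thread
    ("0.0.0.0",       "192.168.1.1",   "0.0.0.0",       "eth2"),  # constructed default
]

VPN_SERVER = "192.168.1.224"


def parse_routes(rows):
    """Turn route rows into (network, gateway, iface) tuples."""
    table = []
    for dest, gw, mask, iface in rows:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, ipaddress.ip_address(gw), iface))
    return table


def next_hop(table, dst):
    """Return (gateway, iface) of the most specific route matching dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[1]), best[2]


def replies_via_vpn_server(table, clients, vpn_server=VPN_SERVER):
    """For each VPN client address: does the reply go to the openswan server?"""
    return {c: next_hop(table, c)[0] == vpn_server for c in clients}


if __name__ == "__main__":
    # 10.201.144.1 lies just outside 10.201.136.0/21 (136.0 - 143.255),
    # so its reply falls through to the default route even with the VPN routes.
    clients = ["192.168.102.10", "10.201.140.7", "10.201.144.1"]
    print("with VPN routes :", replies_via_vpn_server(parse_routes(ROUTES), clients))
    print("default only    :", replies_via_vpn_server(parse_routes(ROUTES[2:]), clients))
```

Without the two host routes every reply takes the default route to the main firewall, which is the asymmetric path Tom warns about.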
João Kuchnier wrote:
> 2009/6/10 Tom Eastep <teastep@shorewall.net <mailto:teastep@shorewall.net>>
> > João Kuchnier wrote:
> > > Tom,
> > >
> > > Thanks for your help. I managed to configure the IPSec connection through
> > > the firewall using the rules specified at http://www.shorewall.net/VPN.htm
> > > with nat traversal.
> > >
> > > Now, my only problem is using shorewall on the VPN Server. Are the rules I
> > > mentioned before correct?
> > >
> > > RULES
> > > DNAT all net:192.168.1.xxx udp 2000
> > > DNAT all net:192.168.1.xxx udp 2010
> > > DNAT all net:192.168.1.xxx tcp 2004
> > >
> > > I need to nat specific packages coming from the VPN connection to another
> > > two servers. These servers need to respond to these packages using the
> > > ipsec tunnel.
> >
> > I'm sorry but I'm completely confused about what you are trying to do.
> > So I can't say whether those rules are correct or not.
>
> --> Sorry, I will try to explain better...
>
> > It looks to me like you are trying to use routing/DNAT to 'help' IPSEC
> > where IPSEC could probably do what you want by itself. It strikes me
> > that 192.168.1.xxx will probably send its responses to the redirected
> > requests back through your main firewall rather than through the VPN
> > server which, of course, won't work.
>
> --> Yes, something like this. The firewall running on the openswan
> server (only one interface), besides accepting every connection, will nat
> three types of connections to two different servers. On these two
> servers, I created two routes for them to respond to vpn incoming packages.
> The gateway of these rules is directed to the openswan server.
>
> Routes on one of the other servers on dmz...
> 192.168.102.0   192.168.1.224   255.255.255.0   UG   0 0 0 eth2
> 10.201.136.0    192.168.1.224   255.255.248.0   UG   0 0 0 eth2
>
> Do you think the request response can get through the vpn connection?

I don't know. I still don't understand why you have this complicated configuration with multiple tunnels and DNAT on two different systems. There has to be a better way, but none of us reading this thread can figure out what it is you are really trying to accomplish.

So I can only advise you to try the connection and see what happens.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
I am doing this because I was not authorized to create a vpn server on the main firewall, because it is a client remote server 5000km from where my company is. If something happens on this server, our support could cost at least one day to get there. This would shut down our electronic ticketing system communication.

The configuration would be much simpler with openswan running on the main firewall.

I will test these connections and try to post the logs here.

Thanks for your help!

João

2009/6/10 Tom Eastep <teastep@shorewall.net>
> João Kuchnier wrote:
> > 2009/6/10 Tom Eastep <teastep@shorewall.net <mailto:teastep@shorewall.net>>
> > > João Kuchnier wrote:
> > > > Tom,
> > > >
> > > > Thanks for your help. I managed to configure the IPSec connection
> > > > through the firewall using the rules specified at
> > > > http://www.shorewall.net/VPN.htm with nat traversal.
> > > >
> > > > Now, my only problem is using shorewall on the VPN Server. Are the
> > > > rules I mentioned before correct?
> > > >
> > > > RULES
> > > > DNAT all net:192.168.1.xxx udp 2000
> > > > DNAT all net:192.168.1.xxx udp 2010
> > > > DNAT all net:192.168.1.xxx tcp 2004
> > > >
> > > > I need to nat specific packages coming from the VPN connection to
> > > > another two servers. These servers need to respond to these packages
> > > > using the ipsec tunnel.
> > >
> > > I'm sorry but I'm completely confused about what you are trying to do.
> > > So I can't say whether those rules are correct or not.
> >
> > --> Sorry, I will try to explain better...
> >
> > > It looks to me like you are trying to use routing/DNAT to 'help' IPSEC
> > > where IPSEC could probably do what you want by itself. It strikes me
> > > that 192.168.1.xxx will probably send its responses to the redirected
> > > requests back through your main firewall rather than through the VPN
> > > server which, of course, won't work.
> >
> > --> Yes, something like this. The firewall running on the openswan
> > server (only one interface), besides accepting every connection, will nat
> > three types of connections to two different servers. On these two
> > servers, I created two routes for them to respond to vpn incoming packages.
> > The gateway of these rules is directed to the openswan server.
> >
> > Routes on one of the other servers on dmz...
> > 192.168.102.0   192.168.1.224   255.255.255.0   UG   0 0 0 eth2
> > 10.201.136.0    192.168.1.224   255.255.248.0   UG   0 0 0 eth2
> >
> > Do you think the request response can get through the vpn connection?
>
> I don't know. I still don't understand why you have this complicated
> configuration with multiple tunnels and DNAT on two different systems.
> There has to be a better way, but none of us reading this thread can
> figure out what it is you are really trying to accomplish.
>
> So I can only advise you to try the connection and see what happens.
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________