Hi Tom,

Thanks for the feedback about my Shorewall evaluation. I've published a blog today covering general things I've observed about the way to combine Shorewall with strongSwan:

http://danielpocock.com/practical-linux-vpns-with-strongswan-shorewall-and-openwrt

Please let me know if anything is inaccurate or if there is anything substantial that I missed and I'll correct it.

Regards,

Daniel

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
Hi all

I have a specific problem with routing through VPN links. Linux firewall, 2 interfaces: one is LAN eth0 on a class C 192.168.254.0/24, the other is WAN eth1 with a fixed public IP address, let's say it's 200.12.12.12.

On the firewall I have an IPSEC LAN-to-LAN VPN tunnel with remote network 10.10.0.0/16, let's call it SiteA.
On the firewall I have one more PPTP tunnel with remote network 192.168.20.0/24 with NAT on the ppp85 interface, let's call it SiteB.
Both tunnels are properly set up inside Shorewall and working OK.

On SiteB I have to reach 2 hosts with IP addresses 10.10.10.1 and 10.10.11.1 - addresses from the SiteA network.

Here are the entries in /etc/shorewall/masq:

ppp85:192.168.20.0/24   192.168.254.0/24
ppp85:10.10.10.1        192.168.254.0/24   192.168.20.220
ppp85:10.10.11.1        192.168.254.0/24   192.168.20.220

I added routes to those 2 hosts through the ppp85 interface but traffic from the LAN is not redirected through the PPTP link - it still goes through the IPSEC link. The routing table looks like this:

10.10.10.1      192.168.20.220  255.255.255.255  UGH  0 0 0  ppp85
10.10.11.1      192.168.20.220  255.255.255.255  UGH  0 0 0  ppp85
10.10.0.0       212.92.196.77   255.255.0.0      UG   0 0 0  eth1

When I ping from the firewall (the ping goes directly through the ppp85 interface) I can reach those 2 hosts through the PPTP tunnel on SiteB, but when I ping from my LAN or from the firewall's LAN interface the traffic goes through the IPSEC link on SiteA and the hosts are not reachable.

How can I reach those 2 hosts from the LAN through the PPTP VPN link?

Thanks, regards

Ivica Glavocic, LaserLine
ivica.glavocic@laserline.hr
On 07/18/2013 04:53 AM, Ivica Glavocic wrote:
> Hi all
>
> I have a specific problem with routing through VPN links. Linux firewall, 2
> interfaces: one is LAN eth0 on a class C 192.168.254.0/24, the other is WAN
> eth1 with a fixed public IP address, let's say it's 200.12.12.12.
>
> On the firewall I have an IPSEC LAN-to-LAN VPN tunnel with remote network
> 10.10.0.0/16, let's call it SiteA.
> On the firewall I have one more PPTP tunnel with remote network
> 192.168.20.0/24 with NAT on the ppp85 interface, let's call it SiteB.
> Both tunnels are properly set up inside Shorewall and working OK.
>
> On SiteB I have to reach 2 hosts with IP addresses 10.10.10.1 and
> 10.10.11.1 - addresses from the SiteA network.
>
> Here are the entries in /etc/shorewall/masq:
>
> ppp85:192.168.20.0/24   192.168.254.0/24
> ppp85:10.10.10.1        192.168.254.0/24   192.168.20.220
> ppp85:10.10.11.1        192.168.254.0/24   192.168.20.220
>
> I added routes to those 2 hosts through the ppp85 interface but traffic from
> the LAN is not redirected through the PPTP link - it still goes through the
> IPSEC link. The routing table looks like this:
>
> 10.10.10.1      192.168.20.220  255.255.255.255  UGH  0 0 0  ppp85
> 10.10.11.1      192.168.20.220  255.255.255.255  UGH  0 0 0  ppp85
> 10.10.0.0       212.92.196.77   255.255.0.0      UG   0 0 0  eth1
>
> When I ping from the firewall (the ping goes directly through the ppp85
> interface) I can reach those 2 hosts through the PPTP tunnel on SiteB, but
> when I ping from my LAN or from the firewall's LAN interface the traffic goes
> through the IPSEC link on SiteA and the hosts are not reachable.
>
> How can I reach those 2 hosts from the LAN through the PPTP VPN link?
>

No way that I know of. IPSEC overrides routing.

-Tom
-- 
Tom Eastep            \   When I die, I want to go like my Grandfather who
Shoreline,             \   died peacefully in his sleep. Not screaming like
Washington, USA         \   all of the passengers in his car
http://shorewall.net     \________________________________________________
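Tom's "IPSEC overrides routing" comes down to the order of lookups on the Linux output and forward paths. For a policy-based (XFRM) tunnel the kernel matches the packet's source and destination against the IPsec security policy database, and a matching policy hands the packet to the tunnel whether or not a more specific route points somewhere else; the /32 routes via ppp85 only change what `ip route get` reports. That also explains the one case that works: a ping sent from the firewall itself takes its source address from the ppp85 route, so it falls outside the 192.168.254.0/24 selector, while a ping bound to eth0 (or any forwarded LAN packet) matches it. The masq entries cannot help either, because on the forward path the policy lookup happens in ip_forward before the FORWARD and POSTROUTING hooks, so SNAT to 192.168.20.220 is applied after the policy has already matched on the original source. The Python model below is an added example, not code from the thread, from Shorewall or from any IPsec daemon; it replays those cases with the addresses posted above. The IPsec peer (PEER), the ppp85 local address (PPP85_LOCAL), the eth0 address, the default gateway and the route to 192.168.20.0/24 are assumptions.

```python
"""Why a /32 route via ppp85 cannot beat a policy-based IPsec tunnel.

Added example for this thread, not code from the list, from Shorewall or
from any IPsec daemon. It models the two lookups the kernel applies to a
packet: the FIB (routing table) lookup and the XFRM security policy
lookup on (src, dst). A matching policy claims the packet for the tunnel
whatever the routing table says.

Addresses are the ones posted in the thread; PEER, PPP85_LOCAL, the eth0
address, the default gateway and the 192.168.20.0/24 route are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class XfrmPolicy:
    """One 'dir out' entry as 'ip xfrm policy' lists it."""
    src: IPv4Net
    dst: IPv4Net
    peer: str                      # tunnel-mode template endpoint


@dataclass(frozen=True)
class Route:
    prefix: IPv4Net
    gateway: Optional[str]
    dev: str


PEER = "198.51.100.1"              # assumed IPsec peer (not named in the thread)
PPP85_LOCAL = "192.168.20.253"     # assumed local end of the PPTP link

# LAN-to-LAN tunnel selectors: LAN 192.168.254.0/24 <-> SiteA 10.10.0.0/16
XFRM_OUT: List[XfrmPolicy] = [
    XfrmPolicy(net("192.168.254.0/24"), net("10.10.0.0/16"), PEER),
]

# Routes posted in the thread, plus the connected/default ones the
# firewall must also have (the last three are assumed).
ROUTES: List[Route] = [
    Route(net("10.10.10.1/32"), "192.168.20.220", "ppp85"),
    Route(net("10.10.11.1/32"), "192.168.20.220", "ppp85"),
    Route(net("10.10.0.0/16"), "212.92.196.77", "eth1"),
    Route(net("192.168.254.0/24"), None, "eth0"),
    Route(net("192.168.20.0/24"), "192.168.20.220", "ppp85"),   # SiteB
    Route(net("0.0.0.0/0"), "200.12.12.1", "eth1"),             # default
]

# Interface addresses used as source for locally generated packets
# (eth0 address assumed; eth1 address is the one given in the thread).
LOCAL_ADDR = {"eth0": "192.168.254.1", "ppp85": PPP85_LOCAL,
              "eth1": "200.12.12.12"}


def lookup_route(dst: str) -> Route:
    """FIB lookup: longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def lookup_policy(src: str, dst: str) -> Optional[XfrmPolicy]:
    """SPD lookup: first policy whose selector covers (src, dst)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next((p for p in XFRM_OUT if s in p.src and d in p.dst), None)


def egress(src: str, dst: str) -> Tuple[str, str]:
    """How a packet with these addresses leaves the box.

    The FIB is consulted first (that is all 'ip route get' reports), but
    a matching policy replaces the plain route with the IPsec bundle, so
    the result is ("ipsec", peer) rather than ("route", dev).
    """
    route = lookup_route(dst)
    policy = lookup_policy(src, dst)
    if policy is not None:
        return ("ipsec", policy.peer)
    return ("route", route.dev)


def ping_from_firewall(dst: str, iface: Optional[str] = None) -> Tuple[str, str]:
    """Locally generated packet: its source address is the address of the
    route's egress interface unless bound with 'ping -I <iface>'."""
    dev = iface or lookup_route(dst).dev
    return egress(LOCAL_ADDR[dev], dst)


if __name__ == "__main__":
    # A LAN host, or 'ping -I eth0', is caught by the policy; a plain
    # ping from the firewall is sourced from ppp85 and is not.
    print("LAN host     -> 10.10.10.1:", egress("192.168.254.10", "10.10.10.1"))
    print("ping         -> 10.10.10.1:", ping_from_firewall("10.10.10.1"))
    print("ping -I eth0 -> 10.10.10.1:", ping_from_firewall("10.10.10.1", "eth0"))
```

On the real firewall the checks are `ip xfrm policy` (the selectors the kernel will match, which is what XFRM_OUT stands in for) and `ip xfrm state`; `ip route get` only reports the FIB result and will happily show ppp85 for 10.10.10.1 even though the tunnel takes the packet.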
On 18.7.2013 17:41, Tom Eastep wrote:
> On 07/18/2013 04:53 AM, Ivica Glavocic wrote:
>> Hi all
>>
>> I have a specific problem with routing through VPN links. Linux firewall, 2
>> interfaces: one is LAN eth0 on a class C 192.168.254.0/24, the other is WAN
>> eth1 with a fixed public IP address, let's say it's 200.12.12.12.
>>
>> On the firewall I have an IPSEC LAN-to-LAN VPN tunnel with remote network
>> 10.10.0.0/16, let's call it SiteA.
>> On the firewall I have one more PPTP tunnel with remote network
>> 192.168.20.0/24 with NAT on the ppp85 interface, let's call it SiteB.
>> Both tunnels are properly set up inside Shorewall and working OK.
>>
>> On SiteB I have to reach 2 hosts with IP addresses 10.10.10.1 and
>> 10.10.11.1 - addresses from the SiteA network.
>>
>> Here are the entries in /etc/shorewall/masq:
>>
>> ppp85:192.168.20.0/24   192.168.254.0/24
>> ppp85:10.10.10.1        192.168.254.0/24   192.168.20.220
>> ppp85:10.10.11.1        192.168.254.0/24   192.168.20.220
>>
>> I added routes to those 2 hosts through the ppp85 interface but traffic from
>> the LAN is not redirected through the PPTP link - it still goes through the
>> IPSEC link. The routing table looks like this:
>>
>> 10.10.10.1      192.168.20.220  255.255.255.255  UGH  0 0 0  ppp85
>> 10.10.11.1      192.168.20.220  255.255.255.255  UGH  0 0 0  ppp85
>> 10.10.0.0       212.92.196.77   255.255.0.0      UG   0 0 0  eth1
>>
>> When I ping from the firewall (the ping goes directly through the ppp85
>> interface) I can reach those 2 hosts through the PPTP tunnel on SiteB, but
>> when I ping from my LAN or from the firewall's LAN interface the traffic goes
>> through the IPSEC link on SiteA and the hosts are not reachable.
>>
>> How can I reach those 2 hosts from the LAN through the PPTP VPN link?
>>
> No way that I know of. IPSEC overrides routing.
>
> -Tom
>

Agreed. I did some additional testing in the past few days; there is no way I can make it work.

Thanks for the answer, Tom.

With regards,
Ivica