cmisip
2003-Aug-03 10:49 UTC
[Shorewall-users] Solved! another ipsec (FreeS/WAN) and shorewall question: host to host (router) vpn and internet access
Thank you very much for your time and effort. I have managed to successfully bring up the ipsec tunnel between the laptop and the linuxrouter, and now all wireless communication is encrypted, even for packets destined for the internet. It was not a configuration issue in shorewall at all but with ipsec.conf. I did not supply a rightsubnet in the laptop ipsec.conf and a leftsubnet in the linuxrouter ipsec.conf. I thought I did not need this in a host to host vpn setup. It turns out that this setting controls what of the remote network you are able to access. Omitting this sets the default rightsubnet on the laptop to point to just the linuxrouter, and so packets destined for the internet are dropped by the ipsec connection and not forwarded to shorewall for masquerading. I set the laptop rightsubnet and the linuxrouter leftsubnet to "0.0.0.0/0" and brought the tunnel up.

I ran into another snag: apparently there is a problem with one of the default conns of freeswan, specifically the conn private-or-clear. It is preventing me from setting the eroute to "0.0.0.0/0". I specified the conn private-or-clear in ipsec.conf and set auto=ignore just to override it. Now the tunnel can be brought up without any errors and internet access is possible and encrypted. I set up a couple of other tunnels for the other machines in the lan and now all wireless communication is encrypted. Thank you again.
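The two ipsec.conf changes described in this post, written out as an added illustration rather than the poster's actual files; the addresses, the conn name, the authby setting and the choice of auto=start/auto=add are placeholders I have assumed, not values from the thread.

```ini
# --- laptop: /etc/ipsec.conf (added illustration, placeholder addresses) ---
conn laptop-to-router
    left=192.0.2.10            # laptop's own wireless address (placeholder)
    right=192.0.2.1            # linuxrouter's wireless address (placeholder)
    # With rightsubnet omitted, FreeS/WAN defaults it to the router host alone,
    # so packets bound for the internet never match the tunnel and are dropped.
    rightsubnet=0.0.0.0/0      # send every destination through the tunnel
    authby=secret              # assumed; key material lives in ipsec.secrets
    auto=start                 # assumed: laptop initiates the tunnel

# --- linuxrouter: /etc/ipsec.conf (added illustration, placeholder addresses) ---
conn laptop-to-router
    left=192.0.2.1             # router's wireless address (placeholder)
    leftsubnet=0.0.0.0/0       # accept any destination from the laptop; shorewall
                               # then masquerades the decrypted packets to the internet
    right=192.0.2.10           # laptop's wireless address (placeholder)
    authby=secret              # assumed; must match the laptop side
    auto=add                   # assumed: router waits for the laptop to initiate

# --- on the host that complained (assumed: both) ---
# The default private-or-clear conn conflicted with the 0.0.0.0/0 eroute;
# overriding it with auto=ignore tells pluto to leave that conn alone.
conn private-or-clear
    auto=ignore
```

After `ipsec auto --up laptop-to-router` on the laptop, `ipsec eroute` should show the tunnel entry covering 0.0.0.0/0; if the eroute is still refused, the private-or-clear override was not picked up.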
Joshua Banks
2003-Aug-03 16:04 UTC
[Shorewall-users] Re: Solved! another ipsec (FreeS/WAN) and shorewall question: host to host (router) vpn and internet access
Nice job Cmisip, you should write up a detailed document on this and pass it out.

JBanks

--- cmisip <cmisip@insightbb.com> wrote:
> Thank you very much for your time and effort. I have managed to successfully bring up the ipsec tunnel between the laptop and the linuxrouter and now all wireless communication is encrypted even for packets destined for the internet. It was not a configuration issue in shorewall at all but with ipsec.conf. I did not supply a rightsubnet in the laptop ipsec.conf and a leftsubnet in the linuxrouter ipsec.conf. I thought I did not need this in a host to host vpn setup. It turns out that this setting controls what of the remote network you are able to access. Omitting this sets the default rightsubnet on the laptop to point to just the linuxrouter and so packets destined for the internet are dropped by the ipsec connection and not forwarded to shorewall for masquerading. I set the laptop rightsubnet and the linuxrouter leftsubnet to "0.0.0.0/0" and brought the tunnel up.
> I ran into another snag, apparently, there is a problem with one of the default conns of freeswan, specifically the conn private-or-clear. It is preventing me from setting the eroute to "0.0.0.0/0". I specified the conn private-or-clear in ipsec.conf and set auto=ignore just to override it. Now the tunnel can be brought up without any errors and internet access is possible and encrypted. I set up a couple of other tunnels for the other machines in the lan and now all wireless communication is encrypted. Thank you again.