Christian Lox wrote:
> Hi!
>
> I have been using shorewall for quite a while and it's a really great tool.
> We also used IPsec tunnels, and now our gateway has moved from the
> shorewall machine itself to a dedicated IPsec gateway machine which
> runs in the dmz.
> But now the tunnels do not come up, since I cannot figure out how to
> configure shorewall.
> It drops like this:
> Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=xxx.xxx.xx.x
> DST=xx.x.xx.xx LEN=204 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP
> SPT=500 DPT=500 LEN=184
>

As stated in several places in the Shorewall documentation, for IPSEC you must allow UDP port 500 and protocol 50 (and protocol 51 if you aren't using any form of NAT) between the VPN gateways. You don't say how you manage your DMZ (Proxy ARP, NAT, Masquerade, Routed) so I can't give you the exact rules but you might find http://www.shorewall.net/VPN.htm helpful.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
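An added example of what Tom's answer amounts to in /etc/shorewall/rules (this is not from the thread or from the Shorewall documentation). It assumes the Shorewall 1.x column layout, that the DMZ is routed or Proxy ARP (no address translation on the gateway's address, so no DNAT rule is needed), that "net" is the zone on eth2 and "dmz" the zone on eth1 as the logged IN/OUT interfaces suggest, and it uses placeholder addresses 10.0.0.2 for the DMZ IPsec gateway and 203.0.113.5 for the remote peer:

```text
# /etc/shorewall/rules  (added example; addresses are placeholders)
#ACTION   SOURCE              DEST                PROTO   DEST      SOURCE
#                                                         PORT(S)   PORT(S)
# IKE/ISAKMP - this is the UDP 500 -> 500 traffic seen in the net2all DROP
ACCEPT    net:203.0.113.5     dmz:10.0.0.2        udp     500       500
ACCEPT    dmz:10.0.0.2        net:203.0.113.5     udp     500       500
# ESP (IP protocol 50) carries the encrypted tunnel traffic
ACCEPT    net:203.0.113.5     dmz:10.0.0.2        50
ACCEPT    dmz:10.0.0.2        net:203.0.113.5     50
# AH (IP protocol 51) - only needed when no NAT sits between the peers;
# leave these two lines out if either side is behind NAT
ACCEPT    net:203.0.113.5     dmz:10.0.0.2        51
ACCEPT    dmz:10.0.0.2        net:203.0.113.5     51
```

Restricting SOURCE/DEST to the two gateway addresses rather than the whole zones keeps the opening as narrow as the tunnel needs; if the peer address is dynamic, the net side has to be widened to "net". After editing, "shorewall restart" (or "shorewall check" first, on versions that have it) applies the rules, and a remaining IKE drop in the log would then show in which direction the rule is still missing.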
Hi!

I have been using shorewall for quite a while and it's a really great tool.
We also used IPsec tunnels, and now our gateway has moved from the
shorewall machine itself to a dedicated IPsec gateway machine which
runs in the dmz.
But now the tunnels do not come up, since I cannot figure out how to
configure shorewall.
It drops like this:
Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=xxx.xxx.xx.x
DST=xx.x.xx.xx LEN=204 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP
SPT=500 DPT=500 LEN=184

Any hint appreciated!

Thanks in advance,
Christian
--
we reject: kings, presidents, religions
we accept: working code
Christian Lox wrote:
> Tom Eastep wrote:
>
>> As stated in several places in the Shorewall documentation, for IPSEC you
>> must allow UDP port 500 and protocol 50 (and protocol 51 if you aren't
>> using any form of NAT) between the VPN gateways. You don't say how you
>> manage your DMZ (Proxy ARP, NAT, Masquerade, Routed) so I can't give you
>> the exact rules but you might find http://www.shorewall.net/VPN.htm helpful.
>>
>
> Ok, I changed the rules mentioned there so they fit our older
> version used here.
> Another stupid question remains:
> The box doing the VPN gateway works; now shall packets for
> 192.168.12.x be routed there, so they can be passed through the
> tunnel.

Yes.

> 192.168.12.x is the LAN on the other side of the tunnel.
> I did set up a static route on the shorewall box to send it to the
> gateway on our side but the packets get dropped by shorewall:
> Sep 24 15:42:43 shore kernel: Shorewall:FORWARD:DROP:IN=eth0
> OUT=eth1 SRC=192.168.10.195 DST=192.168.12.8 LEN=92 TOS=0x00
> PREC=0x00 TTL=1 ID=11780 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=9216
>

Yes -- to start with, it appears that 192.168.12.0/24 isn't in any zone that you have defined (see the first bullet under "Other Gotchas" on the Troubleshooting page). I would make it its own zone associated with eth1 (so eth1 is a multi-zone interface) then you can have a policy of ACCEPT between the new zone and your local one.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Tom Eastep wrote:
>
> As stated in several places in the Shorewall documentation, for IPSEC you
> must allow UDP port 500 and protocol 50 (and protocol 51 if you aren't
> using any form of NAT) between the VPN gateways. You don't say how you
> manage your DMZ (Proxy ARP, NAT, Masquerade, Routed) so I can't give you
> the exact rules but you might find http://www.shorewall.net/VPN.htm helpful.
>

Ok, I changed the rules mentioned there so they fit our older
version used here.
Another stupid question remains:
The box doing the VPN gateway works; now shall packets for
192.168.12.x be routed there, so they can be passed through the
tunnel.
192.168.12.x is the LAN on the other side of the tunnel.
I did set up a static route on the shorewall box to send it to the
gateway on our side but the packets get dropped by shorewall:
Sep 24 15:42:43 shore kernel: Shorewall:FORWARD:DROP:IN=eth0
OUT=eth1 SRC=192.168.10.195 DST=192.168.12.8 LEN=92 TOS=0x00
PREC=0x00 TTL=1 ID=11780 PROTO=ICMP TYPE=8 CODE=0 ID=256 SEQ=9216

Or am I missing something else?

Thanks,
Christian
Tom Eastep wrote:
>
> Yes -- to start with, it appears that 192.168.12.0/24 isn't in any zone
> that you have defined (see the first bullet under "Other Gotchas" on the
> Troubleshooting page). I would make it its own zone associated with eth1
> (so eth1 is a multi-zone interface) then you can have a policy of ACCEPT
> between the new zone and your local one.
>

And that ACCEPT policy would presumably apply in both directions...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
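An added example of the zone setup Tom describes in his two follow-ups (a new zone for 192.168.12.0/24 on eth1, making eth1 a multi-zone interface, with ACCEPT policies in both directions). It is not from the thread or from the Shorewall project; it assumes the Shorewall 1.x file layout, that "loc" is the zone on eth0 and "dmz" the existing zone on eth1, the zone name "vpn" is my choice, and 10.0.0.0/24 is a placeholder for the DMZ network:

```text
# /etc/shorewall/zones  (added example)
#ZONE   DISPLAY     COMMENTS
vpn     VPN         192.168.12.0/24 - LAN behind the DMZ IPsec gateway

# /etc/shorewall/interfaces
# A "-" in the ZONE column makes eth1 a multi-zone interface; which hosts
# belong to which zone is then decided by /etc/shorewall/hosts.
#ZONE   INTERFACE   BROADCAST   OPTIONS
loc     eth0        detect
-       eth1        detect

# /etc/shorewall/hosts
# Every host reached through eth1 must now be assigned a zone here,
# including the existing DMZ hosts (10.0.0.0/24 is a placeholder).
#ZONE   HOST(S)                  OPTIONS
dmz     eth1:10.0.0.0/24
vpn     eth1:192.168.12.0/24

# /etc/shorewall/policy
# Both directions, as the follow-up notes; these lines must come before
# any catch-all "all all" or "loc all" policy or they are never reached.
#SOURCE   DEST    POLICY    LOG LEVEL
loc       vpn     ACCEPT
vpn       loc     ACCEPT
```

Shorewall only classifies the packet; the static route for 192.168.12.0/24 via the DMZ gateway still has to exist on the Shorewall box, and the gateway's own IPsec policy decides what goes into the tunnel. Once the zone exists, the earlier FORWARD:DROP for 192.168.10.195 -> 192.168.12.8 should stop appearing; if it persists, "shorewall show zones" (where available) is the quickest way to confirm that 192.168.12.0/24 actually landed in the vpn zone.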