>sample setups of freeswan working with shorewall?
I just implemented this a few days ago. In my case it was the simple
scenario of two private subnets (with different private network numbers!)
already equipped with Shorewall firewalls on which I added Freeswan. The
hardest part was being patient enough for the other end's firewall (a 486)
to compile the patched kernel. I basically followed the example in the
Shorewall doc:
http://www.shorewall.net/IPSEC.htm
and the referenced IPSEC info at:
http://jixen.tripod.com/
I used
kernel: 2.4.17
freeswan: 1.94
shorewall: 1.2.0
My shorewall config was taken directly from Tom's example at the URL above.
Some random points though:
- I seem to recall earlier versions of the IPSEC.htm document had a typo'd
  address in them.
- I had commented out the Gateway zone in my /etc/shorewall/zones since I
  wasn't previously using it. Things worked a lot better when I put it back
  in. ;)
- To avoid changing/testing two things at once, I temporarily changed both
  ends' Shorewall policy to "all all ACCEPT" just to make certain Shorewall
  wouldn't get in the way. After I knew the IPSEC tunnel was working, I
  changed the policy back to something sane.
- Don't forget that in your Policy and Rules you now have a new zone 'gw'
  to consider.
My IPSEC config was only slightly altered from the example at the URL above.
- I left 'interfaces=%defaultroute' so I could use the same file on both
  ends.
- When the Freeswan installation created the RSA key pairs for me, the
  public key was NOT in hex. Therefore, I dropped the leading '0x' shown in
  the jixen.tripod.com example.
- [left|right]nexthop is the respective machine's default gateway. Freeswan
  needs this to set up routing correctly.
I hope this helps,
dvt
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
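As an added illustration of the setup dvt describes above (this is not dvt's configuration, Tom's example from IPSEC.htm, or the jixen.tripod.com page), here is what the two halves look like side by side: a FreeS/WAN 1.x ipsec.conf for a net-to-net tunnel authenticated with RSA signatures, and the Shorewall 1.x files that put the ipsec0 interface in its own 'gw' zone and let IKE and ESP reach the remote gateway. The addresses (RFC 5737 documentation ranges), interface names, host IDs and key values are assumptions and placeholders, not anything from the thread. The "all all ACCEPT" policy used for debugging in the post is shown commented out next to the restrictive policy it was replaced with.

```conf
# ---- /etc/ipsec.conf (FreeS/WAN 1.9x syntax), identical on both gateways ----
# Assumed topology (documentation addresses, not real hosts):
#   gw-a: eth0 192.0.2.1     default gw 192.0.2.254      loc 192.168.1.0/24 on eth1
#   gw-b: eth0 198.51.100.1  default gw 198.51.100.254   loc 192.168.2.0/24 on eth1
config setup
        # %defaultroute lets the same file work on both ends: each side
        # picks its outside interface from its own default route.
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

conn %default
        keyingtries=0
        # Public keys, not a shared secret; each value is pasted from
        # "ipsec showhostkey --left" / "--right" run on the owning gateway.
        authby=rsasig

conn a-to-b
        left=192.0.2.1
        leftsubnet=192.168.1.0/24
        leftnexthop=192.0.2.254            # left's default gateway
        leftid=@gw-a.example.com
        # "0s" prefix = base64, which is how showhostkey prints the key;
        # a "0x" prefix would declare a hex key. Placeholder value.
        leftrsasigkey=0sAQN...placeholder...
        right=198.51.100.1
        rightsubnet=192.168.2.0/24
        rightnexthop=198.51.100.254        # right's default gateway
        rightid=@gw-b.example.com
        rightrsasigkey=0sAQO...placeholder...
        auto=start

# ---- /etc/shorewall/zones (both gateways) ----
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local network
gw      Gateway         Hosts behind the remote IPSEC gateway

# ---- /etc/shorewall/interfaces (gw-a; gw-b is the same) ----
# norfc1918 on eth0 is safe: ESP arrives on eth0 from the peer's public
# address; the decrypted packets with private addresses appear on ipsec0.
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          norfc1918
loc     eth1            detect
gw      ipsec0

# ---- /etc/shorewall/tunnels (gw-a; on gw-b the GATEWAY is 192.0.2.1) ----
# Opens IKE (udp 500) and ESP/AH between this firewall and the peer only.
#TYPE   ZONE    GATEWAY
ipsec   net     198.51.100.1

# ---- /etc/shorewall/policy (first match wins) ----
#SOURCE DEST    POLICY  LOG LEVEL
#all    all     ACCEPT                  # temporary: prove the tunnel first
loc     gw      ACCEPT
gw      loc     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
```

The tunnels entry is the piece most often missed when adding FreeS/WAN to an existing Shorewall box: without it the restrictive net policy drops the peer's IKE packets and the tunnel never comes up, which is exactly the symptom the temporary "all all ACCEPT" policy masks. Once "ipsec look" shows the eroute for 192.168.1.0/24 to 192.168.2.0/24, restore the restrictive policy and add only the loc/gw rules the sites actually need.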