Yeah Tom, I see what you mean, I will start over.

I set up OpenVPN on my network and tested for a couple of weeks; everything seemed to work fine with OpenVPN (using two Shorewall boxes on the net). But I have a small network with nothing but Windows boxes on the internal LAN anyway. I then took one of the Shorewall boxes and moved it to the network it will reside in, which has 70 Windows boxes, two Win2k servers, one WinNT server, one SCO Unix box, Lexmark T620n's and many printers. I then reset everything to connect from my network to the office, simulating what I need to do when this is finished.

I can ping only part of the large network and only workstations, no printers or servers (excluding Shorewall). I can ping Shorewall's internal IP from a remote machine on the remote LAN. I first thought it was a routing issue, but I cannot ping the Lexmark printers from the remote LAN that are lower than 10.19.227.128. So I went to the office today; since there are a lot of switches involved, I moved the NT server and one printer onto the same switch that the Shorewall box is on. Same trouble (I thought maybe one of the Cisco managed switches was blocking it). I then set up a GRE/IPIP tunnel. All this and I still have the same problem as I did with OpenVPN, so I really don't get it yet.

I am using RH7.2; Shorewall stuff is attached.

Thanks,
Mike

Attachments (non-text attachments scrubbed by the list archive):
- static-office.zip (application/x-zip-compressed, 697 bytes): http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030323/33482982/static-office-0001.bin
- officeshwall.zip (application/x-zip-compressed, 30350 bytes): http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030323/33482982/officeshwall-0001.bin
- remoteshwall.zip (application/x-zip-compressed, 29877 bytes): http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030323/33482982/remoteshwall-0001.bin
- statichome.zip (application/x-zip-compressed, 688 bytes): http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030323/33482982/statichome-0001.bin
Tom,

This may be the answer, since the two boxes I want access to are not under my control. If their default gateways are something other than 10.19.227.20 (Shorewall eth1), could that be the trouble??? If so, is there a way around it?

Mike
On Tue, 25 Mar 2003, Mike wrote:

> This may be the answer, since the two boxes I want access to are not
> under my control. If their default gateways are something other than
> 10.19.227.20 (shorewall eth1) could that be the trouble???

Of course.

> If so is there a way around it?

You can use SNAT on the office Shorewall box. In /etc/shorewall/masq:

    eth1:<ip address of first misconfiged box>   192.168.1.0/24   10.19.227.20
    eth1:<ip address of second misconfiged box>  192.168.1.0/24   10.19.227.20
    ...

If you also want to be able to access these boxes from your home gateway, you will need:

    eth1:<ip address of first misconfiged box>   172.16.0.x   10.19.227.20
    eth1:<ip address of second misconfiged box>  172.16.0.x   10.19.227.20

Where 'x' is the last digit of the tunnel IP on the home gateway.

Warning: As far as the "misconfiged boxes" are concerned, all connections from your home network will appear to come from 10.19.227.20.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Tom,

I have contacted the sysadmin on the 10.19.227.194; they changed the gateway on the most important box I need (SCO) and it replies now. Thank you for your help, I could not see the forest for the trees. How simple the fix was. I was thinking I was in the LAN when really it has to go out the gateway, and I overlooked boxes not under my control. I will try the SNAT for Gm. I have many hours just to get to this point. Thank you times 100.

Mike

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Mike" <landers@lanlinecomputers.com>
Cc: <shorewall-users@lists.shorewall.net>
Sent: Tuesday, March 25, 2003 8:46 AM
Subject: Re: [Shorewall-users] VPN trouble

> [quoted reply from Tom Eastep, reproduced in full in the message above]
On Tue, 25 Mar 2003, Mike wrote:

> Tom,
> I have contacted sysadmin on the 10.19.227.194 they changed the gate on
> the most important
> Box I need (sco) and it replies now, Thank you for your help, I could not see
> the forest for the trees.
> How simple the fix was. I was thinking I was in the lan when really it has
> to go out the gateway
> and overlooked boxes not under my control.

Mike -- you aren't the first person to get all tied up looking at request packets and to overlook what happens to the replies. I've done it myself :-)

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
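A small model of the reply-path problem this subthread works through, added here as an illustration (not code from the thread or from Shorewall). It assumes office hosts carry only an on-link route and a default route, that a default gateway other than the Shorewall box has no route back to the home LAN, and uses constructed host addresses and gateways; the masq line it produces follows the form Tom gives above.

```python
"""Reply-path model for the thread above (constructed illustration, not Shorewall code)."""
import ipaddress
from dataclasses import dataclass

OFFICE_LAN = ipaddress.ip_network("10.19.227.0/24")    # office LAN from the thread
SHOREWALL_ETH1 = ipaddress.ip_address("10.19.227.20")  # office Shorewall box, eth1
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")      # home LAN from the thread


@dataclass
class Host:
    addr: str      # office host address
    gateway: str   # default gateway configured on that host (not under our control)


def reply_next_hop(host: Host, request_src: str) -> str:
    """Where the host sends its reply: 'direct' if the requester is on-link,
    otherwise its default gateway (assumes only an on-link and a default route)."""
    if ipaddress.ip_address(request_src) in OFFICE_LAN:
        return "direct"
    return host.gateway


def reply_reaches_tunnel(host: Host, request_src: str, snat: bool) -> bool:
    """True if the reply comes back through the Shorewall box and so into the tunnel.
    With SNAT the host sees the request as coming from Shorewall's eth1 address.
    Assumption: a non-Shorewall gateway has no route back to the home LAN."""
    seen_src = str(SHOREWALL_ETH1) if snat else request_src
    hop = reply_next_hop(host, seen_src)
    if hop == "direct":
        return ipaddress.ip_address(seen_src) == SHOREWALL_ETH1
    return ipaddress.ip_address(hop) == SHOREWALL_ETH1


def masq_entry(host: Host) -> str:
    """The /etc/shorewall/masq line, in the form Tom gives, for one misconfigured host."""
    return f"eth1:{host.addr} {HOME_LAN} {SHOREWALL_ETH1}"


def diagnose(hosts, request_src="192.168.1.5"):
    """Map each host to (reaches without SNAT, reaches with SNAT)."""
    return {h.addr: (reply_reaches_tunnel(h, request_src, False),
                     reply_reaches_tunnel(h, request_src, True)) for h in hosts}


if __name__ == "__main__":
    # Constructed sample: a workstation pointing at Shorewall and a server that does not.
    hosts = [Host("10.19.227.50", "10.19.227.20"), Host("10.19.227.194", "10.19.227.1")]
    for h in hosts:
        without, with_snat = diagnose([h])[h.addr]
        print(h.addr, "reply reaches tunnel:", without, "| with SNAT:", with_snat)
        if not without:
            print("  add to /etc/shorewall/masq:", masq_entry(h))
```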
I have the rules below in my old 1.3.9 system, but 1.4 doesn't like them, and I am not sure which doc outlines this change?

    ACCEPT net loc:192.168.0.130 tcp 62121 - all
    ACCEPT net loc:192.168.0.130 tcp 36200:36300 - all

    Error: Only DNAT and REDIRECT rules may specify port mapping; rule "ACCEPT net:203.30.46.0/24,203.15.140.0/24 loc:192.168.0.130 tcp 21 - all"

Now, am I correct in understanding that apart from changing ACCEPT -> DNAT nothing else needs to be changed?
On Tue, 25 Mar 2003, j2 wrote:

> I have the below rules in my old 1.3.9 system, but 1.4 doesn't like them, and
> I am not sure which docs that outlines this change?

Those rules are Shorewall-1.2 format port forwarding rules.

>
> ACCEPT net loc:192.168.0.130 tcp 62121 - all
> ACCEPT net loc:192.168.0.130 tcp 36200:36300 - all
>
> Error: Only DNAT and REDIRECT rules may specify port mapping; rule "ACCEPT
> net:203.30.46.0/24,203.15.140.0/24 loc:192.168.0.130 tcp 21 - all"
>
> Now, am I correct in understanding that apart from changing ACCEPT -> DNAT
> nothing else needs to be changed?

The equivalent 1.3/1.4 rules are:

    DNAT net loc:192.168.0.130 tcp 62121
    DNAT net loc:192.168.0.130 tcp 36300:36300

The keyword DNAT superseded the need for the obscure use of "all" in the last column to denote a port forwarding rule.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
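A converter for the rule change Tom describes, added here as an illustration (it is not Shorewall's own code and does not parse the full rules-file grammar). It assumes the column order visible in the rules quoted above (ACTION, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), ORIGINAL DEST), treats an ACCEPT rule whose ORIGINAL DEST column is literally "all" as a 1.2 port-forwarding rule, and mirrors the 1.4 check that only DNAT and REDIRECT may fill that column.

```python
"""Convert Shorewall 1.2-style port-forwarding rules to 1.3/1.4 DNAT rules.
Constructed illustration, not Shorewall's own code."""
from typing import List, Tuple

# Column order assumed, as in the rules quoted in the thread:
# ACTION SOURCE DEST PROTO DEST_PORT(S) SOURCE_PORT(S) ORIGINAL_DEST
PORT_MAPPING_ACTIONS = {"DNAT", "REDIRECT"}


def is_12_port_forward(fields: List[str]) -> bool:
    """A 1.2 port-forwarding rule: ACCEPT whose ORIGINAL DEST column is literally 'all'."""
    return (len(fields) == 7 and fields[0].upper() == "ACCEPT"
            and fields[5] == "-" and fields[6].lower() == "all")


def rejected_by_14(fields: List[str]) -> bool:
    """Mirror the 1.4 check: only DNAT/REDIRECT may fill the ORIGINAL DEST column."""
    return (len(fields) >= 7 and fields[6] != "-"
            and fields[0].upper() not in PORT_MAPPING_ACTIONS)


def convert_rule(line: str) -> str:
    """Rewrite one rules-file line; comments, blanks and 1.3/1.4 rules pass through."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return stripped
    fields = stripped.split()
    if is_12_port_forward(fields):
        # DNAT replaces ACCEPT and the trailing "- all" marker is dropped
        return " ".join(["DNAT"] + fields[1:5])
    return stripped


def convert_rules(text: str) -> Tuple[List[str], List[str]]:
    """Return (converted lines, lines 1.4 would still reject after conversion)."""
    converted = [convert_rule(l) for l in text.splitlines()]
    still_bad = [l for l in converted if l and not l.startswith("#")
                 and rejected_by_14(l.split())]
    return converted, still_bad


if __name__ == "__main__":
    # Constructed sample rules file built from the rules in the thread
    SAMPLE = """# old 1.2-format port forwarding
ACCEPT net loc:192.168.0.130 tcp 62121 - all
ACCEPT net loc:192.168.0.130 tcp 36200:36300 - all
ACCEPT net:203.30.46.0/24,203.15.140.0/24 loc:192.168.0.130 tcp 21 - all
ACCEPT loc net tcp 80
"""
    out, bad = convert_rules(SAMPLE)
    print("\n".join(out))
    print("still rejected:", bad)
```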
> Those rules are Shorewall-1.2 format port forwarding rules.

Speaking of port forwarding, any hope of integrating Shorewall with LVS?

http://www.linuxvirtualserver.org/

The rules, applications, and format of 'iptables' and 'ipvsadm' are very similar. LVS is (at its core) port forwarding plus a scheduler.

--Derek
On Tue, 25 Mar 2003, Derek Simkowiak wrote:

> > Those rules are Shorewall-1.2 format port forwarding rules.
>
> Speaking of port forwarding, any hope of integrating Shorewall
> with LVS?
>

Patches cheerfully accepted...

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
Quoting Tom Eastep <teastep@shorewall.net>:

> Those rules are Shorewall-1.2 format port forwarding rules.

So in other words I didn't convert all my rules when I went 1.2 -> 1.3. Well, that explains it.

> The keyword DNAT superseded the need for the obscure use of "all" in the
> last column to denote a port forwarding rule.

Thank you, that quote made it all extremely clear.

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/