Hello.

I am running freeswan ipsec with shorewall and I modified the ipsec _updown script to add the corresponding forwarding rules between the subnets as follows:

    up-client:)
            # connection to my client subnet coming up
            # If you are doing a custom version, firewall commands go here.
            iptables -I FORWARD 1 -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
            iptables -I FORWARD 1 -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
            ;;
    down-client:)
            # connection to my client subnet going down
            # If you are doing a custom version, firewall commands go here.
            iptables -D FORWARD -s $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -d $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
            iptables -D FORWARD -d $PLUTO_MY_CLIENT_NET/$PLUTO_MY_CLIENT_MASK \
                -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -j ACCEPT
            ;;

Now, everything is working just fine, but when I restart shorewall I obviously lose these forwards between the subnets... Is there a way to recreate these rules when shorewall restarts?

--
EOM
Saludos/Regards,
Jorge Molina.
Buenos Aires - Argentina (GMT-3).
On Thu, 8 May 2003 15:25:26 -0300, Jorge Molina <shorewall-users@itso.com.ar> wrote:

> Hello.
>
> I am running freeswan ipsec with shorewall and I modified the ipsec
> _updown script to add the corresponding forwarding rules between the
> subnets as follows:

<commands deleted>

> Now, everything is working just fine, but when I restart shorewall I
> obviously lose these forwards between the subnets... Is there a way to
> recreate these rules when shorewall restarts?

Firewall rules for IPSEC should be defined using Shorewall mechanisms as described at http://www.shorewall.net/IPSEC.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep <teastep@shorewall.net> wrote on 08/05/2003 15:46:33:

> > I am running freeswan ipsec with shorewall and I modified the ipsec
> > _updown script to add the corresponding forwarding rules between the
> > subnets as follows:
>
> <commands deleted>
>
> > Now, everything is working just fine, but when I restart shorewall I
> > obviously lose these forwards between the subnets... Is there a way to
> > recreate these rules when shorewall restarts?
>
> Firewall rules for IPSEC should be defined using Shorewall mechanisms as
> described at http://www.shorewall.net/IPSEC.htm.

I did follow the guide and it works; quite complicated, but it was a matter of time.

Now I am facing a new deal, because I get a REJECT with every ping I send from the road warrior LOC to the gateway LOC. I already added the policies as follows:

    vpn1    loc     ACCEPT
    loc     vpn1    ACCEPT

and also, I issue

    shorewall add ipsec0:[road_warrior_subnet] vpn1

Am I missing something?

--
EOM
Saludos/Regards,
Jorge Molina.
Buenos Aires - Argentina (GMT-3).
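As an added illustration (not code from this thread or from the Shorewall project), here is an _updown fragment that replaces the raw iptables calls from the first message with the shorewall add/delete commands used above, so the zone membership is handled by Shorewall rather than by rules it does not know about. It assumes pluto exports PLUTO_VERB, PLUTO_PEER_CLIENT_NET and PLUTO_PEER_CLIENT_MASK as FreeS/WAN's _updown does, that vpn1 is a Shorewall zone which accepts dynamic additions on ipsec0, and that the shorewall binary lives at /sbin/shorewall; the SHOREWALL, IPSEC_IF and VPN_ZONE variables are hypothetical knobs for this example.

```shell
#!/bin/sh
# Added example (not from the thread or Shorewall): hand the peer's client
# subnet to Shorewall from the _updown hook instead of editing FORWARD directly.
# Assumptions: pluto sets PLUTO_VERB / PLUTO_PEER_CLIENT_NET / PLUTO_PEER_CLIENT_MASK;
# "vpn1" accepts "shorewall add/delete" on ipsec0; shorewall is at /sbin/shorewall.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}   # hypothetical override for testing
IPSEC_IF=${IPSEC_IF:-ipsec0}
VPN_ZONE=${VPN_ZONE:-vpn1}

# Build the "interface:net/mask" host spec for the peer's client subnet.
# Returns 1 and prints nothing if either variable is empty, so a half-set
# environment can never yield a spec such as "ipsec0:/255.255.255.0".
peer_client_spec() {
    [ -n "${PLUTO_PEER_CLIENT_NET:-}" ] && [ -n "${PLUTO_PEER_CLIENT_MASK:-}" ] || return 1
    printf '%s:%s/%s\n' "$IPSEC_IF" "$PLUTO_PEER_CLIENT_NET" "$PLUTO_PEER_CLIENT_MASK"
}

# Map the pluto verb to a Shorewall action; returns 1 for verbs we ignore.
shorewall_action() {
    case "$1" in
        up-client)   echo add ;;
        down-client) echo delete ;;
        *)           return 1 ;;
    esac
}

# One code path serves both up and down, built from the same spec, so the
# two directions cannot drift apart the way a hand-typed -I / -D pair can
# (a typo in the "down" line would leave the ACCEPT in place after the tunnel drops).
updown_hook() {
    action=$(shorewall_action "$1") || return 0      # not our verb: nothing to do
    spec=$(peer_client_spec) || {
        echo "updown: PLUTO_PEER_CLIENT_NET/MASK not set for $1" >&2
        return 1
    }
    "$SHOREWALL" "$action" "$spec" "$VPN_ZONE"
}

# Dispatch only when invoked by pluto; sourcing the file otherwise does nothing.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_hook "$PLUTO_VERB"
fi
```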
On Thu, 8 May 2003 17:53:18 -0300, Jorge Molina <shorewall-users@itso.com.ar> wrote:

> Now I am facing a new deal, because I get a REJECT with every ping I send
> from the road warrior LOC to the gateway LOC.

What kind of tunnel are you setting up? If it is a host-to-subnet tunnel, you won't be able to communicate between the firewall and the road-warrior.

> I already added the policies as follows:
> vpn1 loc ACCEPT
> loc vpn1 ACCEPT
>
> and also, I issue the shorewall add ipsec0:[road_warrior_subnet] vpn1

Isn't the road_warrior a single IP address?

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep <teastep@shorewall.net> wrote on 08/05/2003 20:13:53:

> > Now I am facing a new deal, because I get a REJECT with every ping I send
> > from the road warrior LOC to the gateway LOC.
>
> What kind of tunnel are you setting up? If it is a host-to-subnet tunnel,
> you won't be able to communicate between the firewall and the road-warrior.

I know that, I cannot ping between the gateways, but my ping tests are between the subnets only. It is a subnet-to-subnet; the left side is dynamic, so it is the only one which initiates the connection.

> > I already added the policies as follows:
> > vpn1 loc ACCEPT
> > loc vpn1 ACCEPT
> >
> > and also, I issue the shorewall add ipsec0:[road_warrior_subnet] vpn1
>
> Isn't the road_warrior a single IP address?

Well... I am using the left subnet there... maybe I'm wrong, but how can I define the forward rules between the subnets with shorewall? I did what you pointed out before, but I cannot ping between the subnets.
On Thu, 8 May 2003 20:57:44 -0300, Jorge Molina <shorewall-users@itso.com.ar> wrote:

> Well... I am using the left subnet there... maybe I'm wrong, but how can
> I define the forward rules between the subnets with shorewall? I did what
> you pointed out before, but I cannot ping between the subnets.

You're going to have to post some details if you want more help. See http://www.shorewall.net/support.htm.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep <teastep@shorewall.net> wrote on 09/05/2003 00:09:05:

> > Well... I am using the left subnet there... maybe I'm wrong, but how can
> > I define the forward rules between the subnets with shorewall? I did what
> > you pointed out before, but I cannot ping between the subnets.
>
> You're going to have to post some details if you want more help. See
> http://www.shorewall.net/support.htm.

Yes, you're right, Tom. I'm trying to figure out how shorewall creates the forwarding rules between the VPN zones. I'll send you all the information I have tomorrow.

Thank you.

--
EOM
Saludos/Regards,
Jorge Molina.
Buenos Aires - Argentina (GMT-3).