On Thu, 2003-06-26 at 04:32, Milos Wimmer wrote:
> Hello,
>
> I found curious thing.
> I'm using shorwall-1.4.1 and freeswan-2.00pre8 on the firewall
> with 3 interfaces. I have defined two IPSec tunnels for two networks
> in Internet to the local network. They are ended on the same external
> network card (eth0) of the firewall.
> Both tunneled networks have different access policy - so I had following
> idea:
> - I will create 2 virtual IP interfaces on the eth0 (eth0:1 and eth0:2)
> - I will create 2 ipsec interfaces (ipsec0 and ipsec1) on the eth0:1 and
> eth0:2
> - I will connect first external network0 to ipsec0 and
> second external network1 to ipsec1
> - I will create 2 shorewall zones (gw0 and gw1) for ipsec0 and ipsec1
> - I will create different shorewall rules for zones gw0 and gw1
>
> Maybe nice, but it doesn't work ;-)
>
> - network0 is connected to ipsec0 and all works fine.
> Shorewall assigns data of this tunnel to gw0 zone. That's ok.
> - network1 is connected to ipsec1 and tunnel is working fine too.
> But Shorewall assigns data of this tunnel to gw0 zone
> (instead of gw1) and so this tunnel is managed with wrong policy.
>
> I tried to remove ipsec0 definition from the FreeS/WAN config file and
> Shorewall assigned all traffic of the network1 to gw1 zone correctly.
>
> I'm not sure where the problem is. Maybe my fault? Maybe
> ipsec0 and ipsec1 can not use same physical interface?
I suspect that's the problem -- remember that "virtual IP interfaces"
are creations of the old net-tools and it is only those old tools that
try to deal with them as interfaces
(see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html).
> Or something in Shorewall?
> I can use one zone for both ipsec tunnels and manage access policy
> according to source IP addresses (it works fine), but my previous
> idea looks better ;-)
>
But using the source address works -- your idea doesn't. What more is
there to be said?
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
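The approach Tom points at (separate policies by source address rather than by a second ipsec device on an aliased interface) can still be expressed as two Shorewall zones, by defining both zones on the single ipsec0 interface through the hosts file. The fragments below are an added illustration written for this thread, not configuration from the original mail or from the Shorewall project; they assume the Shorewall 1.4 file layout (zones, interfaces, hosts, policy, rules), and the subnets 192.0.2.0/24 and 198.51.100.0/24 are documentation placeholders standing in for network0 and network1.

```text
# /etc/shorewall/zones
#ZONE   DISPLAY     COMMENTS
net     Net         Internet
loc     Local       Local network
gw0     Tunnel0     Hosts reached through the first IPSec tunnel (network0)
gw1     Tunnel1     Hosts reached through the second IPSec tunnel (network1)

# /etc/shorewall/interfaces
# A "-" in the ZONE column means the zone of hosts on this interface
# is decided by /etc/shorewall/hosts rather than by the interface itself.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect
-       ipsec0      -

# /etc/shorewall/hosts
# Only traffic that arrives decrypted on ipsec0 AND carries a source
# address from the given subnet is placed in the zone, so a plaintext
# packet on eth0 with a spoofed 192.0.2.x source does not land in gw0.
#ZONE   HOST(S)                     OPTIONS
gw0     ipsec0:192.0.2.0/24
gw1     ipsec0:198.51.100.0/24

# /etc/shorewall/policy
# Different default policy per tunnel: network0 is trusted,
# network1 is denied by default and opened selectively in rules.
#SOURCE DEST    POLICY  LOG LEVEL
gw0     loc     ACCEPT
gw1     loc     DROP    info
loc     gw0     ACCEPT
loc     gw1     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules
# Example of selectively opening one service from the restricted tunnel.
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT  gw1     loc     tcp     22
```

The point of the hosts-file form is that zone membership is tied to the ipsec0 device plus the remote subnet negotiated for that tunnel, which is exactly the "source address" distinction Tom describes, without relying on eth0:1 and eth0:2 being treated as real interfaces.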