Hello,

We have a VPN setup between two networks located in different cities. One side is a Customer's colocated equipment (which we are managing) in Vancouver, Canada and the other side is the Customer's office in Victoria, Canada.

On our side (the colocated equipment), I am wanting to run Shorewall, but have run into a couple of issues related to the VPN failing when Shorewall is running. I have been playing with the config, and reading the VPN docs on the site, but before trying to re-implement, I had a question or two:

1. Do both sides of the VPN have to be running Shorewall? I would think "no", but the VPN docs talk about the Shorewall configuration on both sides of the VPN. Assuming the answer is "no", I will do another post with my configuration information, so hopefully someone will be able to point me in the direction of what is wrong.

2. This question has more to do with masquerading. The mechanics are not Shorewall-related, but it's really more of a question on how to convert the iptables rule into a Shorewall rule. Essentially, they do not want VPN/ipsec traffic destined for Victoria to be masqueraded, which apparently it currently is. They sent me the following snippet from the Freeswan site:

--- CUT HERE ---
Do not MASQ or NAT packets to be tunneled

If you are masquerading or NATting packets on either gateway, you must now exempt the packets you wish to tunnel from this treatment. If you have a rule like:

    iptables -A FORWARD -s 42.42.42.0/255.255.255.0 -j MASQ

change it to something like:

    iptables -A FORWARD -s 42.42.42.0/255.255.255.0 -d ! 42.42.42.1/255.255.255.0 -j MASQ

This may be necessary on both gateways.

http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/config.html
--- CUT HERE ---

If there is documentation on how to do this within Shorewall, then I would appreciate it if you could point me in that direction, or any other pointers.
TIA,
Alan Murrell <silkbc@yahoo.com>
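A worked illustration of the exemption the Freeswan snippet above describes, added here by the editor; it is not part of Alan's post, nor code from Shorewall or Freeswan. Everything about the addressing is a constructed assumption: eth0 as the colocated gateway's Internet-facing interface, 192.168.1.0/24 for the Vancouver LAN, 192.168.2.0/24 for the Victoria LAN, and 203.0.113.1 as the gateway's public address. The iptables form is the netfilter equivalent of the ipchains-era FORWARD/MASQ rule in the snippet: MASQUERADE is applied in the nat table's POSTROUTING chain, and the exemption is spelled `! -d remote-net`. The Shorewall line is the masq file's exclusion syntax as I understand it (INTERFACE column qualified with `:!` and the networks not to be masqueraded, SUBNET column holding the local network); confirm it against the masq file documentation for the Shorewall version actually installed. The model deliberately does not pin an `-o` interface, since with KLIPS which device the inner packet leaves on depends on the setup.

```python
"""Why a MASQUERADE rule must exempt IPsec-tunneled traffic, and what the
exemption looks like as an iptables command and as a /etc/shorewall/masq entry.

All addresses below are constructed for the example (assumptions, not from
the thread):
  eth0             the colocated gateway's Internet-facing interface
  192.168.1.0/24   Vancouver (colo) LAN behind the gateway that will run Shorewall
  192.168.2.0/24   Victoria (customer office) LAN at the far end of the tunnel
  203.0.113.1      the gateway's public address that MASQUERADE would substitute
"""
import ipaddress


class MasqRule:
    """One MASQUERADE rule: match on a source network, optionally excluding
    a destination network (the "-d !" exemption from the Freeswan doc)."""

    def __init__(self, src, dst_not=None):
        self.src = ipaddress.ip_network(src)
        self.dst_not = ipaddress.ip_network(dst_not) if dst_not else None

    def matches(self, src_ip, dst_ip):
        src_ip = ipaddress.ip_address(src_ip)
        dst_ip = ipaddress.ip_address(dst_ip)
        if src_ip not in self.src:
            return False
        if self.dst_not is not None and dst_ip in self.dst_not:
            return False  # exempted: packets for the remote LAN are left untouched
        return True

    def iptables(self):
        """netfilter form of the rule: MASQUERADE lives in nat/POSTROUTING."""
        cmd = f"iptables -t nat -A POSTROUTING -s {self.src}"
        if self.dst_not is not None:
            cmd += f" ! -d {self.dst_not}"
        return cmd + " -j MASQUERADE"

    def shorewall_masq(self, iface="eth0"):
        """Assumed /etc/shorewall/masq line: INTERFACE[:!excluded-net]  SUBNET."""
        left = f"{iface}:!{self.dst_not}" if self.dst_not is not None else iface
        return f"{left}\t{self.src}"


def masqueraded(rules, src_ip, dst_ip):
    """True if any rule would rewrite the packet's source address."""
    return any(r.matches(src_ip, dst_ip) for r in rules)


def tunnel_policy_matches(src_ip, dst_ip, local_net, remote_net):
    """The tunnel's policy selector: inner source in the local LAN,
    inner destination in the remote LAN. A rewritten source fails this."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(remote_net))


def audit(rules, packets, local_net, remote_net, gateway_ip):
    """For each (src, dst) packet report whether it gets masqueraded and whether
    the packet as seen after NAT still matches the tunnel policy."""
    report = {}
    for src, dst in packets:
        nat = masqueraded(rules, src, dst)
        seen_src = gateway_ip if nat else src  # what the IPsec policy lookup sees
        report[(src, dst)] = {
            "masqueraded": nat,
            "tunneled": tunnel_policy_matches(seen_src, dst, local_net, remote_net),
        }
    return report


# Constructed sample traffic: one packet to the Internet, one to the Victoria LAN.
SAMPLE_PACKETS = [("192.168.1.10", "198.51.100.7"), ("192.168.1.10", "192.168.2.20")]
BEFORE = [MasqRule("192.168.1.0/24")]                            # masquerade everything
AFTER = [MasqRule("192.168.1.0/24", dst_not="192.168.2.0/24")]  # exempt the tunnel

if __name__ == "__main__":
    for label, rules in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(rules, SAMPLE_PACKETS, "192.168.1.0/24", "192.168.2.0/24", "203.0.113.1"))
    print(AFTER[0].iptables())
    print(AFTER[0].shorewall_masq("eth0"))
```

The "before" rule set rewrites the VPN-bound packet's source to the gateway's public address, so it no longer matches the 192.168.1.0/24 to 192.168.2.0/24 tunnel selector and never enters the tunnel; the "after" rule set still masquerades Internet-bound traffic but leaves Victoria-bound traffic with its original source. With Shorewall running, the masq line replaces the hand-written iptables command; the two are only shown side by side so the mapping between them is visible.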
On Wed, 10 Dec 2003, Alan Murrell wrote:

> 1. Do both sides of the VPN have to be running Shorewall?

No.

> 2. This question has more to do with masquerading. The mechanics are not
> shorewall-related, but it's really more of a question on how to convert the
> IPTables rule into a Shorewall rule.
>
> Essentially, they do not want VPN/ipsec traffic destined for Victoria to be
> masqueraded, which apparently it currently is.

Are they currently running Shorewall is this just a theoretical question?

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
On Wed, 10 Dec 2003, Tom Eastep wrote:

> Are they currently running Shorewall is this just a theoretical question?

Should be "... Shorewall *or* is this ..."

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA   \ teastep@shorewall.net
Hello,

> > Essentially, they do not want VPN/ipsec traffic destined for Victoria to
> > be masqueraded, which apparently it currently is.
>
> Are they currently running Shorewall is this just a theoretical question?

Well, the VPN is currently set up and running (Freeswan/ipsec). However, previously, when Shorewall was brought up, the VPN connection was lost. This was likely a misconfiguration on my part, which I think I may have sorted out (if not, I'll post under a separate thread).

The Customer's side (Victoria) is not running Shorewall; they are just running a regular iptables script. The colocation side (Vancouver) is not currently running Shorewall, due to the aforementioned problems, but we would like it to be. However, as I mentioned, the VPN is definitely working. The Customer just doesn't want ipsec traffic to their side of the VPN to be masqueraded.

I suppose since Shorewall currently isn't running, I could in the meantime just run that one iptables rule, and it should work, but I was hoping to get it converted to Shorewall format.

HTH?

Alan Murrell <silkbc@yahoo.com>