Alessandro Polverini
2004-Jan-15 15:07 UTC
Re: [Fwd: Re: shorewall, freeswan and kernel crypto-api]
On Thu, 2004-01-15 at 15:51, Holger Brueckner wrote:
[...]
> > you do know that if you connect two lans via two vpn gateways that the
> > vpn gateways themselves can't connect to the other lans? you either need a
> > second point to point tunnel for that or use some iproute2 routing
> > tweaks. you can find more information in the freeswan documentation.

Yes, I know, and so I built freeswan connections/tunnels exactly for this
purpose.
Also, as I stated in the mail, everything works fine after a "shorewall
clear", so the problem must reside in the way shorewall is configured.

Thanks,
Alex

> > On Thu, 2004-01-15 at 15:39, Alessandro Polverini wrote:
> > > Hello,
> > > I've finally managed to set up a firewall with freeswan 2.04 using the
> > > kernel crypto api (backported from kernel 2.6).
> > >
> > > (Almost) everything seems to work fine if I disable shorewall, but
> > > packets are filtered when shorewall is active.
> > >
> > > I've already read a past thread on the subject and I followed all the
> > > hints and it actually partially works: my lan can access the remote
> > > lan and vice versa, but I'm unable to connect to the remote lan _from_ the
> > > firewall itself.
> > >
> > > So there I go, here are my settings on my ipsec firewall:
> > >
> > > public ip:    a.b.c.d/20
> > > internal lan: 10.123.123.0/24
> > > internal ip:  10.123.123.100
> > >
> > > remote ip:    x.y.z.k
> > > remote lan:   10.0.0.0/19
> > >
> > > zones:
> > > vpn   VPN     Freeswan VPN
> > > net   Net     Internet
> > > loc   Local   Local networks
> > >
> > > interfaces:
> > > loc   eth0    detect
> > > -     eth1    detect
> > >
> > > hosts:
> > > vpn   eth1:10.0.0.0/19
> > > net   eth1:0.0.0.0/0
> > >
> > > tunnels:
> > > ipsec   net   x.y.z.k   vpn
> > >
> > > policy:
> > > fw    all   ACCEPT
> > > vpn   all   ACCEPT
> > > loc   all   ACCEPT
> > > net   all   DROP     info
> > > all   all   REJECT   info
> > >
> > > masq:
> > > eth1:!10.0.0.0/19   10.123.123.0/24
> > >
> > > So, what happens is, without the firewall, everything works fine.
> > > But with shorewall on:
> > > - ping works from everywhere to everywhere correctly
> > > - my local lan can connect to the remote lan correctly
> > > - the firewall can ping the remote lan but is unable to ssh to a machine on
> > >   that lan
> > >
> > > I really need the help of some expert here :)
> > >
> > > May I provide some other useful information?
> > >
> > > Thanks for the help,
> > > Alex
> > > P.S.: I'm not subscribed to the list, please CC me if you reply, thanks
> > >
> > > _______________________________________________
> > > Shorewall-users mailing list
> > > Post: Shorewall-users@lists.shorewall.net
> > > Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> > > Support: http://www.shorewall.net/support.htm
> > > FAQ: http://www.shorewall.net/FAQ.htm
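To see which zone pair and policy row Shorewall applies to a given flow under the posted configuration, here is an added model of the zones, hosts, policy and masq tables (example code written for this archive page, not the poster's files or Shorewall's own code). It assumes that when an address on an interface matches more than one hosts entry, the zone listed first in the zones file wins, that 10.123.123.0/24 is reached via eth0 and everything else via eth1, and it uses the documentation address 192.0.2.10 as a placeholder for the elided public IP a.b.c.d.

```python
import ipaddress

# Tables transcribed from the posted configuration (constructed for this example).
ZONES = ["fw", "vpn", "net", "loc"]            # fw = the firewall itself
HOSTS = {                                      # zone -> (interface, network)
    "loc": ("eth0", "10.123.123.0/24"),        # from the interfaces file
    "vpn": ("eth1", "10.0.0.0/19"),            # from the hosts file
    "net": ("eth1", "0.0.0.0/0"),
}
POLICY = [("fw", "all", "ACCEPT"), ("vpn", "all", "ACCEPT"),
          ("loc", "all", "ACCEPT"), ("net", "all", "DROP"),
          ("all", "all", "REJECT")]
MASQ = ("eth1", "10.0.0.0/19", "10.123.123.0/24")   # iface, excluded dst, src
FW_ADDRS = {"10.123.123.100", "192.0.2.10"}   # 192.0.2.10 stands in for a.b.c.d


def iface_for(addr):
    """Interface facing an address (assumption: loc behind eth0, rest via eth1)."""
    ip = ipaddress.ip_address(addr)
    return "eth0" if ip in ipaddress.ip_network("10.123.123.0/24") else "eth1"


def zone_of(addr):
    """Zone of an address; first zone in file order whose hosts entry matches."""
    if addr in FW_ADDRS:
        return "fw"
    ip, iface = ipaddress.ip_address(addr), iface_for(addr)
    for zone in ZONES:
        entry = HOSTS.get(zone)
        if entry and entry[0] == iface and ip in ipaddress.ip_network(entry[1]):
            return zone
    return None


def policy_for(src, dst):
    """Action of the first policy row matching the (source zone, dest zone) pair."""
    sz, dz = zone_of(src), zone_of(dst)
    for s, d, action in POLICY:
        if s in (sz, "all") and d in (dz, "all"):
            return action
    return "REJECT"


def masqueraded(src, dst):
    """True if the masq rule applies: out eth1, src in 10.123.123.0/24,
    destination outside the excluded 10.0.0.0/19 (the tunnelled remote lan)."""
    iface, excluded, srcnet = MASQ
    return (iface_for(dst) == iface
            and ipaddress.ip_address(src) in ipaddress.ip_network(srcnet)
            and ipaddress.ip_address(dst) not in ipaddress.ip_network(excluded))
```

Running policy_for on the firewall's own address against a remote-lan host returns ACCEPT from the fw row, so a drop of that traffic is not explained by the policy table alone.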