Hello,

Is it easily possible to use a HW VPN device behind a Shorewall firewall? What I want is to run Shorewall on a server with 2 or 3 NICs. Connect a hardware VPN device on the local NIC and from the internet forward the needed ports to the VPN device. On the Shorewall site I only find info on FreeS/WAN and not HW devices.

Anybody got experience with a situation like this?

Peter Lindeman
On Thu, 2004-04-29 at 10:16 +0200, Peter Lindeman wrote:

> Hello,
>
> Is it easily possible to use a HW VPN device behind a Shorewall firewall? What I want is to run Shorewall on a server with 2 or 3 NICs. Connect a hardware VPN device on the local NIC and from the internet forward the needed ports to the VPN device. On the Shorewall site I only find info on FreeS/WAN and not HW devices.
>
> Anybody got experience with a situation like this?
>
> Peter Lindeman

All that should be necessary would be to configure Shorewall to send the appropriate traffic to the HW VPN device. If you are using PPTP, you'll need GRE and 1723/tcp; if you are using IPsec, you'll need to send 500/udp and IP protocols 50 and 51. For best results, you will want the HW VPN device to actually have an external IP, not be behind NAT. PPTP would probably work behind NAT, but IPsec is not a big fan.

--
David T Hollis <dhollis@davehollis.com>
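The forwarding described in this reply, written out as entries for the Shorewall rules file. This is an added example, not from the thread or from the Shorewall project; it assumes the HW VPN device has the address 192.168.1.2 in the zone named `loc` and that the Internet-facing interface is in the zone named `net`. Only the group for the protocol actually in use is needed.

```text
# /etc/shorewall/rules  (added example; addresses and zone names are assumptions)
#ACTION   SOURCE   DEST              PROTO   DEST PORT(S)
#
# PPTP: the control channel on 1723/tcp plus GRE (IP protocol 47)
DNAT      net      loc:192.168.1.2   tcp     1723
DNAT      net      loc:192.168.1.2   47
#
# IPsec: IKE on 500/udp plus ESP (IP protocol 50) and AH (IP protocol 51)
DNAT      net      loc:192.168.1.2   udp     500
DNAT      net      loc:192.168.1.2   50
DNAT      net      loc:192.168.1.2   51
```

The AH rule (protocol 51) is listed for completeness: AH authenticates the outer IP header, so it cannot work once the firewall rewrites the address, which is the reason behind the remark that IPsec prefers a real external IP. ESP can survive NAT only when both peers support NAT-Traversal, which moves the traffic to 4500/udp and would need its own DNAT entry.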
David T Hollis wrote:

>> Is it easily possible to use a HW VPN device behind a Shorewall firewall? What I want is to run Shorewall on a server with 2 or 3 NICs. Connect a hardware VPN device on the local NIC and from the internet forward the needed ports to the VPN device. On the Shorewall site I only find info on FreeS/WAN and not HW devices.
>>
>> Anybody got experience with a situation like this?
>>
>> Peter Lindeman
>
> All that should be necessary would be to configure Shorewall to send the appropriate traffic to the HW VPN device. If you are using PPTP, you'll need GRE and 1723/tcp; if you are using IPsec, you'll need to send 500/udp and IP protocols 50 and 51. For best results, you will want the HW VPN device to actually have an external IP, not be behind NAT. PPTP would probably work behind NAT, but IPsec is not a big fan.

So, the best and easiest solution is:

hw VPN device -- Linux Shorewall -- Local LAN

Or is this a strange / not working option? The possibilities of port forwarding etc. are much more powerful in Shorewall than in an average VPN router; that is the main reason I want Shorewall in between.

Peter
On Thu, 29.04.2004 at 14:47 +0200, Peter Lindeman wrote:

> David T Hollis wrote:
>
>>> Is it easily possible to use a HW VPN device behind a Shorewall firewall? What I want is to run Shorewall on a server with 2 or 3 NICs. Connect a hardware VPN device on the local NIC and from the internet forward the needed ports to the VPN device. On the Shorewall site I only find info on FreeS/WAN and not HW devices.
>>>
>>> Anybody got experience with a situation like this?
>>>
>>> Peter Lindeman
>>
>> All that should be necessary would be to configure Shorewall to send the appropriate traffic to the HW VPN device. If you are using PPTP, you'll need GRE and 1723/tcp; if you are using IPsec, you'll need to send 500/udp and IP protocols 50 and 51. For best results, you will want the HW VPN device to actually have an external IP, not be behind NAT. PPTP would probably work behind NAT, but IPsec is not a big fan.
>
> So, the best and easiest solution is:
>
> hw VPN device -- Linux Shorewall -- Local LAN
>
> Or is this a strange / not working option? The possibilities of port forwarding etc. are much more powerful in Shorewall than in an average VPN router; that is the main reason I want Shorewall in between.
>
> Peter

If you are not depending on VPN solutions from Microsoft (PPTP, IPsec), I can recommend tinc (tinc-vpn.org), which runs perfectly ON the Shorewall machine as a tunnel endpoint for static VPNs as well as for roadwarriors using the Linux or Windows version of tinc. tinc passes NAT very easily as well, and I am about to write a Shorewall howto for using tinc as a VPN solution.

Andy

--
NDEE <ndee@anyweb.at>