Have just migrated my RedHat 8.0 box to a RHEL rebuild and it works :)

The only thing is that even though RedHat EL is using 2.4 kernels they have backported the ipsec stuff from kernel 2.6, therefore all kernel 2.6 stuff applies to RHEL too (could be useful for the FAQ too). The rebuild I am using is TaoLinux.org for those interested :)

Now I am trying to migrate the VPN connection too. I could not get freeswan to compile on RHEL, and from the openswan project I learned that the only requirement when running RHEL is to install the userland utilities; the rest is there already.

I found and read the article about IPSEC and kernel 2.6:
http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html
but still have some questions.

My setup is

Local private network : eth0 10.1.0.0/16
Public interface      : eth1
Remote VPN net        : 10.50.0.0/16

I used to masq all traffic from the local net to the internet with a line in /etc/shorewall/masq

eth1 eth0

According to the post a line must be put in place to prevent masqing of the vpn tunnel traffic. Should I replace my current masq line completely with this:

eth1:!10.50.0.0/16 10.1.0.0/16

or is this an additional rule to be added before/after the original line?

Furthermore the article states that this configuration is for a single tunnel. Does this mean that multiple tunnel setups are not possible?

Thanks for any input!
Remco Barendse wrote:
>
> I used to masq all traffic from the local net to the internet with a line
> in /etc/shorewall/masq
> eth1 eth0
>
> According to the post a line must be put in place to prevent masqing of
> the vpn tunnel traffic. Should I replace my current masq line completely
> with this:
> eth1:!10.50.0.0/16 10.1.0.0/16
> or is this an additional rule to be added before/after the original line?

It should replace the original line.

>
> Furthermore the article states that this configuration is for a single
> tunnel. Does this mean that multiple tunnel setups are not possible?
>

It *might* be possible using Shorewall 1.4.10 and later.

As far as I'm concerned, IPSEC + Netfilter is broken in the current 2.6 kernels and I'm not touching it until the patches to fix it are available from kernel.org.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
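The reason the VPN traffic has to be taken out of the masq line is that a LAN packet whose source has been rewritten to eth1's public address no longer matches an IPsec policy written for 10.1.0.0/16 -> 10.50.0.0/16. The model below is an added example, not code from this thread or from Shorewall: it parses one /etc/shorewall/masq entry (INTERFACE[:!EXCLUDE] SOURCE) and decides which packets that entry would masquerade, so the old `eth1 eth0` line and the replacement `eth1:!10.50.0.0/16 10.1.0.0/16` can be compared on constructed LAN-to-Internet and LAN-to-VPN packets without touching the firewall. Addresses and interface names are the ones from the question; accepting a comma-separated exclusion list (for more than one remote net) is an assumption of this model, not something the thread confirms Shorewall 1.4 supports.

```python
"""Model of how one /etc/shorewall/masq entry selects packets to masquerade.
Added example for the discussion above; not Shorewall's own code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MasqEntry:
    iface: str                        # INTERFACE column: the outgoing interface (eth1 here)
    source: str                       # SOURCE column: an interface name (eth0) or a subnet
    excludes: List[ipaddress.IPv4Network] = field(default_factory=list)  # ':!net' exclusions


def _network(text: str) -> Optional[ipaddress.IPv4Network]:
    """Return the subnet `text` names, or None when it is an interface name."""
    try:
        return ipaddress.ip_network(text, strict=False)
    except ValueError:
        return None


def parse_masq_line(line: str) -> MasqEntry:
    """Parse 'INTERFACE[:!NET[,NET...]] SOURCE' from /etc/shorewall/masq.

    Only the first two columns are modelled.  The comma-separated exclusion
    list is an assumption of this model; check the masq file documentation
    of the Shorewall version in use before relying on it.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError(f"need INTERFACE and SOURCE columns: {line!r}")
    iface_col, source = fields[0], fields[1]
    iface, _, qualifier = iface_col.partition(":")
    excludes: List[ipaddress.IPv4Network] = []
    if qualifier:
        if not qualifier.startswith("!"):
            raise ValueError("only the exclusion qualifier (iface:!net) is modelled")
        excludes = [ipaddress.ip_network(n, strict=False) for n in qualifier[1:].split(",")]
    return MasqEntry(iface, source, excludes)


def masquerades(entry: MasqEntry, in_iface: str, out_iface: str, src: str, dst: str) -> bool:
    """True if a packet that arrived on in_iface, leaves on out_iface and goes
    src -> dst would have its source rewritten by this entry."""
    if out_iface != entry.iface:
        return False
    src_net = _network(entry.source)
    if src_net is not None:                      # SOURCE given as a subnet
        if ipaddress.ip_address(src) not in src_net:
            return False
    elif in_iface != entry.source:               # SOURCE given as an interface
        return False
    return not any(ipaddress.ip_address(dst) in net for net in entry.excludes)


def leaked_tunnel_nets(line: str, lan_host: str, remote_nets: List[str]) -> List[str]:
    """Remote VPN subnets whose traffic `line` would still masquerade, i.e. packets
    that would leave with a source outside the LAN-to-remote IPsec policy.
    One host per remote subnet is probed, constructed from the subnet itself."""
    entry = parse_masq_line(line)
    leaked = []
    for net in remote_nets:
        probe = str(next(ipaddress.ip_network(net, strict=False).hosts()))
        if masquerades(entry, "eth0", "eth1", lan_host, probe):
            leaked.append(net)
    return leaked


if __name__ == "__main__":
    OLD = "eth1 eth0"                             # the original masq line
    NEW = "eth1:!10.50.0.0/16 10.1.0.0/16"        # the replacement from the post
    # Constructed packets from a LAN host: one Internet-bound, one bound for the VPN net.
    for desc, dst in (("internet", "203.0.113.10"), ("vpn", "10.50.4.5")):
        for name, line in (("old", OLD), ("new", NEW)):
            hit = masquerades(parse_masq_line(line), "eth0", "eth1", "10.1.2.3", dst)
            print(f"{name} line, {desc:8} dst {dst:13}: masquerade={hit}")
    # A second tunnel that the NEW line does not exclude would still be masqueraded.
    print("still masqueraded:", leaked_tunnel_nets(NEW, "10.1.2.3", ["10.50.0.0/16", "10.60.0.0/16"]))
```

Run stand-alone it prints that the old line masquerades both packets while the new line masquerades only the Internet-bound one, and that a second remote net (10.60.0.0/16) would still be masqueraded unless it is excluded as well. `leaked_tunnel_nets` is the check to run against a masq line before bringing up an additional tunnel.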
>>
>
> It *might* be possible using Shorewall 1.4.10 and later.
>
> As far as I'm concerned, IPSEC + Netfilter is broken in the current 2.6
> kernels and I'm not touching it until the patches to fix it are
> available from kernel.org.
>

Is there anywhere a discussion going on concerning ipsec as it is realised in 2.6?

Is anyone working to reimplement an interface for ipsec like it was in the 2.4 series?

--
__________________________________________________
Ralf Schenk
fon (02 41) 9 91 21-0
fax (02 41) 9 91 21-59
rs@databay.de
Databay AG
Hüttenstraße 7
D-52068 Aachen
www.databay.de
Databay - einfach machen.
_________________________________________________
Ralf Schenk wrote:
>>>
>>
>> It *might* be possible using Shorewall 1.4.10 and later.
>>
>> As far as I'm concerned, IPSEC + Netfilter is broken in the current
>> 2.6 kernels and I'm not touching it until the patches to fix it are
>> available from kernel.org.
>>
>
> Is there anywhere a discussion going on concerning ipsec as it is
> realised in 2.6?
>

See both the netfilter users list and the netfilter development list.

> Is anyone working to reimplement an interface for ipsec like it was in
> the 2.4 series?
>

There will *never* be such an interface as near as I can tell.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
I have thoroughly read the PPTP.htm page, and I actually have a tunnel up and running, but I have a question that was not answered in what I could find.

The doc shows the rules necessary for a PPTP server running behind the firewall, but it doesn't show what is needed for running a PPTP server on the firewall.

What I have working was done with only one added rule:

ACCEPT net fw tcp pptp

but I am wondering if I also need:

ACCEPT net fw 47

Thanks, Tom, for a great package.

--Richard
----------
Richard Pyne
rpyne@shopsite.com
Software Engineer
ShopSite, Inc
http://www.ShopSite.com
Richard Pyne wrote:
> I have thoroughly read the PPTP.htm page, and I actually have a tunnel
> up and running, but I have a question that was not answered in what I
> could find.
>
> The doc shows the rules necessary for a PPTP server running behind the
> firewall, but it doesn't show what is needed for running a PPTP server
> on the firewall.
>

Er -- http://shorewall.net/PPTP.htm#ServerFW

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
Richard Pyne wrote:
> PPTP Server Running on your Firewall
> Configuring Shorewall
> Basic Setup
> Table 1. /etc/shorewall/tunnels
> Table 2. /etc/shorewall/interfaces
> Remote Users in a Separate Zone
> Table 3. /etc/shorewall/tunnels
> Table 4. /etc/shorewall/zones
> Table 5. /etc/shorewall/interfaces
> Your policies and rules may now be configured for traffic to/from the vpn zone.
> Multiple Remote Networks
> ...

If you add the correct entry in /etc/shorewall/tunnels, there is no need for additional rules.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
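The reply above refers to the PPTP.htm tables only by heading. As an added illustration, not taken from those tables or from Shorewall itself, this is the shape of the entries for a PPTP server on the firewall as I recall the Shorewall 1.4 tunnels, interfaces and zones files; the column layout and the `pptpserver` type name should be checked against the PPTP.htm page linked earlier before use. The point of the `pptpserver` tunnel type is that it opens TCP 1723 and GRE (IP protocol 47) from the named zone to the firewall itself, which is why neither `ACCEPT net fw tcp pptp` nor `ACCEPT net fw 47` is then needed in /etc/shorewall/rules.

```text
# /etc/shorewall/tunnels  (PPTP server on the firewall, clients anywhere in the net zone)
#TYPE          ZONE     GATEWAY        GATEWAY ZONE
pptpserver     net      0.0.0.0/0

# /etc/shorewall/interfaces  (basic setup: remote users stay in the net zone)
#ZONE      INTERFACE    BROADCAST    OPTIONS
net        ppp+

# Alternative: remote users in a zone of their own, so their policies and rules
# can differ from ordinary Internet traffic.
# /etc/shorewall/zones
#ZONE      DISPLAY      COMMENTS
vpn        VPN          Remote PPTP users

# /etc/shorewall/interfaces
#ZONE      INTERFACE    BROADCAST    OPTIONS
vpn        ppp+
```

With the separate zone, traffic to and from the dial-in users is then governed by vpn entries in /etc/shorewall/policy and /etc/shorewall/rules rather than by the net policies.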
Tom Eastep wrote:
| There will *never* be such an interface as near as I can tell.

That's not completely true. I think you are right about the 26sec IPsec interface, but FreeS/WAN 2.06 has klips (FreeS/WAN kernel IPsec) ported to the 2.6 kernel.

And as stated on the Openswan roadmap:
<http://www.openswan.org/development/roadmap.php>
there are plans to port those changes to Openswan 2.3.0 (whenever it's ready).

--
Tuomo Soini <tis@foobar.fi>
Linux and network services
+358 40 5240030
Foobar Oy <http://foobar.fi/>
Tuomo Soini wrote:
>
> Tom Eastep wrote:
> | There will *never* be such an interface as near as I can tell.
>
> That's not completely true. I think you are right about the 26sec IPsec
> interface, but FreeS/WAN 2.06 has klips (FreeS/WAN kernel IPsec) ported
> to the 2.6 kernel.
>
> And as stated on the Openswan roadmap:
> <http://www.openswan.org/development/roadmap.php>
> there are plans to port those changes to Openswan 2.3.0 (whenever it's
> ready).

Thanks for the information -- I stand corrected.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net