Not currently on the list. Please CC: me on replies.

I spent some time online and reading the manual etc. If there is a document that deals with this already, feel free to tell me to read the docs.

I have a RedHat box that is acting as a dialup box. (A single NIC card) I provide dialup access to the e-mail server when I have users on the road. They dial into the box which acts as a PPP server. The box assigns an IP address to the dialup user and routes their traffic to the e-mail server. This box is protected by ShoreWall and also controls what the dialup user has access to on the internet etc. (This is the only machine in the equation running ShoreWall)

This box is sitting in a SonicWall DMZ.
I have a laptop running the SonicWall VPN Global Client software.

I am able to connect through a local ISP from the laptop and establish a VPN connection with the SonicWall and can log into the LAN successfully over the VPN, so I am assuming the SonicWall and the laptop are configured correctly. (This picture totally bypasses the RedHat ShoreWall box)

When I dial the RedHat box mentioned above however, I am able to "establish" the VPN connection from the laptop to the SonicWall by configuring ShoreWall on the DialupBox to allow UDP traffic from the dialup user to the net:SonicWall IP.

The problem is however, that even though the LapTop shows an established VPN connection, I am unable to communicate with the machines on the LAN when dialing into the RedHat box running Shorewall.

The logs on the machine running Shorewall fill up with notices about blocking PROT=ESP

> Jul 22 16:12:09 DialupSrv kernel: Shorewall:dial2all:DROP:IN=ppp0 OUT=ETH0
> SRC=x.x.x.x DST=x.x.x.x LEN=384 TOS=0x00 PREC=0x00 TTL=127
> ID=3 PROTO=ESP SPI=0x66c78e16

From what I can tell from my reading online this is related to IPSEC VPNs. From what I found online I need to create an entry in the /etc/shorewall/tunnel file and create a zone called VPN etc, but I got confused since the examples seemed to have more than one NIC and were acting as the VPN gateway. I am just looking to create a rule to allow the traffic between the dialup user and the VPN gateway through the dialup server running a shorewall firewall.

My Interfaces file

net     eth0    detect    routefilter
dial    ppp+

No Hosts file

Any help pointing me in the right direction would be great.

Thanks,
Nathan
Nathan Gehman wrote:

> Not currently on the list. Please CC: me on replies.
>
> I spent some time online and reading the manual etc. If there is a document
> that deals with this already, feel free to tell me to read the docs...
>
> I have a RedHat box that is acting as a dialup box. (A single NIC card) I provide
> dialup access to the e-mail server when I have users on the road. They dial
> into the box which acts as a PPP server. The box assigns an IP address to
> the dialup user and routes their traffic to the e-mail server. This box
> is protected by ShoreWall and also controls what the dialup user has access
> to on the internet etc. (This is the only machine in the equation running
> ShoreWall)
>
> This box is sitting in a SonicWall DMZ.
> I have a laptop running the SonicWall VPN Global Client software.
>
> I am able to connect through a local ISP from the laptop and establish a VPN
> connection with the SonicWall and can log into the LAN successfully over the
> VPN, so I am assuming the SonicWall and the laptop are configured correctly.
> (This picture totally bypasses the RedHat ShoreWall box)
>
> When I dial the RedHat box mentioned above however, I am able to "establish"
> the VPN connection from the laptop to the SonicWall by configuring ShoreWall
> on the DialupBox to allow UDP traffic from the dialup user to the
> net:SonicWall IP.
>
> The problem is however, that even though the LapTop shows an established VPN
> connection, I am unable to communicate with the machines on the LAN when
> dialing into the RedHat box running Shorewall.
>
> The logs on the machine running Shorewall fill up with notices about blocking PROT=ESP
>
>> Jul 22 16:12:09 DialupSrv kernel: Shorewall:dial2all:DROP:IN=ppp0 OUT=ETH0
>> SRC=x.x.x.x DST=x.x.x.x LEN=384 TOS=0x00 PREC=0x00 TTL=127
>> ID=3 PROTO=ESP SPI=0x66c78e16
>
> From what I can tell from my reading online this is related to IPSEC VPNs.
> From what I found online I need to create an entry in the
> /etc/shorewall/tunnel file and create a zone called VPN

No -- the /etc/shorewall/tunnels file is *only* used for tunnels that terminate on the firewall. Your tunnel terminates on the Sonicwall.

> etc, but I got confused since the examples seemed to have more than one NIC
> and were acting as the VPN gateway. I am just looking to create a rule to
> allow the traffic between the dialup user and the VPN gateway through the
> dialup server running a shorewall firewall.
>
> My Interfaces file
>
> net     eth0    detect    routefilter
> dial    ppp+
>

You need to allow IPSEC traffic between the dial zone and the VPN server:

ACCEPT    dial                    net:<vpn server ip>    udp    500
ACCEPT    dial                    net:<vpn server ip>    50
ACCEPT    dial                    net:<vpn server ip>    51
ACCEPT    net:<vpn server ip>     dial                   udp    500
ACCEPT    net:<vpn server ip>     dial                   50
ACCEPT    net:<vpn server ip>     dial                   51

-Tom
--
Tom Eastep       \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
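As an added example (not part of the thread, and not Shorewall's own tooling), the script below does by hand what Tom did by eye: it reads Shorewall DROP entries of the kind Nathan posted, keeps only the IPsec components (ESP, AH and IKE on udp 500, the same three Tom's rules cover), maps the IN/OUT interfaces to zones using the interfaces file from the thread, and prints the ACCEPT rules that would have let those packets through. The sample log, its addresses and SPIs are constructed; the zone table assumes eth0 is "net" and ppp+ is "dial" exactly as in Nathan's interfaces file.

```python
import re
# Zone table taken from the interfaces file in the thread: eth0 is "net", ppp+ is "dial".
ZONES = {"eth0": "net", "ppp+": "dial"}
# ESP and AH written as IANA protocol numbers, the way Tom's rules write them.
IPSEC = {"ESP": "50", "AH": "51"}
# Constructed sample log modelled on the line in the thread; addresses and SPIs are placeholders.
SAMPLE_LOG = """\
Jul 22 16:12:09 DialupSrv kernel: Shorewall:dial2all:DROP:IN=ppp0 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.1 LEN=384 TOS=0x00 PREC=0x00 TTL=127 ID=3 PROTO=ESP SPI=0x0000aaaa
Jul 22 16:12:10 DialupSrv kernel: Shorewall:all2dial:DROP:IN=eth0 OUT=ppp0 SRC=198.51.100.1 DST=192.0.2.10 LEN=384 TOS=0x00 PREC=0x00 TTL=63 ID=4 PROTO=ESP SPI=0x0000bbbb
Jul 22 16:12:11 DialupSrv kernel: Shorewall:dial2all:DROP:IN=ppp0 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.1 LEN=180 TOS=0x00 PREC=0x00 TTL=127 ID=5 PROTO=UDP SPT=500 DPT=500 LEN=160
Jul 22 16:12:12 DialupSrv kernel: Shorewall:dial2all:DROP:IN=ppp0 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=6 PROTO=TCP SPT=1234 DPT=80
"""
# One Shorewall log entry: "Shorewall:<chain>:<disposition>:<netfilter key=value fields>"
LINE_RE = re.compile(r"Shorewall:(?P<chain>\S+?):(?P<disp>[A-Z]+):(?P<fields>.*)")

def zone_of(iface):
    """Map an interface name to its zone, honouring Shorewall's trailing-'+' wildcard."""
    for pattern, zone in ZONES.items():
        if iface == pattern or (pattern.endswith("+") and iface.startswith(pattern[:-1])):
            return zone
    return None

def ipsec_rule(fields):
    """Translate one dropped packet into the rule that would have accepted it; None if not IPsec."""
    proto = fields.get("PROTO")
    if proto in IPSEC:
        spec = IPSEC[proto]
    elif proto == "UDP" and fields.get("DPT") == "500":  # IKE
        spec = "udp 500"
    else:
        return None  # not IPsec: that drop is a different question
    src_zone, dst_zone = zone_of(fields.get("IN", "")), zone_of(fields.get("OUT", ""))
    if not src_zone or not dst_zone:
        return None
    # Pin the net end of the rule to the VPN server's address, as Tom's rules do.
    src = f"net:{fields['SRC']}" if src_zone == "net" else src_zone
    dst = f"net:{fields['DST']}" if dst_zone == "net" else dst_zone
    return f"ACCEPT {src} {dst} {spec}"

def suggest_rules(log_text):
    """Distinct rules needed to stop the IPsec drops in log_text, in first-seen order."""
    rules = []
    for m in LINE_RE.finditer(log_text):  # '.' stops at the newline, so one match per entry
        if m.group("disp") != "DROP":
            continue
        rule = ipsec_rule(dict(re.findall(r"(\w+)=(\S+)", m.group("fields"))))
        if rule and rule not in rules:
            rules.append(rule)
    return rules
```

Running `suggest_rules(SAMPLE_LOG)` yields the dial-to-net and net-to-dial ESP rules plus the udp 500 rule, while the unrelated TCP drop is left alone; feed it the real /var/log/messages and compare the result against the rules file before deciding anything is still missing.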