aslay@pds-malaysia.com wrote:
> Hi,
>
> I am trying to build a site-to-site VPN using FreeS/WAN and Shorewall.
> Site A subnet is 10.10.0.0/16 and Site B subnet is 10.11.0.0/16;
> both sites are connected to the internet.
>
> I successfully get the tunnel up and running and both sites
> are able to communicate only if I disable the Shorewall masquerade.
>
> But this causes a problem as both sites cannot access the internet...
>
> So my problem is both IPSEC and MASQ cannot coexist...
>
> Btw, I am using a single public IP for both servers.
>
> Pls enlighten me....

Please enlighten us.

http://shorewall.net/support.htm describes the information that we need to help you. You haven't provided *any* of that information.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Hi,

I am trying to build a site-to-site VPN using FreeS/WAN and Shorewall.
Site A subnet is 10.10.0.0/16 and Site B subnet is 10.11.0.0/16;
both sites are connected to the internet.

I successfully get the tunnel up and running and both sites
are able to communicate only if I disable the Shorewall masquerade.

But this causes a problem as both sites cannot access the internet...

So my problem is both IPSEC and MASQ cannot coexist...

Btw, I am using a single public IP for both servers.

Pls enlighten me....

Warmest Regards
Aslay
Sorry for not being detailed; below are the network diagrams, shorewall version, ip addr show and ip route show. Pls let me know if the information is not sufficient......

My problems:
I am using Webmin to configure my Shorewall.

If I do not create any MASQ:
- tunnel up and running, 10.30.1.2 can ping 10.10.33.33
- both subnets cannot access the internet

If I create MASQ:
- tunnel up and running but 10.30.1.2 cannot ping 10.10.33.33
- both subnets cannot access the internet

A)
[root@vpngate1 root]# shorewall version
2.1.1
[root@vpngate1 root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:50:bf:7c:99:ff brd ff:ff:ff:ff:ff:ff
    inet 10.30.1.1/16 brd 10.30.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:02:e3:30:bb:ab brd ff:ff:ff:ff:ff:ff
    inet 218.111.249.37/29 brd 218.111.249.39 scope global eth1
4: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:02:e3:30:bb:ab brd ff:ff:ff:ff:ff:ff
    inet 218.111.249.37/29 brd 218.111.249.39 scope global ipsec0
5: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
6: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
7: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
[root@vpngate1 root]# ip route show
218.111.249.32/29 dev eth1 scope link
218.111.249.32/29 dev ipsec0 proto kernel scope link src 218.111.249.37
10.10.0.0/16 via 218.111.249.33 dev ipsec0
169.254.0.0/16 dev eth1 scope link
10.30.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 218.111.249.33 dev ipsec0
128.0.0.0/1 via 218.111.249.33 dev ipsec0
default via 218.111.249.33 dev eth1
[root@vpngate1 root]#

..................................................................................

B)
[root@vpngate2 root]# shorewall version
2.1.1
[root@vpngate2 root]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:10:dc:d1:59:ba brd ff:ff:ff:ff:ff:ff
    inet 10.10.55.99/16 brd 10.10.255.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:00:1c:d6:4d:0f brd ff:ff:ff:ff:ff:ff
    inet 218.111.249.36/29 brd 218.111.249.39 scope global eth1
4: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:00:1c:d6:4d:0f brd ff:ff:ff:ff:ff:ff
    inet 218.111.249.36/29 brd 218.111.249.39 scope global ipsec0
5: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
6: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
7: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
    link/void
[root@vpngate2 root]# ip route show
218.111.249.32/29 dev eth1 scope link
218.111.249.32/29 dev ipsec0 proto kernel scope link src 218.111.249.36
10.10.0.0/16 dev eth0 scope link
169.254.0.0/16 dev eth1 scope link
10.30.0.0/16 via 218.111.249.33 dev ipsec0
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 218.111.249.33 dev ipsec0
128.0.0.0/1 via 218.111.249.33 dev ipsec0
default via 218.111.249.33 dev eth1
[root@vpngate2 root]#

Tom Eastep wrote:
> aslay@pds-malaysia.com wrote:
>
>> Hi,
>>
>> I am trying to build a site-to-site VPN using FreeS/WAN and Shorewall.
>> Site A subnet is 10.10.0.0/16 and Site B subnet is 10.11.0.0/16;
>> both sites are connected to the internet.
>>
>> I successfully get the tunnel up and running and both sites
>> are able to communicate only if I disable the Shorewall masquerade.
>>
>> But this causes a problem as both sites cannot access the internet...
>>
>> So my problem is both IPSEC and MASQ cannot coexist...
>>
>> Btw, I am using a single public IP for both servers.
>>
>> Pls enlighten me....
>
> Please enlighten us.
>
> http://shorewall.net/support.htm describes the information that we
> need to help you. You haven't provided *any* of that information.
>
> -Tom
layahsee wrote:
> Sorry for not being detailed; below are the network diagrams

As you discovered, sending HTML/graphics via the list doesn't work well (as clearly stated at http://shorewall.net/support.htm).

> My problems:
> I am using Webmin to configure my Shorewall.

There aren't many people in the world who would try running Webmin with a development version of Shorewall.

> If I do not create any MASQ:
> - tunnel up and running, 10.30.1.2 can ping 10.10.33.33
> - both subnets cannot access the internet
>
> If I create MASQ:
> - tunnel up and running but 10.30.1.2 cannot ping 10.10.33.33
> - both subnets cannot access the internet

I guess we are just supposed to guess what "create MASQ" means....

> A)
> [root@vpngate1 root]# shorewall version
> 2.1.1

Why are you running a development version of Shorewall??? Especially with Webmin.... You can't possibly take advantage of the new Shorewall features and you get all of the instability problems of development code.

> [root@vpngate1 root]# ip addr show
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:50:bf:7c:99:ff brd ff:ff:ff:ff:ff:ff
>     inet 10.30.1.1/16 brd 10.30.255.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>     link/ether 00:02:e3:30:bb:ab brd ff:ff:ff:ff:ff:ff
>     inet 218.111.249.37/29 brd 218.111.249.39 scope global eth1
> 4: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
>     link/ether 00:02:e3:30:bb:ab brd ff:ff:ff:ff:ff:ff
>     inet 218.111.249.37/29 brd 218.111.249.39 scope global ipsec0
> 5: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
>     link/void
> 6: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
>     link/void
> 7: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
>     link/void
> [root@vpngate1 root]# ip route show
> 218.111.249.32/29 dev eth1 scope link
> 218.111.249.32/29 dev ipsec0 proto kernel scope link src 218.111.249.37
> 10.10.0.0/16 via 218.111.249.33 dev ipsec0
> 169.254.0.0/16 dev eth1 scope link
> 10.30.0.0/16 dev eth0 scope link
> 127.0.0.0/8 dev lo scope link
> 0.0.0.0/1 via 218.111.249.33 dev ipsec0
> 128.0.0.0/1 via 218.111.249.33 dev ipsec0

I don't know where the above absurd route is coming from but it says that all traffic to IP addresses whose first byte's value is 128 or greater is to be routed through ipsec0. Get rid of it and you'll be happier.

> default via 218.111.249.33 dev eth1
> [root@vpngate1 root]#

That's about all I can do without some clue as to your Shorewall configuration (hint -- the output of "shorewall status" as a text attachment is always welcome).

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
Tom Eastep wrote:
> layahsee wrote:
>
>> Sorry for not being detailed; below are the network diagrams
>
> As you discovered, sending HTML/graphics via the list doesn't work well
> (as clearly stated at http://shorewall.net/support.htm).
>
>> My problems:
>> I am using Webmin to configure my Shorewall.
>
> There aren't many people in the world who would try running Webmin with
> a development version of Shorewall.
>
>> If I do not create any MASQ:
>> - tunnel up and running, 10.30.1.2 can ping 10.10.33.33
>> - both subnets cannot access the internet
>>
>> If I create MASQ:
>> - tunnel up and running but 10.30.1.2 cannot ping 10.10.33.33
>> - both subnets cannot access the internet
>
> I guess we are just supposed to guess what "create MASQ" means....
>
>> A)
>> [root@vpngate1 root]# shorewall version
>> 2.1.1
>
> Why are you running a development version of Shorewall??? Especially
> with Webmin.... You can't possibly take advantage of the new Shorewall
> features and you get all of the instability problems of development code.
>
>> [root@vpngate1 root]# ip addr show
>> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
>>     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
>>     inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
>> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:50:bf:7c:99:ff brd ff:ff:ff:ff:ff:ff
>>     inet 10.30.1.1/16 brd 10.30.255.255 scope global eth0
>> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
>>     link/ether 00:02:e3:30:bb:ab brd ff:ff:ff:ff:ff:ff
>>     inet 218.111.249.37/29 brd 218.111.249.39 scope global eth1
>> 4: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
>>     link/ether 00:02:e3:30:bb:ab brd ff:ff:ff:ff:ff:ff
>>     inet 218.111.249.37/29 brd 218.111.249.39 scope global ipsec0
>> 5: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
>>     link/void
>> 6: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
>>     link/void
>> 7: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
>>     link/void
>> [root@vpngate1 root]# ip route show
>> 218.111.249.32/29 dev eth1 scope link
>> 218.111.249.32/29 dev ipsec0 proto kernel scope link src 218.111.249.37
>> 10.10.0.0/16 via 218.111.249.33 dev ipsec0
>> 169.254.0.0/16 dev eth1 scope link
>> 10.30.0.0/16 dev eth0 scope link
>> 127.0.0.0/8 dev lo scope link
>> 0.0.0.0/1 via 218.111.249.33 dev ipsec0
>> 128.0.0.0/1 via 218.111.249.33 dev ipsec0
>
> I don't know where the above absurd route is coming from but it says
> that all traffic to IP addresses whose first byte's value is 128 or
> greater is to be routed through ipsec0. Get rid of it and you'll be
> happier.

Make that 'routes'; the one before it catches all traffic to IP addresses whose first byte is less than 128.

Have you followed the instructions at http://shorewall.net/IPSEC.htm regarding the configuration of FreeS/WAN -- looks like you still have opportunistic encryption enabled.

-Tom
--
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
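The route-table point Tom makes in the two replies above (the 0.0.0.0/1 and 128.0.0.0/1 routes together shadow the default route, so every internet destination leaves via ipsec0) worked through as an added example that is not part of the thread: a POSIX sh/awk longest-prefix lookup run over the vpngate1 route table layahsee posted, with and without the two /1 routes. The destinations 192.0.2.7 and 100.64.0.1 are constructed test addresses, not hosts from the thread.

```shell
#!/bin/sh
# Longest-prefix-match lookup over "ip route show" output, to see which
# device a destination would leave on. The table below is the vpngate1
# route table as posted in the thread, embedded so the script runs offline.
ROUTES_VPNGATE1='218.111.249.32/29 dev eth1 scope link
218.111.249.32/29 dev ipsec0 proto kernel scope link src 218.111.249.37
10.10.0.0/16 via 218.111.249.33 dev ipsec0
169.254.0.0/16 dev eth1 scope link
10.30.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
0.0.0.0/1 via 218.111.249.33 dev ipsec0
128.0.0.0/1 via 218.111.249.33 dev ipsec0
default via 218.111.249.33 dev eth1'

# route_dev ROUTES DEST: print the exit device of the most specific route
# matching DEST (the kernel's longest-prefix rule; "default" counts as /0).
route_dev() {
    printf '%s\n' "$1" | awk -v dest="$2" '
        function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256+o[2])*256+o[3])*256+o[4] }
        # Network part of ip for a prefix of length len (2^32 fits a double exactly).
        function prefix(ip, len) { return int(ip / (2 ^ (32 - len))) }
        BEGIN { d = ip2int(dest); best = -1 }
        {
            dev = ""
            if ($1 == "default") { net = 0; len = 0 }
            else { split($1, p, "/"); net = ip2int(p[1]); len = (p[2] == "" ? 32 : p[2] + 0) }
            if (prefix(d, len) != prefix(net, len)) next
            for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
            if (len > best) { best = len; bestdev = dev }   # first match wins on ties
        }
        END { print bestdev }'
}

# drop_catchall_routes ROUTES: the same table without the two /1 routes Tom
# told the poster to remove (together they cover all of IPv4).
drop_catchall_routes() {
    printf '%s\n' "$1" | grep -v -e '^0\.0\.0\.0/1 ' -e '^128\.0\.0\.0/1 '
}

# Where an internet host (constructed test address) and the remote LAN go,
# before and after the /1 routes are removed.
for dest in 192.0.2.7 10.10.33.33; do
    with=$(route_dev "$ROUTES_VPNGATE1" "$dest")
    without=$(route_dev "$(drop_catchall_routes "$ROUTES_VPNGATE1")" "$dest")
    echo "$dest: with /1 routes -> $with, without -> $without"
done
```

With the /1 routes present both destinations print ipsec0; once they are dropped, 192.0.2.7 falls through to the default route on eth1 while 10.10.33.33 still takes the tunnel via the explicit 10.10.0.0/16 route.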