Hi,

I have set up a site-to-site IPSEC tunnel using Freeswan and Shorewall. I have 3 sites: one central site called site-A, and 2 remote sites called site-B and site-C.

Now site-A can communicate with site-B and site-C respectively.

I want to enable site-B to talk to site-C using a tunnel hub configuration.

I have enabled the Shorewall policy on the site-A server so that site-B can talk to site-C, but it doesn't work.

I would like to know whether I need to enable some kind of IPSEC tunnel routing on Site-A so that the Site-A server knows how to route the traffic... or do I need to do something on Site-B and Site-C?

Pls help.....

###################################################
# This message has been scanned for viruses and   #
# dangerous content by Pensteel Digital Solutions #
# Open Source Security Server, and is             #
# believed to be clean.                           #
# Pls download www.pds-malaysia.com/doc/Linux.zip #
# for Linux Open Source Solutions                 #
###################################################

Hi there,

Maybe you need to enable IP forwarding.. Or, depending on your setup, you might need to set up some static routes on Site-B and Site-C...

J

-----Original Message-----
From: shorewall-users-bounces@lists.shorewall.net [mailto:shorewall-users-bounces@lists.shorewall.net] On Behalf Of layahsee
Sent: Monday, August 02, 2004 10:56 AM
To: Mailing List for Shorewall Users
Subject: [Shorewall-users] IPSEC Tunnel Hub

_______________________________________________
Shorewall-users mailing list
Post: Shorewall-users@lists.shorewall.net
Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
Support: http://www.shorewall.net/support.htm
FAQ: http://www.shorewall.net/FAQ.htm

My site-B and Site-C are totally standalone, with a single VPN server as gateway..., so I don't think I need a static route...

Regarding the IP forwarding, you mean enable it in my ipsec.conf or in my IP network configuration?

Jorn Eriksen wrote:
>Hi there,
>
>Maybe you need to enable IP forwarding.. Or, depending on your setup, you might
>need to set up some static routes on Site-B and Site-C...
>
>J

Tested,,, but it doesn't work.....

Jorn Eriksen wrote:
>Hi there,
>
>Maybe you need to enable IP forwarding.. Or, depending on your setup, you might
>need to set up some static routes on Site-B and Site-C...
>
>J

layahsee wrote:
> Hi,
>
> I have set up a site-to-site IPSEC tunnel using Freeswan and Shorewall. I
> have 3 sites: one central site called site-A,
> and 2 remote sites called site-B and site-C.
>
> Now site-A can communicate with site-B and site-C respectively.
>
> I want to enable site-B to talk to site-C using a tunnel hub configuration.
>
> I have enabled the Shorewall policy on the site-A server so that site-B can
> talk to site-C, but it doesn't work.
>
> I would like to know whether I need to enable some kind of IPSEC tunnel
> routing on Site-A so
> that the Site-A server knows how to route the traffic... or do I need to do
> something on
> Site-B and Site-C?
>

There are three aspects to what you want to do:

a) Shorewall configuration -- that's covered at http://shorewall.net/IPSEC.htm in the section entitled VPN HUB.

b) Routing -- routing to the other subnets needs to go through a tunnel to the hub.

c) IPSEC -- there need to be IPSEC security policies that allow encrypted traffic between the networks. With FreeS/WAN, if you set this up then you usually get b) for free.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
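
Point c) of the reply above, as an added check that is not code from the thread, FreeS/WAN or Shorewall: each FreeS/WAN conn covers one leftsubnet/rightsubnet pair, so a spoke needs its own conn pairing its LAN with the other spoke's LAN, with the hub as the peer. The subnets, gateway addresses and conn names below are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample: site-B's ipsec.conf with only the tunnel to the hub LAN.
# All addresses and conn names are assumptions made up for this example.
SITE_B_CONF = """\
conn %default
    keyingtries=0

conn b-to-a
    left=%defaultroute
    leftsubnet=10.0.2.0/24
    right=192.0.2.1          # site-A (hub) public address
    rightsubnet=10.0.1.0/24
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn except %default."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # section header starts in column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn" and parts[1] != "%default"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def missing_for_spoke(conf_text, local_net, hub_gw, remote_nets):
    """Remote subnets that no conn pairs with local_net via the hub gateway."""
    covered = set()
    for conn in parse_conns(conf_text).values():
        try:
            nets = frozenset(ipaddress.ip_network(conn[k])
                             for k in ("leftsubnet", "rightsubnet"))
        except (KeyError, ValueError):
            continue                         # no subnet pair: not a net-to-net conn
        if hub_gw in (conn.get("left"), conn.get("right")):
            covered.add(nets)
    local = ipaddress.ip_network(local_net)
    return [r for r in remote_nets
            if frozenset({local, ipaddress.ip_network(r)}) not in covered]
```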