Hi,

I successfully connected quite a few servers with their associated networks using Suse 9.1/9.2 (Kernel 2.6.x) and IPSEC tunnels. But now I have to add another server that has an ADSL connection to the internet, that means it has a dynamic IP address which is likely to change every few hours, since the provider disconnects from time to time.

I found a way to restart the IPSEC connection when the ADSL connection restarts.

But in shorewall, there are 2 entries that require fixed addresses: VPN tunnels/remote gateway and hosts, where you specify the remote gateway's IP address.

How can I handle this situation?

Paul
Paul Pridt wrote:
> Hi,
> I successfully connected quite a few servers with their associated
> networks using Suse 9.1/9.2 (Kernel 2.6.x) and IPSEC tunnels. But now I
> have to add another server that has an ADSL connection to the internet,
> that means it has a dynamic IP address which is likely to change every
> few hours, since the provider disconnects from time to time.
> I found a way to restart the IPSEC connection when the ADSL connection
> restarts.
> But in shorewall, there are 2 entries that require fixed addresses:
> VPN tunnels/remote gateway and hosts, where you specify the remote
> gateway's IP address.
> How can I handle this situation?

From your post, I can't tell whether it is the Shorewall box that has the dynamic IP or the remote system. You also don't mention which version of Shorewall you are running.

I'll assume that it is the remote system that has the dynamic IP and that you are running Shorewall 2.2.x.

In /etc/shorewall/tunnels, I would just use 0.0.0.0/0 as the gateway address. And for hosts, I would just have:

z <external if> ipsec

Be sure that z is defined in /etc/shorewall/zones AFTER any other ipsec zones that you have.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
> From your post, I can't tell whether it is the Shorewall box that has the
> dynamic IP or the remote system. You also don't mention which version of
> Shorewall you are running.

> I'll assume that it is the remote system that has the dynamic IP and
> that you are running Shorewall 2.2.x.

> In /etc/shorewall/tunnels, I would just use 0.0.0.0/0 as the gateway
> address. And for hosts, I would just have:

> z <external if> ipsec

> Be sure that z is defined in /etc/shorewall/zones AFTER any other ipsec
> zones that you have.

All participating machines are Linux boxes with shorewall 2.2.3, up to now only with fixed IP addresses. But now I want to add one with a dynamic IP. This one I call the remote gateway.

I agree to specify only 0.0.0.0/0 as gateway in tunnels, since the address of the remote gateway is not known yet.

But specifying only the external interface in hosts is an overlap with the definition of the internet zone, leading to the following error message:

  iptables v1.2.11: host/network `ppp0' not found

Additionally, by default policy, everything would be accepted from that interface, which I definitely do not want.

When I include the subnet specifications in hosts
(Ipsec ppp0:192.168.0.0/24 ipsec)
I can start shorewall and the Ipsec tunnel, and communication with at least the subnet 192.168.0.0/24 of the remote host can take place.
But in this case I can access the remote gateway via ipsec tunnel from local, but the remote gateway itself cannot communicate with any "foreign" machine via the ipsec tunnel, since it is not recognized as part of that.

Now, at the moment I can live with that, but is there another way, so that full communication in any direction is possible?

Paul
Paul Pridt wrote:
>> From your post, I can't tell whether it is the Shorewall box that has the
>> dynamic IP or the remote system. You also don't mention which version of
>> Shorewall you are running.
>
>> I'll assume that it is the remote system that has the dynamic IP and
>> that you are running Shorewall 2.2.x.
>
>> In /etc/shorewall/tunnels, I would just use 0.0.0.0/0 as the gateway
>> address. And for hosts, I would just have:
>
>> z <external if> ipsec
>
>> Be sure that z is defined in /etc/shorewall/zones AFTER any other ipsec
>> zones that you have.
>
> All participating machines are Linux boxes with shorewall 2.2.3, up to
> now only with fixed IP addresses. But now I want to add one with a dynamic IP.
> This one I call the remote gateway.
>
> I agree to specify only 0.0.0.0/0 as gateway in tunnels, since the
> address of the remote gateway is not known yet.
>
> But specifying only the external interface in hosts is an overlap with
> the definition of the internet zone, leading to the following error
> message:
>> iptables v1.2.11: host/network `ppp0' not found

Sorry: what I wanted was:

z <external if>:0.0.0.0/0 ipsec

The 'ipsec' part is important.

> Additionally, by default policy, everything would be accepted from that
> interface, which I definitely do not want.
>
> When I include the subnet specifications in hosts
> (Ipsec ppp0:192.168.0.0/24 ipsec)
> I can start shorewall and the Ipsec tunnel, and communication with at
> least the subnet 192.168.0.0/24 of the remote host can take place.
> But in this case I can access the remote gateway via ipsec tunnel from
> local, but the remote gateway itself cannot communicate with any
> "foreign" machine via the ipsec tunnel, since it is not recognized as
> part of that.
>
> Now, at the moment I can live with that, but is there another way, so
> that full communication in any direction is possible?

Yes. Change the definition of the ipsec zone to:

ipsec ppp0:0.0.0.0/0 ipsec

as I recommend above.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
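The configuration Tom describes, written out as an added example that is not part of the thread and not Shorewall's own documentation or code. It produces Shorewall 2.2-style fragments for zones, interfaces, hosts, tunnels and policy for a box that already has one fixed-address IPsec peer and is gaining a second peer with a dynamic address, and it adds a small check that enforces Tom's ordering rule: a hosts entry of the form `<if>:0.0.0.0/0 ipsec` matches every IPsec peer on that interface, so its zone has to be listed in /etc/shorewall/zones after every more specific ipsec zone, or it would capture that traffic first. The `ipsec` option is what keeps such an entry from overlapping the cleartext `net` zone: on a 2.6 kernel Shorewall selects those hosts by the kernel's IPsec policy (traffic that was decapsulated by an SA), which is why Tom says that part is important and why the bare `z ppp0` form failed. Everything named here is an assumption for illustration: external interface ppp0, LAN eth0, zone names vpn1 (fixed peer at 203.0.113.10 with 192.168.1.0/24 behind it) and vpndyn (the ADSL peer), and the policy table.

```shell
#!/bin/sh
# Added example, not from the thread or the Shorewall project.
# Writes Shorewall 2.2-style config fragments into a directory and checks
# that the catch-all ipsec zone is defined after every other ipsec zone.
# Assumed names: ppp0 (external), eth0 (LAN), zones net/loc/vpn1/vpndyn,
# fixed peer 203.0.113.10 with 192.168.1.0/24 behind it.

write_shorewall_ipsec_config() {
    dir="$1"
    mkdir -p "$dir"

    # zones (2.2 format: ZONE DISPLAY COMMENTS). Order matters: a host that
    # fits several zones lands in the first one listed, so the catch-all
    # ipsec zone vpndyn deliberately comes after vpn1.
    cat > "$dir/zones" <<'EOF'
#ZONE    DISPLAY    COMMENTS
net      Net        Internet (cleartext traffic on ppp0)
loc      Local      local LAN
vpn1     VPN1       IPsec peer with a fixed address (assumed)
vpndyn   VPNdyn     IPsec peer with a dynamic ADSL address; after vpn1 on purpose
EOF

    # interfaces: ZONE INTERFACE BROADCAST OPTIONS. ppp0 is point-to-point,
    # so no broadcast address to detect.
    cat > "$dir/interfaces" <<'EOF'
#ZONE    INTERFACE    BROADCAST    OPTIONS
net      ppp0         -
loc      eth0         detect
EOF

    # hosts: ZONE HOST(S) OPTIONS. With the ipsec option these entries only
    # match traffic that arrived through an IPsec SA on ppp0, so they do not
    # overlap the net zone. vpndyn uses 0.0.0.0/0 because the peer's address
    # and even its networks are not known in advance.
    cat > "$dir/hosts" <<'EOF'
#ZONE    HOST(S)                OPTIONS
vpn1     ppp0:192.168.1.0/24    ipsec
vpndyn   ppp0:0.0.0.0/0         ipsec
EOF

    # tunnels: TYPE ZONE GATEWAY GATEWAY_ZONE. The 0.0.0.0/0 entry admits
    # IKE and ESP from any address for the dynamic peer (assumed address
    # 203.0.113.10 for the fixed one).
    cat > "$dir/tunnels" <<'EOF'
#TYPE    ZONE    GATEWAY          GATEWAY ZONE
ipsec    net     203.0.113.10
ipsec    net     0.0.0.0/0
EOF

    # policy: SOURCE DEST POLICY LOG LEVEL. Cleartext from net is still
    # dropped; only decapsulated IPsec traffic reaches the vpn zones.
    cat > "$dir/policy" <<'EOF'
#SOURCE   DEST      POLICY    LOG LEVEL
loc       vpn1      ACCEPT
vpn1      loc       ACCEPT
loc       vpndyn    ACCEPT
vpndyn    loc       ACCEPT
loc       net       ACCEPT
net       all       DROP      info
all       all       REJECT    info
EOF
}

# 1-based position of a zone in the zones file, ignoring comments and blanks.
zone_position() {
    awk -v z="$2" '!/^#/ && NF > 0 { n++; if ($1 == z) print n }' "$1"
}

# Enforce the ordering rule: every zone whose hosts entry is <if>:0.0.0.0/0
# with the ipsec option must be defined after all other ipsec zones.
# Returns 0 when the order is right, 1 with a message on stderr otherwise.
check_ipsec_zone_order() {
    dir="$1"
    ipsec_zones=$(awk '!/^#/ && NF >= 3 && $3 ~ /(^|,)ipsec(,|$)/ { print $1 }' "$dir/hosts")
    catchall=$(awk '!/^#/ && NF >= 3 && $2 ~ /:0\.0\.0\.0\/0$/ && $3 ~ /(^|,)ipsec(,|$)/ { print $1 }' "$dir/hosts")
    for z in $catchall; do
        zpos=$(zone_position "$dir/zones" "$z")
        [ -n "$zpos" ] || { echo "zone $z used in hosts but not defined in zones" >&2; return 1; }
        for other in $ipsec_zones; do
            [ "$other" = "$z" ] && continue
            opos=$(zone_position "$dir/zones" "$other")
            if [ -z "$opos" ] || [ "$opos" -gt "$zpos" ]; then
                echo "catch-all ipsec zone $z must be defined after $other in zones" >&2
                return 1
            fi
        done
    done
    return 0
}

# Usage: SHOREWALL_EXAMPLE_DIR=/tmp/shorewall-example sh thisfile.sh
if [ -n "${SHOREWALL_EXAMPLE_DIR:-}" ]; then
    write_shorewall_ipsec_config "$SHOREWALL_EXAMPLE_DIR"
    check_ipsec_zone_order "$SHOREWALL_EXAMPLE_DIR" && echo "zone order OK"
fi
```

The fragments are written to a scratch directory rather than /etc/shorewall so they can be compared against a live configuration before anything is changed; run the check against /etc/shorewall directly if you want to confirm an existing setup follows the rule.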