I recently went to a great deal of trouble to get a properly patched kernel and ipsec-tools together to connect to a cisco vpn concentrator. My firewall is shorewall shorewall-3.0.4-1 running on a FC4 box at 2.6.11 (plus policy match patches).

The ipsec implementation requires that I make my default route to the eth0:1 interface, but the shorewall interfaces file says you can't do that. I would also want to masquerade my local subnet through the ipsec connection, and I don't see how I could make that work.

If anyone has experience in this area I would appreciate it.
wcn

-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=103432&bid=230486&dat=121642
We are using OpenSwan with default route to eth0:1 and /etc/shorewall/hosts has

    vpn     eth0:xx.xx.xx.xx,xx.xx.xx.xx    ipsec

There are no troubles with that.

Cheers
Mike

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Wendell Nichols
Sent: Tuesday, 7 February 2006 00:28
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Problems with ipsec-tools

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Can you masquerade a small network behind the openswan vpn to a corporate network behind the cisco router? If so I would be interested in your shorewall and routing config...
wcn
I'm not sure if I've got it right, but we have tested openswan/openswan, openswan/cisco and openswan/netscreen setups. All of them seem to be ok, but we are only using openswan/openswan and openswan/netscreen productively.

You are able to merge two subnets together - the one behind openswan and the one behind cisco or other right side. In addition you are able to set up another shorewall in one of these subnets to be able to NAT to a third subnet.

I think that was your question.

Cheers
Mike

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On behalf of Wendell Nichols
Sent: Tuesday, 7 February 2006 15:54
To: shorewall-users@lists.sourceforge.net
Subject: Re: AW: [Shorewall-users] Problems with ipsec-tools
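An added example of the Shorewall side of the setup this thread is about (my code, not a configuration posted by either participant): a POSIX sh function that stages the interfaces, zones, hosts, tunnels, masq and policy files for a vpn zone reached through an ipsec-tools tunnel on eth0, with the local subnet SNATed to the tunnel's inner address that lives on the eth0:1 alias. All addresses are constructed, the function name and staging-root argument are mine, and the column layout (zone TYPE ipsec, IPSEC column in masq) is the Shorewall 3.0 layout for policy-match kernels as I recall it from the Shorewall documentation, so check it against the man pages of the installed version.

```shell
# Added example (not from the thread): stage Shorewall 3.0-style files
# for a "vpn" zone behind an ipsec-tools tunnel on eth0, with the LAN
# masqueraded to the tunnel's inner address (the eth0:1 alias).
# Files go under a staging root ($1) for review before /etc/shorewall.
stage_ipsec_config() {
    root="$1"; local_net="$2"; remote_net="$3"; vpn_addr="$4"; gateway="$5"
    mkdir -p "$root" || return 1
    # eth0:1 is an address alias, not an interface: Shorewall only sees eth0.
    cat > "$root/interfaces" <<EOF
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,tcpflags
loc     eth1        detect      tcpflags
EOF
    # Zone TYPE ipsec: remote hosts are told apart from plain "net" traffic
    # on the same eth0 by the kernel's policy match, not by interface.
    cat > "$root/zones" <<EOF
#ZONE   TYPE        OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec       mode=tunnel
EOF
    cat > "$root/hosts" <<EOF
#ZONE   HOST(S)
vpn     eth0:$remote_net
EOF
    # Permit IKE and ESP between this box and the concentrator.
    cat > "$root/tunnels" <<EOF
#TYPE   ZONE    GATEWAY
ipsec   net     $gateway
EOF
    # SNAT the LAN to the inner address only for packets that will be
    # encrypted (IPSEC column = Yes); internet-bound traffic is untouched.
    cat > "$root/masq" <<EOF
#INTERFACE  SOURCE      ADDRESS     PROTO   PORT(S) IPSEC
eth0        $local_net  $vpn_addr   -       -       Yes
EOF
    # Constructed policy: LAN and firewall may reach the corporate side;
    # nothing initiates from the corporate side toward the LAN.
    cat > "$root/policy" <<EOF
#SOURCE DEST    POLICY  LOG LEVEL
loc     vpn     ACCEPT
fw      vpn     ACCEPT
vpn     loc     DROP    info
net     all     DROP    info
all     all     REJECT  info
EOF
}
```

The IPSEC column makes the SNAT rule fire only for packets the kernel's SPD will encrypt, so the racoon/setkey policies must also select the LAN-to-remote traffic for the tunnel; this stages only the Shorewall side.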