Shorewall users - Apr 2006 - IPSEC 2.4 net-to-host setup

Dear All,

I am trying to replace an IPCop box with a Debian Sarge box (2.4
kernel) using Shorewall (2.2.3-2) and OpenSwan (2.2.0-8).

I have everything else done apart from the VPNs!  We have a number of
staff accessing our site using the VPN, they are standalone Windows
laptops with static IP addresses.

I have a test rig set up in my loft and have successfully got the
Net-to-Net configuration working, however when I try the Net-to-Host
combination the first pass encrypted traffic is let through but the
decrypted traffic is blocked. The IPSec is working with the firewall
off.
I have looked through the fine documentation and can''t find an example
of this particular setup. Could someone please suggest how I should
tweak my config files from the net-to-net setup to the net-to-host
setup.

Once I get this setup I''m planning to move the VPN clients to OpenVPN
which looks much easier to setup :-) and much more flexible.

Many thanks in advance, as I''ve spent to long in the loft scratching
my head over this one, and it''s far to cold up there :-(

Regards,

Simon


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642

Hi Simon
> I am trying to replace an IPCop box with a Debian Sarge box (2.4
> kernel) using Shorewall (2.2.3-2) and OpenSwan (2.2.0-8).
> [...]
> Could someone please suggest how I should
> tweak my config files from the net-to-net setup to the net-to-host
> setup.
Isn''t this similar to what Tom has described in the Road Warrior
section:
http://www.shorewall.net/2.0/IPSEC.htm#id2507868
(Of course, you can restrict the gateway if you like).

Please note that if you only allow access from the vpn-tunnel to your
lan, it will not be possible to test the tunnel on the firewall
itself, only on another machine on the lan -- if you want the firewall
to have access to the tunnel, you need to specify that as well.

If the above doesn''t help you, I suggest that you post a full
"shorewall status", as described in:
http://www.shorewall.net/2.0/support.htm#Guidelines


Rune


-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642