Shorewall users - May 2007 - DNAT: openswan peer behind NAT

Hi,

Before sending in a shorewall dump I would like to
know if someone has already solved this "common" issue
before.

I setup openswan on a shorewall gateway/router and
correctly established an IPsec peer to peer tunnel.

Now I need to stop the openswan service on the
shorewall gateway and install it on another shorewall
server within the LAN.
But before getting to the LAN there''s another
shorewall box acting as a bridge+router.

At first I tried using this bridge+router as an
openswan peer but then I read the warning on 
http://www.shorewall.net/IPSEC-2.6.html 
about "Netfilter+ipsec and policy match support are
broken when used with a bridge device" and I have
kernels < 2.6.20 and am reluctant to upgrade for now.

So I setup another openswan machine on the subnet
within the shorewall bridge and tried initiating a
connection.

The rules I apply are as follow (10.215.144.27 is the
"innermost" openswan peer):

on the "outermost" shorewall gateway/router:
DNAT    net1:195.177.212.154    loc:10.215.144.27     
 udp     4500
DNAT    net1:195.177.212.154    loc:10.215.144.27     
 udp     500
DNAT    net1:195.177.212.154    loc:10.215.144.27     
 50
(as NAT-t is enabled in openswan I suppose I could be
using just udp 4500)

on the shorewall bridge:
ACCEPT  net:195.177.212.154     loc:10.215.144.27     
 udp     4500
ACCEPT  net:195.177.212.154     loc:10.215.144.27     
 udp     500
ACCEPT  net:195.177.212.154     loc:10.215.144.27     
 50

and on the "innermost" openswan peer I followed the
setup on http://www.shorewall.net/IPSEC-2.6.html.

However, openswan doesn''t go past STATE_MAIN_I1 which
seems to indicate a firewall problem.

000 #1: "ge-fhm":500 STATE_MAIN_I1 (sent MI1,
expecting MR1); EVENT_RETRANSMIT in 13s; nodpd

So before getting into details and dumps, I was
wondering if someone with a similar setup could
confirm that:

1) kernels 2.6.17/2.6.18 and shorewall configured as a
bridge will/are expected to fail,

2) the above DNAT rules are theoretically enough.

Thank you



       
____________________________________________________________________________________Take
the Internet to Go: Yahoo!Go puts the Internet in your pocket: mail, news,
photos & more.
http://mobile.yahoo.com/go?refer=1GNXIC

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/