Hello all,

I am using two Draytek routers that open and sustain an encrypted VPN connection between two LANs (via the internet). Behind EACH of the routers is a Linux machine that runs Shorewall (2.0.2). Each of the machines is equipped with two network interfaces: eth0 connects the machine to the router and eth1 connects the machine to the internal network, for which network Shorewall provides NAT.

Each of the routers can ping the internal IP of the other router, as well as the IP of the eth0 of each of the Linux machines; that is how I know that the VPN connection is working. Therefore (you guessed it) everything past the eth1 port is unreachable, therefore the two internal LANs are not connected at all.

By reading, I thought that I would have to use the "tunnels" file, but everything that I do fails. I have configured two zones per machine (zone "net" and zone "local", self explanatory) and I have allowed via my policies ALL traffic, for testing purposes.

Please assist, if possible.

Panos

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
Panos Katergiathis wrote:
> I am using two Draytek routers that open and sustain an encrypted VPN
> connection between two lans (via the internet). Behind EACH of the
> routers is a Linux machine that runs Shorewall (2.0.2). Each of the
> machines is equiped with two network interfaces: eth0 connects the
> machine to the router and eth1 connects the machine to the internal
> network, for which network Shorewall provides NAT.

Presumably the Draytek routers do NAT between internet and their LAN port - so don't add a second level of NAT in your internal gateways, it just adds another level of complexity that you don't need and it appears you don't have the skills to handle.

> Each of the routers can ping the internal IP of the other router, as
> well as the IP of the eth0 of each of the Linux machines, that is how i
> know that the VPN connection is working. Therefore (you guessed it)
> everything past the eth1 port is unreachable, therefore the two internal
> LANs are not connected at all.

Three different reasons why this will be so:

1) You probably do not have routing tables set up properly so the systems at each end do not have the routes to be able to send the packets to the right place.

2) The NAT makes the other end network invisible.

3) When you've fixed 1 & 2, you probably don't have the right VPN policies to route the end networks via the VPN.

> By reading, i thought that i would have to use the "tunnels" file, but
> everything that i do fails.

No, because the shorewall machines have absolutely zero part in the VPN tunnel. I'll attempt a little diagram:

Net1 --- SW1 --net2-- D1 --internet-- D2 --net3-- SW2 --- Net4

SW1 & SW2 are your Shorewall machines, D1 & D2 are your Draytek routers, net1 - net4 are the networks. Let's say we use 192.168.1.0/24 for net1, 192.168.2.0/24 for net2, 192.168.13.0/24 for net3 and 192.168.14.0/24 for net4.

Your VPN policies need to include all the networks, not just net2 and net3. So you might use 192.168.0.0/22 and 192.168.12.0/22 which encompass both networks at each end. These policies would include other networks, but as long as you don't try to use them elsewhere it won't matter.

Then you need routing tables, so SW1 needs either:

192.168.12.0/22 via 192.168.2.x (Draytek D1 IP address)

or:

192.168.13.0/24 via 192.168.2.x
192.168.14.0/24 via 192.168.2.x

This allows the Shorewall machine (and anything using it as the default gateway) to route packets properly. After that, you need Shorewall rules to allow the right traffic in.
Thanks for the help you provided.

Though, I am a bit unclear on what you mean about the "not needed" NAT functionality: the Drayteks act as modems, providing internet connectivity - the NATing takes place on the Shorewall machines, thus allowing the users of the internal networks to have access to the internet, right? So, I would have thought that my issue would be a "routing" issue between the eth0 and eth1 of each of my Linux machines.

Furthermore, you discuss VPN policies: how do I enforce these? Is it a Shorewall issue, or a Linux issue?

Please, tolerate my ignorance a little bit more (I learn quickly).

Panos
Please, if anyone sees something wrong with my advice, don't be shy of saying so!

Panos Katergiathis wrote:
> Thanks for the help you provided.
> Though, i am a bit unclear on what you mean about the "not needed" NAT
> functionality: the Drayteks act as modems, providing internet
> connectivity - the NATing takes place on the Shorewall machines, thus
> allowing the users of the internal networks to have access to the
> internet, right?

I very much doubt it. Firstly I wasn't aware that the Draytek stuff would run as a MODEM, secondly I really really doubt that they would do VPN whilst doing so. If you check, I think you will find that they are running as NAT routers - one public IP on the WAN, and an RFC1918 network on the LAN.

As a true modem, the device doesn't have its own IP address (apart from one used purely for management) and it transparently passes packets between the WAN and LAN - with the ethernet interface of the SINGLE attached device taking the IP address of your net connection. Such devices are actually rather few.

> Furthermore, you discuss VPN policies: how do i enforce these? Is it a
> Shorewall issue, or a Linux issue.

Neither, VPN policies are what controls the traffic that goes via the VPN. In your VPN setup (I'm assuming IPSec here as that's what I recall Draytek stuff doing) you will find that part of the VPN setup is the remote network. Here you will have configured the remote network/subnet mask at the other end of the VPN tunnel, and if you've set that to be the same as the LAN subnet/mask of the remote router then ONLY that traffic will be sent via the VPN.

Going back to my previous post:

Net1 --- SW1 --net2-- D1 --internet-- D2 --net3-- SW2 --- Net4

If you configure D1 with a VPN policy that only includes net3, then traffic for net4 will be sent unencrypted via the WAN - and since the internet doesn't route RFC1918 traffic the packet will simply be dropped.

You COULD get around this by using NAT on SW2 so you only deal with addresses on net3 - but then everything in net4 is invisible unless you start doing port forwarding (aka DNAT) in SW2. I would suggest that this would be a bad way to do it and will cause you nothing but grief.

Alternatively, some equipment (I think Draytek allows this, Netgear doesn't) will allow you to set a static route via the tunnel/vpn - in that case you can leave the VPN policy in D1 to just reference net3 and set a route in D1 to route traffic for net4 via the tunnel interface built by the VPN.

> Please, tolerate my ignorance a little bit more (i learn quickly).

I hope so, you've a steep learning curve to survive.
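The two replies above make two checkable claims: the routing advice in the earlier reply (that 192.168.12.0/22 is the single block covering net3 and net4, and that SW1 needs a route for it via D1), and the VPN-policy explanation in this one (that a destination outside the policy's remote subnet is sent unencrypted to the WAN and dropped). The script below is an added example, not code from the thread or from Shorewall or Draytek. It computes the smallest covering prefix for two networks, checks whether a VPN policy's remote subnet covers each remote network, and prints the host-side configuration the advice implies. The gateway addresses (D1 = 192.168.2.1, SW1 eth0 = 192.168.2.2) are assumptions, the thread only says "192.168.2.x"; the masq exclusion syntax `eth0:!network` is also an assumption about what this Shorewall release accepts and must be checked against the header comments of the installed masq file. It assumes 64-bit shell arithmetic (any current dash or bash on a 64-bit Linux) and only prints commands, it never changes a routing table.

```shell
#!/bin/sh
# Added example for the Shorewall/Draytek thread; not part of the original posts.
# Topology from the reply:  Net1 --- SW1 --net2-- D1 --internet-- D2 --net3-- SW2 --- Net4
NET1=192.168.1.0/24;  NET2=192.168.2.0/24
NET3=192.168.13.0/24; NET4=192.168.14.0/24
D1_LAN=192.168.2.1;   SW1_ETH0=192.168.2.2   # assumed; the thread only gives "192.168.2.x"

# Dotted quad -> 32-bit integer (needs 64-bit shell arithmetic for the shifts).
ip4_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# 32-bit integer -> dotted quad.
int_to_ip4() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask as an integer for a prefix length 0..32.
mask_for_len() {
    if [ "$1" -eq 0 ]; then echo 0; return; fi
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# cidr_contains AGG/LEN SUB/LEN -> exit 0 when SUB lies entirely inside AGG.
cidr_contains() {
    agg_len=${1#*/}; sub_len=${2#*/}
    [ "$sub_len" -ge "$agg_len" ] || return 1
    m=$(mask_for_len "$agg_len")
    [ $(( $(ip4_to_int "${1%/*}") & m )) -eq $(( $(ip4_to_int "${2%/*}") & m )) ]
}

# supernet A/LEN B/LEN -> smallest single CIDR block that covers both networks
# (the "192.168.12.0/22 encompasses net3 and net4" step of the reply).
supernet() {
    a=$(ip4_to_int "${1%/*}"); b=$(ip4_to_int "${2%/*}")
    len=${1#*/}
    if [ "${2#*/}" -lt "$len" ]; then len=${2#*/}; fi
    while [ "$len" -gt 0 ] && [ $(( a & $(mask_for_len "$len") )) -ne $(( b & $(mask_for_len "$len") )) ]; do
        len=$(( len - 1 ))
    done
    echo "$(int_to_ip4 $(( a & $(mask_for_len "$len") )))/$len"
}

# vpn_policy_check POLICY/LEN DST/LEN... -> one line per destination; returns 1 if
# any destination is outside the policy, i.e. would leave D1's WAN unencrypted
# and be dropped because the internet does not route RFC1918 addresses.
vpn_policy_check() {
    policy=$1; shift; leaks=0
    for dst in "$@"; do
        if cidr_contains "$policy" "$dst"; then
            echo "$dst -> via VPN (covered by policy $policy)"
        else
            echo "$dst -> NOT covered by policy $policy: sent in clear to the WAN and dropped"
            leaks=1
        fi
    done
    return $leaks
}

# sw1_plan -> prints the host-side configuration the routing advice implies.
# If SW1's default route already points at D1 the explicit route is redundant
# but harmless; the return route on D1 is what is usually missing.
sw1_plan() {
    remote=$(supernet "$NET3" "$NET4")
    cat <<EOF
# on SW1 (Shorewall 2.0 box, eth0 towards D1): one route for both remote networks
ip route add $remote via $D1_LAN dev eth0
# on D1 (Draytek web UI, static routes): replies for net1 must come back via SW1
#   destination $NET1  gateway $SW1_ETH0
# /etc/shorewall/masq on SW1, only if you keep NAT for internet access at all:
# masquerade net1 on eth0 except when bound for the remote site
# (exclusion syntax assumed; verify against the masq file's header comments)
eth0:!$remote	$NET1
EOF
}

# Demo: the policy the original poster most likely has (net3 only) versus the
# widened one the reply recommends.
vpn_policy_check "$NET3" "$NET3" "$NET4"
vpn_policy_check "$(supernet "$NET3" "$NET4")" "$NET3" "$NET4"
sw1_plan
```

The route and masq lines are printed rather than applied so the plan can be reviewed before touching a box that is only reachable through the tunnel; `ip route add` on a Shorewall 2.0-era system can be replaced by the equivalent `route add -net` if iproute2 is absent.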