Hi all,

I set up an IPSEC tunnel according to the tutorial at http://www.shorewall.net/IPSEC-2.6.html. In the following I will refer to the picture and rules there.

The company at side B now wants all clients from side A to appear to have a single address, say 192.168.200.1. So the question is: what entry in /etc/shorewall/masq is needed to translate all originating requests from subnet 192.168.1.0/24 to this address before the traffic goes through the IPSEC tunnel? And what has to be changed in the IPSEC/racoon config for this?

Thanks for any advice,
Christian

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
On 2007-10-05 10:36, Christian Vieser wrote:
> Hi all,
>
> I set up an IPSEC tunnel according to the tutorial at
> http://www.shorewall.net/IPSEC-2.6.html. In the following I will refer
> to the picture and rules there.
>
> The company at side B now wants that all clients from side A appear to
> have a single address, say 192.168.200.1. So the question is, what entry
> in /etc/shorewall/masq is needed to translate all originating requests
> from subnet 192.168.1.0/24 to this address, before the traffic will go
> through the IPSEC tunnel. And what has to be changed in the IPSEC/racoon
> config for this?

Extracted from a working shorewall 2.2.x installation (should not be different in newer versions):

# file: masq
#INTERFACE              SUBNET          ADDRESS
eth0::$B_SIDE_IP_RANGE  192.168.1.0/24  192.168.200.1
# put other masq entries with 192.168.1.0/24 as a subnet below if needed

Most likely you need to turn off route filtering (for example ROUTE_FILTER=No in shorewall.conf).

IPSec tunnel must be established between 192.168.200.1/32 and $B_SIDE_IP_RANGE. I use Openswan, not ipsec-tools, so I can't give exact config entries. It should be enough if your configuration does not contain any specific, conflicting elements.

Greetings.
--
Artur
Thanks, Artur.

I tried as described and the tunnel is successfully established upon a ping from a system at A to a system at B. But the ping itself isn't successful. Does the address 192.168.200.1 have to be added to the external interface? I have the ADD_SNAT_ALIASES variable set to NO in shorewall.conf. I think it should be handled by Shorewall only internally.

Is there any possibility to trace the connection some steps further with the Shorewall logging facilities? I see, of course, the initial ACCEPT of the packet from the client entering the firewall with the policy "loc -> vpn". But not further.

Regards,
Christian

Artur Uszyński wrote:
> On 2007-10-05 10:36, Christian Vieser wrote:
>
>> Hi all,
>>
>> I set up an IPSEC tunnel according to the tutorial at
>> http://www.shorewall.net/IPSEC-2.6.html. In the following I will refer
>> to the picture and rules there.
>>
>> The company at side B now wants that all clients from side A appear to
>> have a single address, say 192.168.200.1. So the question is, what entry
>> in /etc/shorewall/masq is needed to translate all originating requests
>> from subnet 192.168.1.0/24 to this address, before the traffic will go
>> through the IPSEC tunnel. And what has to be changed in the IPSEC/racoon
>> config for this?
>>
>
> Extracted from a working shorewall 2.2.x installation (should not be different in newer versions):
>
> # file: masq
> #INTERFACE              SUBNET          ADDRESS
> eth0::$B_SIDE_IP_RANGE  192.168.1.0/24  192.168.200.1
> # put other masq entries with 192.168.1.0/24 as a subnet below if needed
>
> Most likely you need to turn off route filtering (for example ROUTE_FILTER=No in shorewall.conf).
>
> IPSec tunnel must be established between 192.168.200.1/32 and $B_SIDE_IP_RANGE. I use Openswan, not ipsec-tools, so I can't give exact config entries.
Ok, I found a missing link in the IPSEC configuration. Things are working now.

One essential point to mention is that the declaration of the vpn zone in /etc/shorewall/zones has to come first, before the declaration of the net zone. If you don't do this, Shorewall will put the connection into the net zone when evaluating the policies.

Regards,
Christian
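The zone-ordering pitfall Christian describes is easy to reintroduce later when someone edits /etc/shorewall/zones, so a small pre-restart check is worth having. The script below is an added example, not code from the thread or from the Shorewall project: it reads a zones file, locates the declarations of the IPsec zone and the net zone (the zone names "vpn" and "net" are assumptions taken from the tutorial the thread refers to), and reports whether the IPsec zone is declared first. The two sample zones files are constructed inline so the check runs offline.

```shell
#!/bin/sh
# Added example (not part of the thread): verify that the IPsec zone is
# declared before the net zone in a Shorewall zones file, so that tunnelled
# traffic is not evaluated against the net zone's policies.
# Zone names "vpn" and "net" are assumptions borrowed from the tutorial.

# Constructed sample: the wrong order (net declared before vpn).
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
vpn     ipsec
loc     ipv4
EOF

# Constructed sample: the order Christian found to work (vpn before net).
SAMPLE_GOOD=$(mktemp)
cat > "$SAMPLE_GOOD" <<'EOF'
#ZONE   TYPE       OPTIONS
fw      firewall
vpn     ipsec
net     ipv4
loc     ipv4
EOF

# zone_line FILE ZONE
# Prints the 1-based position of ZONE among the non-comment, non-blank
# declaration lines of FILE; prints nothing if the zone is not declared.
zone_line() {
    grep -v '^[[:space:]]*#' "$1" \
        | grep -v '^[[:space:]]*$' \
        | awk -v z="$2" '$1 == z { print NR; exit }'
}

# zone_order_ok FILE IPSEC_ZONE NET_ZONE
# Returns 0 when both zones are declared and IPSEC_ZONE precedes NET_ZONE.
zone_order_ok() {
    v=$(zone_line "$1" "$2")
    n=$(zone_line "$1" "$3")
    [ -n "$v" ] && [ -n "$n" ] && [ "$v" -lt "$n" ]
}

if zone_order_ok "$SAMPLE_GOOD" vpn net; then
    echo "ok: vpn zone declared before net zone"
fi
if ! zone_order_ok "$SAMPLE_BAD" vpn net; then
    echo "warning: net zone declared before vpn zone; tunnelled traffic will be treated as net"
fi
```

Run it against the real file with `zone_order_ok /etc/shorewall/zones vpn net` before `shorewall restart`; a non-zero exit means the ordering Christian needed has been lost.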