Hello,

I have two routers and behind each router one Shorewall Linux box. I want to set up a GRE tunnel with the Shorewall script, but I don't know how. Can you tell me if it is possible? Do I need to do some configuration on the routers?

Thank you!
Adrian Chapela wrote:
> Hello,
>
> I have two routers and behind each router one Shorewall Linux box. I
> want to set up a GRE tunnel with the Shorewall script, but I don't know how. Can
> you tell me if it is possible? Do I need to do some configuration on the routers?

shorewall.net/IPIP.htm

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Adrian Chapela wrote:
>> Hello,
>>
>> I have two routers and behind each router one Shorewall Linux box. I
>> want to set up a GRE tunnel with the Shorewall script, but I don't know how.
>> Can you tell me if it is possible? Do I need to do some configuration on
>> the routers?
>
> shorewall.net/IPIP.htm

Thank you for your fast answer, but I already read this document and I tested it on my LAN with successful results. My problem is to test the same config on the following setup:

Shorewall Box ->> Router ->>> ...... INTERNET ...... <<<- Remote Router <<- Remote Shorewall Box.

I am testing this config and I can't establish a tunnel between the two Shorewall boxes. Do I need to do some configuration on the routers?

> -Tom

Thank you Tom!
Adrian Chapela wrote:
>
> I am testing this config and I can't establish a tunnel between the two
> Shorewall boxes. Do I need to do some configuration on the routers?

Well, trivially they need to pass GRE traffic...

-Tom
Tom Eastep wrote:
> Adrian Chapela wrote:
>
>> I am testing this config and I can't establish a tunnel between the two
>> Shorewall boxes. Do I need to do some configuration on the routers?
>
> Well, trivially they need to pass GRE traffic...

OK, Tom. I need to configure the routers to pass GRE traffic, but what if I need to do NAT? Will it be OK as well?

My config:

Site 1: Router 1 (212.60.187.2) -> 192.168.2.1 (Linux Box 1)
Site 2: Router 2 (69.80.80.1) -> 192.168.3.1 (Linux Box 2)

Two tunnel scripts:

Site 1, Linux Box 1:

    tunnel="tunnel_test"
    myrealip="212.60.187.2"
    myip="192.168.2.1"
    hisip="192.168.3.1"
    gateway="69.80.80.1"
    subnet="192.168.3.0/24"

Site 2, Linux Box 2:

    tunnel="tunnel_test"
    myrealip="69.80.80.1"
    myip="192.168.3.1"
    hisip="192.168.2.1"
    gateway="212.60.187.2"
    subnet="192.168.2.0/24"

With this config and passing the GRE traffic to the Linux box, is it OK? I am not sure about passing GRE traffic using NAT... I think this is my real problem...

Thank you again Tom!

> -Tom
Adrian Chapela wrote:
> Thank you for your fast answer, but I already read this document and I
> tested it on my LAN with successful results. My problem is to test the
> same config on the following setup:
>
> Shorewall Box ->> Router ->>> ...... INTERNET ...... <<<- Remote Router
> <<- Remote Shorewall Box.
>
> I am testing this config and I can't establish a tunnel between the two
> Shorewall boxes. Do I need to do some configuration on the routers?

Yes, you MUST configure each router to port forward the required traffic to the Shorewall box behind it - otherwise the packets from the other end will simply be dropped. That is no different to running any other service on a machine behind the NAT gateway.
Simon Hobson wrote:
> Adrian Chapela wrote:
>
>> Shorewall Box ->> Router ->>> ...... INTERNET ...... <<<- Remote Router
>> <<- Remote Shorewall Box.
>>
>> I am testing this config and I can't establish a tunnel between the two
>> Shorewall boxes. Do I need to do some configuration on the routers?
>
> Yes, you MUST configure each router to port forward the required
> traffic to the Shorewall box behind it - otherwise the packets from
> the other end will simply be dropped. That is no different to running
> any other service on a machine behind the NAT gateway.

Yes, I know, but opening a tunnel isn't the same as running a service with an open port... a tunnel doesn't have a port. This is my problem... but I think I must forward the GRE traffic to the Linux box.
Adrian Chapela wrote:
>> Yes, you MUST configure each router to port forward the required
>> traffic to the Shorewall box behind it - otherwise the packets from
>> the other end will simply be dropped. That is no different to running
>> any other service on a machine behind the NAT gateway.
>
> Yes, I know, but opening a tunnel isn't the same as running a service with an
> open port... a tunnel doesn't have a port. This is my problem... but I think
> I must forward the GRE traffic to the Linux box.

OK, but the same principle applies - you have to configure the routers to forward the GRE traffic (which, when I look it up, I see is IP protocol 47). What I do know is that many routers (I'm thinking about 'consumer class' devices) cannot do this, as they only handle UDP and TCP in their NAT configuration.
Adrian Chapela wrote:
> Simon Hobson wrote:
>> Yes, you MUST configure each router to port forward the required
>> traffic to the Shorewall box behind it - otherwise the packets from
>> the other end will simply be dropped. That is no different to running
>> any other service on a machine behind the NAT gateway.
>
> Yes, I know, but opening a tunnel isn't the same as running a service with an
> open port... a tunnel doesn't have a port. This is my problem... but I think
> I must forward the GRE traffic to the Linux box.

That's correct.

On a Linux router:

    iptables -t nat -A PREROUTING -s <remote router's IP> -p 47 -j DNAT --to-destination <local Shorewall IP>

and

    iptables -A FORWARD -s <remote router's IP> -m conntrack --ctorigdst <local router's IP> -d <local Shorewall IP> -p 47 -j ACCEPT

That's basically the same thing you would do to forward a TCP port, except replace '-p 47' with '-p 6' and add '--dport <portnumber>' to both rules.

With some other type of router, consult the documentation or the manufacturer's web site or help line.

-Tom
Tom Eastep wrote:
> Adrian Chapela wrote:
>> Yes, I know, but opening a tunnel isn't the same as running a service with
>> an open port... a tunnel doesn't have a port. This is my problem... but I
>> think I must forward the GRE traffic to the Linux box.
>
> That's correct.
>
> On a Linux router:
>
>     iptables -t nat -A PREROUTING -s <remote router's IP> -p 47 -j DNAT --to-destination <local Shorewall IP>
>
> and
>
>     iptables -A FORWARD -s <remote router's IP> -m conntrack --ctorigdst <local router's IP> -d <local Shorewall IP> -p 47 -j ACCEPT
>
> That's basically the same thing you would do to forward a TCP port, except
> replace '-p 47' with '-p 6' and add '--dport <portnumber>' to both rules.
>
> With some other type of router, consult the documentation or the
> manufacturer's web site or help line.
>
> -Tom

Thank you to all! I configured my routers to forward all GRE traffic and now I can see GRE packets on my Shorewall box, but I can't ping... I will test later and I will verify my tunnel configuration.

Thank you!
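The two halves of this thread, put together as an added example (not Shorewall's code and not posted by anyone in the thread): Tom's DNAT and FORWARD rules for the Linux NAT router, extended with the outbound side so the tunnel can be brought up from inside, plus the tunnel commands for the Shorewall box using the variable names from Adrian's script. The addresses are the ones posted for Site 1; the WAN interface name eth0 is an assumption. One deliberate difference from the posted script: here myrealip is the box's own LAN address (192.168.2.1), not the router's public address. On Linux the `local` address of a GRE tunnel has to be one the host owns, otherwise the tunnel cannot transmit, and it is the router's SNAT that puts the public address on the wire. The remote endpoint on each box is the far router's public address (the posted `gateway` value), because that is the source address the far end's packets carry once its router has translated them. Because GRE has no ports, the NAT router matches on protocol 47 and addresses only, so a plain NAT without a GRE conntrack helper can carry one tunnel per (remote router, public address) pair; consumer routers that only offer TCP/UDP port forwards cannot do this at all, as Simon says. The functions only print the commands; pipe the output to sh on the right machine to apply them.

```shell
#!/bin/sh
# gre-nat.sh: helpers for a GRE tunnel whose endpoints both sit behind Linux
# NAT routers. Added example for this thread, not Shorewall's code. Every
# function prints commands instead of running them; pipe to sh to apply.
# Assumptions (not from the thread): the router's WAN interface is eth0 and
# the boxes have iproute2 and iptables with the conntrack match.

# Refuse anything that is not a dotted-quad IPv4 address: every value here
# ends up as an iptables or ip argument, so reject stray input early.
is_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Rules for the Linux NAT router: Tom's DNAT and FORWARD rules for inbound
# GRE, plus the outbound side so the Shorewall box can initiate the tunnel.
#   gre_forward_rules REMOTE_ROUTER LOCAL_ROUTER INSIDE_HOST [WAN_IF]
gre_forward_rules() {
    remote=$1 pub=$2 inside=$3 wan=${4:-eth0}
    for a in "$remote" "$pub" "$inside"; do
        is_ipv4 "$a" || { echo "gre_forward_rules: bad IPv4 address '$a'" >&2; return 1; }
    done
    cat <<EOF
# Inbound GRE (IP protocol 47) from the remote router, addressed to our
# public IP: rewrite the destination to the Shorewall box.
iptables -t nat -A PREROUTING -i $wan -s $remote -d $pub -p 47 -j DNAT --to-destination $inside
# Accept the rewritten packets, but only those that were sent to us.
iptables -A FORWARD -i $wan -s $remote -d $inside -p 47 -m conntrack --ctorigdst $pub -j ACCEPT
# Outbound GRE from the Shorewall box: accept it and source it from our
# public IP, which is the address the far router's DNAT rule expects.
iptables -A FORWARD -o $wan -s $inside -d $remote -p 47 -j ACCEPT
iptables -t nat -A POSTROUTING -o $wan -s $inside -d $remote -p 47 -j SNAT --to-source $pub
EOF
}

# Tunnel set-up for the Shorewall box behind the NAT router, using the
# variable names from the thread's script.
#   gre_tunnel_cmds TUNNEL MYREALIP MYIP GATEWAY SUBNET
# MYREALIP: an address this host owns (its LAN IP); the router's SNAT turns
#           it into the public address on the wire.
# GATEWAY:  the far router's public IP, the source the far end's packets
#           carry after that router has translated them.
gre_tunnel_cmds() {
    tunnel=$1 myrealip=$2 myip=$3 gateway=$4 subnet=$5
    is_ipv4 "$myrealip" && is_ipv4 "$myip" && is_ipv4 "$gateway" ||
        { echo "gre_tunnel_cmds: bad IPv4 address" >&2; return 1; }
    case "$subnet" in
        */*) ;;
        *) echo "gre_tunnel_cmds: subnet must be CIDR, e.g. 192.168.3.0/24" >&2; return 1 ;;
    esac
    cat <<EOF
modprobe ip_gre
ip tunnel add $tunnel mode gre remote $gateway local $myrealip ttl 255
ip link set $tunnel up
ip addr add $myip dev $tunnel
ip route add $subnet dev $tunnel
EOF
}
```

Site 1 would run `gre_forward_rules 69.80.80.1 212.60.187.2 192.168.2.1 | sh` on Router 1 and `gre_tunnel_cmds tunnel_test 192.168.2.1 192.168.2.1 69.80.80.1 192.168.3.0/24 | sh` on Linux Box 1; Site 2 swaps the addresses. The Shorewall box itself still has to accept the GRE packets, which now arrive from the far router's public address, so its tunnels file needs a `gre` entry with that address as the gateway (for Box 1: `gre net 69.80.80.1`). To tell "packets arrive but no ping" apart from "packets never leave", compare `ip -s link show dev tunnel_test` on both boxes: RX counting with TX errors on one side points at the tunnel's local address or the outbound SNAT, while `tcpdump -ni eth0 proto gre` on each router's WAN side shows whether GRE is crossing in both directions.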