I mostly forgot (in terms of being sure how to do it without consulting
the docs) how to use VPN. Here is what I have of docs for PtP IPSec VPN
with 2 VPN routers:
http://manual.ovislinkcorp.com/8000VPN-example.pdf
All I had to do was set the Remote and Local LAN subnets in the routers' web
config and routing was done. LAN1 was able to ping LAN2 instantly. I
mentioned routing since if that part is not done correctly you will
chase your own tail around shorewall and not the actual problem.
In the hosts file you are setting extra IPs or subnets you consider members
of the "Local" network/zone. You can even use public IPs for that so
you can have access to the firewall. You are not able to access private
networks (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) via the internet, so the
hosts file helps only with access to public IPs on the firewall itself or
public IPs behind it.
Please note that those 2 rows are just an example; do not just copy them
but read the docs for the hosts file and set your own rules and options. Other
than this warning, all that is needed are rules like mine in the hosts
file and (of course) a rule in the policy file that allows the zone you used in
the hosts file (it does not *have* to be "loc") to access the firewall and
other zones. Here are my full interfaces, policy, zones and hosts files (from
another server without bridging):
/etc/shorewall/interfaces:
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter,blacklist,tcpflags,logmartians,arp_ignore,optional,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones:
#ZONE   TYPE        OPTIONS     IN          OUT
#                               OPTIONS     OPTIONS
fw      firewall
loc     ipv4        #
kvm     ipv4        #
net     ipv4        #

/etc/shorewall/policy:
#SOURCE DEST    POLICY  LOG     LIMIT:      CONNLIMIT:
#                       LEVEL   BURST       MASK
net     net     NONE
fw      net     ACCEPT
fw      kvm     ACCEPT
loc     all     ACCEPT
kvm     all     ACCEPT
net     kvm     ACCEPT  ## Possible security issue since my firewall's IP is on that subnet !!!!! YMMV.
net     all     DROP    info
all     all     REJECT  info
Do you see "kvm" zone?
/etc/shorewall/hosts:
#ZONE   HOST(S)                     OPTIONS
loc     eth0:192.168.200.0/24       routeback,tcpflags
loc     eth0:192.168.219.0/24       routeback,tcpflags
kvm     eth0:xxx.yyy.219.88/29      routeback,tcpflags
kvm     eth0:aaa.bbb.255.72/29      routeback,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
I used the "kvm" zone to separate the "loc" zone from the public IPs of my
servers, from which I want access, and then I set access rights to that zone
in the policy file.
"net kvm ACCEPT" stayed when I copied the configuration from the server with
the br0 interface, and I am going to rearrange and further test this, possibly
delete it or restrict it more, but so far the www.grc.com port scanner says
I am safe, so I will leave it in this example with just a warning about it.
That is all I am able to help you with, and I think this is all you need
to accomplish your goal.
Ljubomir
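The configuration above has two parts a reader usually wants to check before blaming Shorewall: which zone a given address on eth0 actually lands in (the hosts file entry, or the interface's own "net" zone if nothing matches), and whether any policy lets the "net" zone ACCEPT traffic into a zone whose host range overlaps the firewall's own interface address, which is the "net kvm ACCEPT" line Ljubomir flags as a possible security issue. The following is an added example written for this page, not Shorewall's own code or anything from the list post. It parses the three files in their column format and runs both checks. The zone and policy lines mirror the post; the public /29 ranges in the hosts file are replaced by RFC 5737 documentation prefixes, and the firewall's own addresses (FW_ADDRS) are constructed, since the post does not give them. One caveat the check does not encode: Shorewall treats traffic addressed to the firewall itself as destination zone "fw" (the net→fw policy applies), so a flagged net→kvm ACCEPT mainly exposes the other hosts in that range; treat the flag as a prompt to review, not as proof of exposure.

```python
"""Audit Shorewall zones/hosts/policy files for a net -> ACCEPT policy into a zone
that contains one of the firewall's own interface addresses.

Added example; not part of Shorewall. Sample data below is constructed.
"""
import ipaddress

# Constructed sample config modelled on the list post. The public /29 ranges use
# RFC 5737 documentation prefixes in place of the masked xxx.yyy / aaa.bbb ones.
ZONES = """\
#ZONE   TYPE
fw      firewall
loc     ipv4
kvm     ipv4
net     ipv4
"""
HOSTS = """\
#ZONE   HOST(S)                     OPTIONS
loc     eth0:192.168.200.0/24       routeback,tcpflags
loc     eth0:192.168.219.0/24       routeback,tcpflags
kvm     eth0:198.51.100.88/29       routeback,tcpflags
kvm     eth0:203.0.113.72/29        routeback,tcpflags
"""
POLICY = """\
#SOURCE DEST    POLICY  LOG
net     net     NONE
fw      net     ACCEPT
fw      kvm     ACCEPT
loc     all     ACCEPT
kvm     all     ACCEPT
net     kvm     ACCEPT  ## flagged in the post
net     all     DROP    info
all     all     REJECT  info
"""
# Assumed addresses configured on the firewall's eth0 (constructed, not from the post).
FW_ADDRS = ["198.51.100.90", "192.168.200.1"]


def parse_columns(text):
    """Yield the whitespace-separated fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_hosts(text):
    """Return [(zone, interface, ip_network)] for every hosts-file entry."""
    entries = []
    for fields in parse_columns(text):
        zone, spec = fields[0], fields[1]
        iface, net = spec.split(":", 1)
        entries.append((zone, iface, ipaddress.ip_network(net, strict=False)))
    return entries


def zone_for(addr, hosts, iface_zone="net"):
    """Zone an address on the interface belongs to.

    Assumption: the most specific matching hosts entry wins; if nothing matches,
    the address falls back to the zone the interface itself is assigned in
    /etc/shorewall/interfaces (here "net"). Overlapping hosts entries also depend on
    zone ordering in /etc/shorewall/zones, which this simplified model ignores.
    """
    a = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, zone) for zone, _, net in hosts if a in net]
    return max(matches)[1] if matches else iface_zone


def risky_policies(policy_text, hosts, fw_addrs, internet_zone="net"):
    """Return (src, dst, action) policies that ACCEPT from the internet zone into a
    zone whose hosts range contains one of the firewall's own addresses."""
    fw_zones = {zone_for(a, hosts, internet_zone) for a in fw_addrs}
    flagged = []
    for fields in parse_columns(policy_text):
        src, dst, action = fields[0], fields[1], fields[2]
        if src == internet_zone and action == "ACCEPT" and (dst in fw_zones or dst == "all"):
            flagged.append((src, dst, action))
    return flagged


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS)
    for a in FW_ADDRS:
        print(f"{a} -> zone {zone_for(a, hosts)}")
    for src, dst, action in risky_policies(POLICY, hosts, FW_ADDRS):
        print(f"review: '{src} {dst} {action}' admits internet traffic into a zone "
              f"that overlaps a firewall address")
```

Run it against your own three files by replacing the embedded strings with `open(...).read()`; the check is deliberately conservative and will also flag a `net all ACCEPT` line, which on a border firewall is almost always a mistake.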
Körtvélyesi Péter wrote:
> Hi!
>
> Thanks for your really useful reply Ljubomir!
>
> The situation is that I can't try these settings out as I will have an
> exact weekend (out of office hours) to try out those and I have to
> finish that task in time. So I'm just studying the cases now.
>
> I've learnt that RV082 routers can't route traffic through VPN
> http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=175
> "How can we configure a static route entry on the RV042 and RV082 to
> route 10.200.128.0 traffic via the tunnel that established? The static
> entries for advanced routing only allows the selection of LAN or WAN.
> As a bonus, it would be great if we could add static route entries to
> the VPN tunnel configuration page. This bonus would only activate the
> route entry if the VPN tunnel was connected."
>
> If the VPN tunnel works between the two routers (home setup) the subnet of
> Shorewall's firewall (LAN1) can't be reached from LAN1?
> So what to do in that situation? Getting other types of routers?
>
> Or if I set a static route on them not telling anything about VPN is
> good enough? I mean telling VPN2 to have a static route through VPN1 to
> subnet 192.168.2.* and then telling VPN2 to have a static route to LAN1
> through Shorewall FW's net interface (192.168.2.2) to LAN1 192.168.0.*
> is good enough? Then again how to set Shorewall?
>
> loc br0:192.168.2.0/24 routeback,tcpflags (zone between VPN1 and Shorewall)
> loc br0:192.168.1.0/24 routeback,tcpflags (VPN2's LOC2 network)
>
>
> It does everything what I need?
>
> Sure I have to add a static route from FW to VPN2's LAN2 through VPN1,
> and from VPN1 to VPN2's subnet, am I right?
>
> It is not yet clear for me that these settings provide me the ability to
> be able to treat remote LAN2 connecting on the net interface to Shorewall as
> a local network.
>
> Any more detailed info is still greatly appreciated!
>
> Thanks very much!
> Peter
>
>
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------------
> Register Now & Save for Velocity, the Web Performance & Operations
> Conference from O''Reilly Media. Velocity features a full day of
> expert-led, hands-on workshops and two days of sessions from industry
> leaders in dedicated Performance & Operations tracks. Use code vel09scf
> and Save an extra 15% before 5/3. http://p.sf.net/sfu/velocityconf
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users