Shorewall users - Jun 2009 - (no subject)

shorewall docs say to add these netowrks which confuses me in net map?
More so that the two 10.10.11 and 10.10.10 are different networks. 

SNAT  192.168.1.0/24 vpn              10.10.11.0/24        #RULE 1A
DNAT  10.10.11.0/24  vpn              192.168.1.0/24       #RULE 1B 
The entry in /etc/shorewall/netmap in firewall2 would be:

#TYPE NET1           INTERFACE        NET2
DNAT  10.10.10.0/24  vpn              192.168.1.0/24       #RULE 2A
SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B
Not quite sure how this works and which route commands to use for openvpn
All software is the latest ie: shorewall openvpn 
server box fedora 2
c;lient suse 11.1
I have spent hours trying to find examples and posts found this. I see it was
put in shorewall years
ago. I have a need to build this as temp solution until I can fix layer2 bridges
at this network
and the logistics require using same lan ip networks on both sides of the tunnel
until I
can get the wireless bridges back up.
Not quite sure of the route commands to use to get this working. has anyone else
had to use this?
I see hardly any posts in shorewall on how to accomplish this? I have came up
with what I
think the open vpn configs below.

Thanks
Mike

-------------------------------------------------
client
dev tun
proto udp

remote 66.224.100.190 1194

ifconfig 172.16.1.2 172.16.1.1
;route 10.3.85.0 255.255.255.0
route add -host 10.3.85..20  tun0  --this is server side lan ip
resolv-retry infinite
nobind

persist-key
persist-tun

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client1.crt
key /etc/openvpn/keys/client1.key

tls-auth /etc/openvpn/keys/ta.key 1
cipher BF-CBC

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log

comp-lzo
verb 4

server -----------------------------------

And this is my server.conf file:

local 66.224.100.190
ifconfig 172.16.1.1 172.16.1.2

port 1194
proto udp

dev tun
daemon

ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem

server 172.16.1.0 255.255.255.0
ifconfig-pool-persist ipp.txt

push "dhcp-option DNS 4.2.2.2"

keepalive 10 120

tls-auth /etc/openvpn/keys/ta.key 0

cipher BF-CBC
comp-lzo
max-clients 25
user nobody
group nobody
persist-key
persist-tun

status /var/log/openvpn-status.log

log-append /var/log/openvpn.log
verb 4
mute 20

 


------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects

Hi Mike,

Mike Lander wrote:
> 
> shorewall docs say to add these netowrks which confuses me in net map?
> More so that the two 10.10.11 and 10.10.10 are different networks.
> 
> SNAT  192.168.1.0/24 vpn              10.10.11.0/24        #RULE 1A
> DNAT  10.10.11.0/24  vpn              192.168.1.0/24       #RULE 1B
> The entry in /etc/shorewall/netmap in firewall2 would be:
> 
> #TYPE NET1           INTERFACE        NET2
> DNAT  10.10.10.0/24  vpn              192.168.1.0/24       #RULE 2A
> SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B
> Not quite sure how this works
In network1, 10.10.10.0/24 is used as a substitute for the remote
192.168.1.0/24.

In network2, 10.10.11.0/24 is used as a substitute for the remote
192.168.1.0/24.

 and which route commands to use for openvpn

On network1, you want to route 10.10.10.0/24 through the tunnel.
On network2, you want to route 10.10.11.0/24 through the tunnel.
> All software is the latest ie: shorewall openvpn
> server box fedora 2
> c;lient suse 11.1
> I have spent hours trying to find examples and posts found this. I see
> it was put in shorewall years
> ago. I have a need to build this as temp solution until I can fix layer2
> bridges at this network
> and the logistics require using same lan ip networks on both sides of
> the tunnel until I
> can get the wireless bridges back up.
> Not quite sure of the route commands to use to get this working. has
> anyone else had to use this?
Not I. I got it working back when I implemented the code and haven''t
touched it since.
> I see hardly any posts in shorewall on how to accomplish this? I have
> came up with what I
> think the open vpn configs below.
> 
Just use a conventional host-host VPN config. You then select a pair of
networks you plan to use for the surrogate on each end.

Let''s say that you want to use 10.10.10.0/24 on the client end and
10.10.11.0/24 on the server end.

What I would do is use a CCD (client config dir) on the server and in
the client''s ccd file, I would:

route 10.10.11.0 255.255.255.0
push route 10.10.10.0 255.255.255.0

Hope this helps,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Crystal Reports - New Free Runtime and 30 Day Trial
Check out the new simplified licensing option that enables unlimited
royalty-free distribution of the report engine for externally facing 
server and web deployment.
http://p.sf.net/sfu/businessobjects