Shorewall users - Jul 2010 - ipsec with snat not working for me. can someone help me?

hi,
i try to real all kind of documentation, but still not able to setup
properly my network.
we''ve got a firewall which has:
- eth1 network interface public ip address a.b.c.d
- eth0 lan 172.22.80.1/24
- tun0 openvpn server''s interface running on this firewall
192.168.255.1/24

at the same time on this fierwall there is an ipsec tunnel to remote
gateway x.y.z.w. behind the remote rateway there are a dozens of network
which are all accessed through this ipsec tunnel. we use openswan for
the ipsec. the ipsec tunnel working when we try to access from the lan
(172.22.80.0/24), but unfortunately the remore cisco gateway configured
to only allow host from this lan to access to the remote networks. but
we''d like to access from our vpn network too. so i assume i can
snat/masq on the firewall from 192.168.255.0/24 to 172.22.80.1 and then
it''ll work. but i''m not able to make it work. ie when i try to
ping from
192.168.255.1 to any remote address then the icmp packets goes out on
eth1 _without_ ipsec put it into the tunnel.
i read in shorewall''s ipsec howto:
-----------------------------------
"In /etc/shorewall/masq, traffic that will later be encrypted is
exempted from MASQUERADE/SNAT using existing entries. If you want to
MASQUERADE/SNAT outgoing traffic that will later be encrypted, you must
include the appropriate indication in the new IPSEC column in that file."
-----------------------------------
but what does it means? i put into my masq file:
-----------------------------------
$NET_IF:$REMOTE_NET $VPNS_NET $LAN_IP - - mode=tunnel
-----------------------------------
but try many others. none of them working. what should i''ve to write
into this file in order to be able masq all traffic from the vpn network
to the remote network to my lan interface''s address?
thanks in advance.
regards.

-- 
  Levente                               "Si vis pacem para bellum!"

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

On 7/17/10 8:54 AM, Farkas Levente wrote:
> but what does it means?
It means that column is not relevant to your problem - LEAVE IT EMPTY.

 i put into my masq file:
> -----------------------------------
> $NET_IF:$REMOTE_NET $VPNS_NET $LAN_IP - - mode=tunnel
> -----------------------------------
> but try many others. none of them working. what should i''ve to
write
> into this file in order to be able masq all traffic from the vpn network
> to the remote network to my lan interface''s address?
How could we possibly know? You show us a bunch of shell variables but
don''t tell us what their values are? As always when there is a
connection problem, I don''t want to see configuration file contents; I
want to see the output of ''shorewall dump''.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first

On 7/17/10 5:54 PM, Tom Eastep wrote:
> On 7/17/10 8:54 AM, Farkas Levente wrote:
> 
>> but what does it means?
> 
> It means that column is not relevant to your problem - LEAVE IT EMPTY.
> 
>  i put into my masq file:
>> -----------------------------------
>> $NET_IF:$REMOTE_NET $VPNS_NET $LAN_IP - - mode=tunnel
>> -----------------------------------
>> but try many others. none of them working. what should i''ve to
write
>> into this file in order to be able masq all traffic from the vpn
network
>> to the remote network to my lan interface''s address?
> 
> How could we possibly know? You show us a bunch of shell variables but
> don''t tell us what their values are? As always when there is a
> connection problem, I don''t want to see configuration file
contents; I
> want to see the output of ''shorewall dump''.
Basically, you must construct a rule that will give the packets a source
IP address that is covered by your security policies.

Beware, however, that I have been working with another Shorewall user
(Brian Murrell) who is trying to do a similar thing and we are finding
that return packets are being mysteriously dropped in
pre-routing/routing (they are going through the mangle PREROUTING chain
but are not reaching either the FORWARD or INPUT chains). So I can''t
guarantee that you will find any solution to this problem.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first