http://www.shorewall.net/IPSEC-2.6.html#GwFw

I'm trying to set up a test of this, though a little less complex on the ipsec side (manual keys, no racoon, only ESP on the tunneled traffic between the private networks). I think I've screwed something up, but I'll ask a stupid question first.

Once I've done the things on that page, should there automatically be a route created on each shorewall box to send traffic between the two private networks?

Will NULL_ROUTE_RFC1918=Yes affect things?

Thanks,
Brad C

------------------------------------------------------------------------------
The Palm PDK Hot Apps Program offers developers who use the Plug-In Development Kit to bring their C/C++ apps to Palm for a share of $1 Million in cash or HP Products. Visit us here for more details: http://p.sf.net/sfu/dev2dev-palm
On 7/28/10 4:55 PM, Brad Clarke wrote:
> http://www.shorewall.net/IPSEC-2.6.html#GwFw
>
> I'm trying to set up a test of this, though a little less complex on
> the ipsec side (manual keys, no racoon, only ESP on the tunneled
> traffic between the private networks). I think I've screwed something
> up, but I'll ask a stupid question first.
>
> Once I've done the things on that page, should there automatically
> be a route created on each shorewall box to send traffic between the
> two private networks?

No.

> Will NULL_ROUTE_RFC1918=Yes affect things?

Only if you are trying to tunnel traffic to a remote RFC 1918 network. In that case, NULL_ROUTE_RFC1918 will break your configuration unless you add a static route to the remote network via your firewall's default gateway.

-Tom

-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
On Wed, Jul 28, 2010 at 7:03 PM, Tom Eastep <teastep@shorewall.net> wrote:
> On 7/28/10 4:55 PM, Brad Clarke wrote:
>> http://www.shorewall.net/IPSEC-2.6.html#GwFw
>>
>> I'm trying to set up a test of this, though a little less complex on
>> the ipsec side (manual keys, no racoon, only ESP on the tunneled
>> traffic between the private networks). I think I've screwed something
>> up, but I'll ask a stupid question first.
>>
>> Once I've done the things on that page, should there automatically
>> be a route created on each shorewall box to send traffic between the
>> two private networks?
>
> No.
>
>> Will NULL_ROUTE_RFC1918=Yes affect things?
>
> Only if you are trying to tunnel traffic to a remote RFC 1918 network.
> In that case, NULL_ROUTE_RFC1918 will break your configuration unless
> you add a static route to the remote network via your firewall's default
> gateway.
>
> -Tom

Turns out it was a little of both: I had typed the wrong IP for one of my gateways in a lot of places and NULL_ROUTE_RFC1918 was causing problems. An "ip route add" of the required routes in /etc/shorewall/init and "ip route del" in /etc/shorewall/clear seems to handle it.

Thanks for the help,
Brad C
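Why Tom's static route fixes the problem, as an added illustration that is not part of the thread and not Shorewall's code: the kernel picks the most specific matching route (longest-prefix match), so a /24 route to the remote private network via the default gateway beats the /8, /12 or /16 null route that NULL_ROUTE_RFC1918 installs, while every other RFC 1918 destination stays null-routed. The model below simulates that selection; the gateway and network addresses, the route types, and the `ip route` lines it produces for /etc/shorewall/init and /etc/shorewall/clear (the placement Brad used) are assumptions, not values from the thread.

```python
import ipaddress

# Constructed model of kernel route selection. A route is a pair
# (prefix, action) where action is ("via", gateway) for a normal route or
# ("blackhole", None) for a null route. Shorewall's exact null-route type is
# not stated in the thread; "blackhole" is an assumption for the model.

DEFAULT_GW = "203.0.113.1"          # assumed firewall default gateway (TEST-NET-3)
REMOTE_PRIVATE_NET = "10.2.0.0/24"  # assumed remote private network behind the tunnel
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, action in routes:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, action)
    return best[1] if best else None


def build_table(null_route_rfc1918=True, static_route=None, gw=DEFAULT_GW):
    """Build a routing table: default route, optional RFC 1918 null routes,
    and an optional static route to the remote network via the gateway."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), ("via", gw))]
    if null_route_rfc1918:
        for net in RFC1918:
            routes.append((ipaddress.ip_network(net), ("blackhole", None)))
    if static_route:
        routes.append((ipaddress.ip_network(static_route), ("via", gw)))
    return routes


def extension_script_lines(remote_net=REMOTE_PRIVATE_NET, gw=DEFAULT_GW):
    """The two commands Brad describes: add the route in /etc/shorewall/init,
    delete it in /etc/shorewall/clear. Returned as a dict of script -> command."""
    return {
        "/etc/shorewall/init": f"ip route add {remote_net} via {gw}",
        "/etc/shorewall/clear": f"ip route del {remote_net} via {gw}",
    }


if __name__ == "__main__":
    host = "10.2.0.5"  # a host on the remote private network
    print("no null routes:     ", lookup(build_table(null_route_rfc1918=False), host))
    print("null routes only:   ", lookup(build_table(), host))
    print("with static route:  ", lookup(build_table(static_route=REMOTE_PRIVATE_NET), host))
    print("other RFC 1918 host:", lookup(build_table(static_route=REMOTE_PRIVATE_NET), "10.9.9.9"))
    for script, cmd in extension_script_lines().items():
        print(f"{script}: {cmd}")
```

The fourth lookup is the check worth keeping in mind: the static route only uncovers the one remote prefix, so the null routes still drop traffic to every other private address, which is the protection NULL_ROUTE_RFC1918 is there to give. A wrong gateway address in the static route, the other half of Brad's problem, would show up here as a route that still matches but points nowhere useful.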