Hello,

We have been trying to configure a GRE/IPSEC tunnel between our Fedora 11 firewall (with Shorewall 4.2 and ipsec-tools 0.7.2) and a Cisco firewall.

Please note that the use of GRE is NOT optional in our case. I know some might suggest using some other type of VPN configuration, but we are interfacing with a Cisco firewall belonging to a corporation in Latin America, so we need to use GRE with IPSEC.

First, let me tell you a little about our network. The internal subnet of our network is 172.27.12.0/24, and the internal subnet of the remote network (with the Cisco firewall) is 172.16.184.0/21.

The most difficult thing I have to understand is the following. This is from the Cisco FW:

  interface LoopbackX
   ip address 10.216.91.168 255.255.255.255

  interface TunnelX
   description TUNEL-GRE
   ip address 172.16.184.1 255.255.248.0
   tunnel source LoopbackX
   tunnel destination 10.15.25.225
  end

My question is relatively simple: how do I configure the loopback address 10.15.25.225/32 in Shorewall in order to connect with this Cisco FW? That is, how do I configure Shorewall so that the tunnel source is 10.15.25.225/32 and the tunnel destination is 10.216.91.168/32?

So here's the final question:

*** How do I configure Shorewall to use loopback addresses with GRE as in the above Cisco configuration example? ***

Thanks for any assistance you can provide!

Many thanks,
Jesse L. Zamora
Michael Weickel - iQom Business Services GmbH
2011-Mar-25 14:49 UTC
Re: Interfacing with Cisco GRE & IPSEC
First of all, it's very confusing that your tunnel dst and src on the Cisco are RFC1918 addresses. Those addresses are not routed within the bubble commonly known as the public internet. Don't mix those addresses up with your subnets that are to be routed WITHIN the tunnel itself. Tunnel src and dst are just outside the tunnel, to finally link the two GRE interfaces together; in your case the loopback on the Cisco and an interface IP on Shorewall. On Shorewall you don't have to create a loopback; you can just use an interface's native IP, and this will be your tunnel endpoint on Shorewall.

GRE on Shorewall is described here (it may help you as well):

http://www.shorewall.net/IPIP.htm

If your question is not how to establish a loopback on Shorewall but how to tell Shorewall that the Cisco's loopback should be used as the other endpoint of the tunnel, the answer is very simple. Just tell Shorewall the IP of the loopback as its tunnel destination and that's it. Shorewall of course doesn't care whether it's a virtual or physical IP on the other side; it's just routing, nothing else.

I hope I was able to help a bit.

Cheers,
Michael

-----Original Message-----
From: Jesse L. Zamora [mailto:xtremekforever@gmail.com]
Sent: Friday, 25 March 2011 13:34
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Interfacing with Cisco GRE & IPSEC

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Hello,

Thank you so much for the reply. That most definitely clears up some questions!! I think the reason that they use internal IPs is that the GRE data is encapsulated in an IPSEC tunnel. So I guess I could specify virtual local and remote interfaces in /etc/shorewall/tunnel like so:

  tunnel="mygre"
  myrealip="69.69.18.20"
  myip="172.27.12.1"
  hisip="10.216.91.168"
  gateway="200.39.21.10"
  subnet="172.16.184.0/21"

This should work with the Cisco configuration, right? I'm still unsure about whether to use 172.27.12.1 (the IP of the internal network interface on my firewall) or 10.15.25.225 (the IP the Cisco has configured as its tunnel destination) as the myip parameter, since after all the Cisco configuration doesn't use my IP address.

Here is the configuration I have in Shorewall:

/etc/shorewall/interfaces:
  vpn     mygre                  255.255.255.255

/etc/shorewall/hosts:
  vpn     mygre:200.39.21.10     ipsec

/etc/shorewall/tunnels:
  # GRE Tunnel
  gre     vpn     200.39.21.10
  # IPSEC Tunnel
  ipsec   vpn     200.39.21.10

Question: Would I need to specify the internal subnet of the Cisco router in /etc/shorewall/hosts as well? Also, having the gre and ipsec tunnels on the same gateway IP SHOULD cause the GRE packets to be encrypted with IPSEC, right? Just to double check this....

Thanks again,
Jesse L. Zamora
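As an added example (not code from the thread, from Shorewall, or from either firewall's configuration), the following POSIX shell script derives the Linux side of this GRE-over-IPsec setup from the Cisco stanza quoted above. It parses the Cisco snippet, then prints the ip(8) commands for the GRE interface, the setkey(8) policies for ipsec-tools, and the Shorewall tunnels/interfaces lines. The point it illustrates is the one both posts circle around: the Cisco "tunnel destination" (10.15.25.225) has to be an address the Linux box owns (here added to lo) and becomes the GRE "local" address; the Cisco loopback (10.216.91.168) is the GRE "remote"; the RFC1918 outer addresses never touch the internet because IPsec carries them, so the IPsec policy selects protocol GRE between the two loopbacks, in tunnel mode between the public addresses 69.69.18.20 and 200.39.21.10 given in the follow-up post. Assumed, because the thread does not give them: the interface names eth0 and gre1, the address 172.16.184.2 for the Linux end of the GRE link, and a Cisco crypto ACL of "permit gre host loopback host tunnel-destination" with IPsec in tunnel mode (the selectors must mirror whatever the Cisco actually uses).

```shell
#!/bin/sh
# Added example: derive the Linux/Shorewall side of a GRE-over-IPsec tunnel
# from the Cisco configuration quoted in the thread. Nothing is applied;
# the functions print what would be configured.

# Cisco configuration as quoted in the thread (constructed here as a string).
CISCO_CFG='interface loopbackX
 Ip address 10.216.91.168 255.255.255.255
interface TunnelX
 description TUNEL-GRE
 ip address 172.16.184.1 255.255.248.0
 tunnel source LoopbackX
 tunnel destination 10.15.25.225
end'

LOCAL_PUBLIC=69.69.18.20    # public IPs from the follow-up post; IPsec runs between them
CISCO_PUBLIC=200.39.21.10
LOCAL_INNER=172.16.184.2    # ASSUMED: Linux end of the GRE link, inside the Cisco Tunnel's /21
EXT_IF=eth0                 # ASSUMED: external interface name
GRE_IF=gre1                 # ASSUMED: GRE interface name

# "tunnel source LoopbackX": the address in the Cisco loopback stanza (GRE remote).
cisco_loopback() {
  printf '%s\n' "$CISCO_CFG" | awk '
    tolower($0) ~ /^interface loopback/ { f = 1; next }
    f && tolower($1) == "ip" && $2 == "address" { print $3; exit }'
}

# "tunnel destination": the address the Linux box must own and use as GRE local.
cisco_tunnel_dest() {
  printf '%s\n' "$CISCO_CFG" | awk '$1 == "tunnel" && $2 == "destination" { print $3; exit }'
}

# Address on the Cisco Tunnel interface: the GRE peer's inner address.
cisco_tunnel_inner() {
  printf '%s\n' "$CISCO_CFG" | awk '
    tolower($0) ~ /^interface tunnel/ { f = 1; next }
    f && tolower($1) == "ip" && $2 == "address" { print $3; exit }'
}

# ip(8) commands that build the GRE interface (to be run as root).
# The /32 route only has to send the loopback out the external interface;
# the IPsec tunnel-mode policy rewrites the outer path to the public peer.
gre_setup_commands() {
  lo=$(cisco_loopback); me=$(cisco_tunnel_dest); peer=$(cisco_tunnel_inner)
  cat <<EOF
# GRE peer (Cisco Tunnel interface address): $peer
ip addr add $me/32 dev lo
ip route add $lo/32 dev $EXT_IF
ip tunnel add $GRE_IF mode gre local $me remote $lo ttl 64
ip addr add $LOCAL_INNER/21 dev $GRE_IF
ip link set $GRE_IF up
EOF
}

# setkey(8) policies for ipsec-tools: ESP in tunnel mode between the public
# addresses, selecting only GRE (protocol 47) between the two loopbacks.
# ASSUMED: the Cisco crypto ACL is "permit gre host <loopback> host <dest>"
# with IPsec in tunnel mode; these selectors must mirror it exactly.
setkey_policy() {
  lo=$(cisco_loopback); me=$(cisco_tunnel_dest)
  cat <<EOF
spdflush;
spdadd $me/32 $lo/32 gre -P out ipsec esp/tunnel/$LOCAL_PUBLIC-$CISCO_PUBLIC/require;
spdadd $lo/32 $me/32 gre -P in ipsec esp/tunnel/$CISCO_PUBLIC-$LOCAL_PUBLIC/require;
EOF
}

# Shorewall entries: the IPsec gateway is the Cisco public address; the GRE
# gateway is the Cisco loopback, the source Shorewall sees after ESP decapsulation.
shorewall_entries() {
  lo=$(cisco_loopback)
  cat <<EOF
# /etc/shorewall/tunnels     TYPE    ZONE    GATEWAY
ipsec   net     $CISCO_PUBLIC
gre     net     $lo
# /etc/shorewall/interfaces  ZONE    INTERFACE   BROADCAST
vpn     $GRE_IF    -
EOF
}

case "${1:-}" in
  plan) gre_setup_commands; echo; setkey_policy; echo; shorewall_entries ;;
esac
```

Run as `sh gre-plan.sh plan` to print the three pieces. racoon negotiates the SAs for the policies; the setkey file only states what must be protected. If the Cisco side turns out to use transport mode, replace `esp/tunnel/<a>-<b>/require` with `esp/transport//require` on both lines; a mode or selector mismatch shows up as IKE phase 2 failing or as GRE leaving the box in the clear, so check with `setkey -DP` and a capture on the external interface for protocol 47 before trusting the link.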