[Openswan Users] SuSE 9.2 tunneling 2 LANS
Ludwig Nussel
ludwig.nussel at suse.de
Thu Mar 10 10:30:32 CET 2005
Tom Reijnders wrote:
> I solved my problems. I was struggling with the way ipsec is implemented in
> 6.2 and how to get the firewall (SuSEfirewall2) to handle it properly.
>
> In the end, it all boiled down to firewall configuration problems.
>
> - On the linux gateway I added:
> leftsourceip=<LAN IP address>
>
> (Or you have to set up a second tunnel to allow traffic from the public IP
> address to the other LAN)
> All this is necessary because of the way masquerading kicks in now.
>
> In the firewall (SuSEfirewall2) I had to (besides allowing the normal isakmp,
> esp, ah settings) set the TRUST_IPSEC to int and ALLOW_CLASS_ROUTING to true.
Keep in mind that ALLOW_CLASS_ROUTING affects all zones so if you
have e.g. two external zones you probably don't want to set that.
If your two networks are 10.10.0.0/16 and 192.168.1.0/24 something
like this might work as well:
FW_FORWARD="10.10.0.0/16,192.168.1.0/24,,,ipsec 192.168.1.0/24,10.10.0.0/16,,,ipsec"
FW_MASQ_NETS="0/0,!192.168.1.0/24"
(You still need to set FW_IPSEC_TRUST to something so that the ipsec
flag actually works as expected)
cu
Ludwig
--
(o_ Ludwig Nussel
//\ SUSE LINUX Products GmbH, Development
V_/_ http://www.suse.de/
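The two settings above combine a forward rule that only matches IPsec-protected traffic with a masquerading exclusion for the remote LAN. The script below is an added illustration, not code from the thread or from SuSEfirewall2: it parses FW_FORWARD entries in the "source,destination,protocol,port,flags" layout used in the message, prints the iptables FORWARD rule each entry stands for, and checks that FW_MASQ_NETS carries the "!net" exclusion for the far side of the tunnel. The mapping of the "ipsec" flag onto `-m policy --dir in --pol ipsec` is an assumption chosen to show the idea (accept only packets that arrived through an IPsec SA); the exact rules SuSEfirewall2 emits may differ.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): expand SuSEfirewall2-style
# FW_FORWARD entries into the iptables rules they represent and verify that
# FW_MASQ_NETS excludes the remote VPN network from masquerading.
# Field layout "source,destination,protocol,port,flags" and the mapping of the
# "ipsec" flag onto "-m policy --dir in --pol ipsec" are illustrative assumptions.

# Print the iptables FORWARD rule implied by one FW_FORWARD entry.
fw_forward_rule() {
    # IFS=, makes read keep empty fields (e.g. no protocol/port given)
    IFS=, read -r src dst proto port flags <<EOF
$1
EOF
    rule="iptables -A FORWARD -s $src -d $dst"
    [ -n "$proto" ] && rule="$rule -p $proto"
    [ -n "$port" ] && rule="$rule --dport $port"
    case ",$flags," in
        # "ipsec" flag: only accept traffic that was decapsulated from an IPsec SA
        *,ipsec,*) rule="$rule -m policy --dir in --pol ipsec" ;;
    esac
    echo "$rule -j ACCEPT"
}

# Expand a whole FW_FORWARD value (entries are separated by spaces).
fw_forward_rules() {
    for entry in $1; do
        fw_forward_rule "$entry"
    done
}

# Return 0 when FW_MASQ_NETS carries a "!net" exclusion for the given remote LAN.
# Masquerading happens before IPsec encapsulation, so without the exclusion the
# far LAN would see the gateway's public address instead of the local LAN hosts.
masq_excludes() {
    _nets="$1"; _lan="$2"
    for entry in $_nets; do
        case ",$entry," in
            *",!$_lan,"*) return 0 ;;
        esac
    done
    return 1
}

# Constructed sample matching the values from the message above.
FW_FORWARD="10.10.0.0/16,192.168.1.0/24,,,ipsec 192.168.1.0/24,10.10.0.0/16,,,ipsec"
FW_MASQ_NETS="0/0,!192.168.1.0/24"

fw_forward_rules "$FW_FORWARD"
if masq_excludes "$FW_MASQ_NETS" "192.168.1.0/24"; then
    echo "ok: 192.168.1.0/24 is excluded from masquerading"
else
    echo "warning: tunnelled traffic to 192.168.1.0/24 would be masqueraded"
fi
```

Run it with `sh script.sh`; swapping `FW_MASQ_NETS` for plain `"0/0"` shows the warning branch, which is the configuration that makes the remote LAN see only the gateway's public address.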