[Openswan Users] Problems with OpenSwan, Shorewall and NATting

Davide Ferrari davide.ferrari at atrapalo.com
Fri Nov 17 07:19:13 EST 2006


I'm trying to establish a vpn tunnel between a Linux firewall (2.6.17 and 
openswan 2.4.4) and a remote Cisco VPN3000.

Till now, I've managed to get openswan configured and correctly bringing up a 
tunnel with the remote Cisco concentrator.

XXX.XXX.XXX.XXX = local public IP address 
YYY.YYY.YYY.YYY = remote public IP address

This is the output of ipsec auto --status

000 #2: "my-tunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); 
EVENT_SA_REPLACE in 26855s; newest IPSEC; eroute owner
000 #2: "my-tunnel" esp.607e0b4c at YYY.YYY.YYY.YYY esp.d0fe092 at XXX.XXX.XXX.XXX 
tun.0 at YYY.YYY.YYY.YYY tun.0 at XXX.XXX.XXX.XXX
000 #1: "my-tunnel":500 STATE_MAIN_I4 (ISAKMP SA established); 
EVENT_SA_REPLACE in 84745s; newest ISAKMP; lastdpd=7s(seq in:25141 out:0)

Anyway, this is my ipsec.conf

conn my-tunnel
       type=           tunnel
       left=           XXX.XXX.XXX.XXX   #
       leftsubnet=  #
       leftsourceip=  #
       right=          YYY.YYY.YYY.YYY  #
       rightsubnet=      #
       authby=         secret  #
       esp=            3des-sha1-96    #
       #ah=             hmac-sha1-96    #
       keyexchange=    ike
       ikelifetime=    24h      #
       keylife=        8h     #
       dpddelay=       10      #
       pfs=            no
       auto=           start

** ip addr show
2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:3b:36:b3 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:c2:0c:bc brd ff:ff:ff:ff:ff:ff
    inet XXX.XXX.XXX.XXX/24 brd scope global eth1
    inet scope global eth1

** ip route show
XXX.XXX.XXX.0/24 dev eth1  proto kernel  scope link  src XXX.XXX.XXX.XXX
dev eth3  proto kernel  scope link  src
dev eth2  proto kernel  scope link  src
dev eth0  proto kernel  scope link  src
dev lo  scope link
default via XXX.XXX.XXX.1 dev eth1

this is my conf in shorewall:

** zones:
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec

** interfaces
loc     eth0            detect
net     eth1            detect

** hosts:
vpn     eth1:,YYY.YYY.YYY.YYY          ipsec

** tunnels
ipsec                   net     YYY.YYY.YYY.YYY  vpn

** zones
ACCEPT          loc                     vpn                     tcp     8050
(I have to connect to a remote server on this port)

the "fw" zone has everything opened to the "net" zone.

** nat    eth1  

The last file is "nat" and I use it because my idea is that all the traffic that 
goes from and points to a vpn address ( should pass 
through the vpn.
And this works (pings, telnets etc.) BUT there is a huge problem: shorewall 
considers that all the traffic coming from to has to obey 
the "net" zone rules, not the "vpn" zone ones.
Moreover, cannot go through the *real* "net" zone (the 
I'm assuming there is some routing problem but I cannot get it... and why 
does shorewall consider the remote vpn address as a "net" address for the 
NATted local IP?

Thanks in advance

Davide Ferrari
System Administrator
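The `ipsec auto --status` lines quoted in the post are what an operator would poll to confirm that both the ISAKMP (phase 1) and IPsec (phase 2) SAs are really up before blaming routing or Shorewall zoning. The following parser is an added example, not code from the post or from the Openswan project; the sample output is constructed from the quoted lines (the list archive rewrote `@` as ` at `, which the sample undoes), and the field names it returns are this example's own.

```python
import re

# Constructed sample of `ipsec auto --status`, modelled on the post's output.
SAMPLE_STATUS = """\
000 #2: "my-tunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26855s; newest IPSEC; eroute owner
000 #2: "my-tunnel" esp.607e0b4c@YYY.YYY.YYY.YYY esp.d0fe092@XXX.XXX.XXX.XXX tun.0@YYY.YYY.YYY.YYY tun.0@XXX.XXX.XXX.XXX
000 #1: "my-tunnel":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84745s; newest ISAKMP; lastdpd=7s(seq in:25141 out:0)
"""

# Matches the per-SA state lines; the SPI line (no ":port STATE_") is skipped.
STATE_LINE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\);(?: EVENT_\w+ in (?P<secs>\d+)s;)?(?P<flags>.*)$'
)


def parse_status(text):
    """Return {conn_name: {"isakmp": entry|None, "ipsec": entry|None}}."""
    conns = {}
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if not m:
            continue
        entry = {
            "num": int(m.group("num")),
            "state": m.group("state"),
            "established": "established" in m.group("desc"),
            "rekey_in_s": int(m.group("secs")) if m.group("secs") else None,
        }
        dpd = re.search(r"lastdpd=(\d+)s", m.group("flags"))
        entry["lastdpd_s"] = int(dpd.group(1)) if dpd else None
        c = conns.setdefault(m.group("conn"), {"isakmp": None, "ipsec": None})
        # Only the SA flagged "newest" of each kind carries traffic; older
        # ones linger until they expire, so they are ignored here.
        if "newest ISAKMP" in m.group("flags"):
            c["isakmp"] = entry
        elif "newest IPSEC" in m.group("flags"):
            c["ipsec"] = entry
    return conns


def tunnel_up(conns, name, min_rekey_s=0):
    """True if both phases are established and the IPsec SA has more than
    min_rekey_s seconds left before its scheduled replace."""
    c = conns.get(name)
    if not c or not c["isakmp"] or not c["ipsec"]:
        return False
    if not (c["isakmp"]["established"] and c["ipsec"]["established"]):
        return False
    rekey = c["ipsec"]["rekey_in_s"]
    return rekey is None or rekey > min_rekey_s


if __name__ == "__main__":
    print("my-tunnel up:", tunnel_up(parse_status(SAMPLE_STATUS), "my-tunnel"))
```

On a live box, feed it the real output with `parse_status(subprocess.check_output(["ipsec", "auto", "--status"], text=True))`.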