[Openswan Users] Problems with OpenSwan, Shorewall and NATting
No body is Perfect
moretti at labor-enders.de
Fri Nov 17 10:21:30 EST 2006
Hi!
Read http://www.shorewall.net/VPNBasics.html, but first read
http://www.shorewall.net/Multiple_Zones.html (for nested and parallel zones).
"Davide Ferrari" <davide.ferrari at atrapalo.com> wrote in message
news:200611171319.14000.davide.ferrari at atrapalo.com...
> Hi
>
> I'm trying to establish a VPN tunnel between a Linux firewall (2.6.17 and
> openswan 2.4.4) and a remote Cisco VPN3000.
>
> Till now, I've managed to get openswan configured and correctly bringing up a
> tunnel with the remote Cisco concentrator.
>
> LEGEND:
> XXX.XXX.XXX.XXX = local public IP address
> YYY.YYY.YYY.YYY = remote public IP address
>
> This is the output of ipsec auto --status
>
> 000 #2: "my-tunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26855s; newest IPSEC; eroute owner
> 000 #2: "my-tunnel" esp.607e0b4c at YYY.YYY.YYY.YYY esp.d0fe092 at XXX.XXX.XXX.XXX tun.0 at YYY.YYY.YYY.YYY tun.0 at XXX.XXX.XXX.XXX
> 000 #1: "my-tunnel":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84745s; newest ISAKMP; lastdpd=7s(seq in:25141 out:0)
>
> anyway, this is my ipsec.conf
>
> conn my-tunnel
>     type=tunnel
>     left=XXX.XXX.XXX.XXX
>     leftsubnet=172.23.92.13/32
>     leftsourceip=172.23.92.13
>     right=YYY.YYY.YYY.YYY
>     rightsubnet=7.2.1.0/24
>     authby=secret
>     esp=3des-sha1-96
>     #ah=hmac-sha1-96
>     keyexchange=ike
>     ikelifetime=24h
>     keylife=8h
>     dpddelay=10
>     pfs=no
>     auto=start
>
> ** ip addr show
> 2: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:02:b3:3b:36:b3 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
> 3: eth1: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
>     link/ether 00:02:b3:c2:0c:bc brd ff:ff:ff:ff:ff:ff
>     inet XXX.XXX.XXX.XXX/24 brd 80.34.171.255 scope global eth1
>     inet 172.23.92.13/32 scope global eth1
>
> ** ip route show
> XXX.XXX.XXX.0/24 dev eth1 proto kernel scope link src XXX.XXX.XXX.XXX
> 192.168.3.0/24 dev eth3 proto kernel scope link src 192.168.3.1
> 192.168.2.0/24 dev eth2 proto kernel scope link src 192.168.2.1
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
> 127.0.0.0/8 dev lo scope link
> default via XXX.XXX.XXX.1 dev eth1
>
> this is my conf in shorewall:
>
> ** zones:
> fw firewall
> net ipv4
> loc ipv4
> vpn ipsec
>
> ** interfaces
> loc eth0 detect
> net eth1 detect
>
> ** hosts:
> vpn eth1:7.2.1.0/24,YYY.YYY.YYY.YYY ipsec
>
> ** tunnels
> ipsec net YYY.YYY.YYY.YYY vpn
>
> ** zones
> ACCEPT loc vpn tcp 8050
> (I have to connect to a remote server on this port)
>
> note:
> the "fw" zone has everything opened to the "net" zone.
>
> ** nat
> 172.23.92.13 eth1 192.168.1.220
>
>
> The last file is "nat", and I use it because my idea is that all the traffic
> that goes from 192.168.1.220 and points to a VPN address (7.2.1.0/24) should
> pass through the VPN.
> And this works (pings, telnets, etc.) BUT there is a huge problem: shorewall
> considers that all the traffic coming from 192.168.1.220 to 7.2.1.0/24 has to
> obey the "net" zone rules, not the "vpn" zone ones.
> Moreover, 192.168.1.220 cannot go through the *real* "net" zone (the
> internet).
> I'm assuming there is some routing problem, but I cannot get it... and why
> does shorewall consider the remote VPN address as a "net" address for the
> NATted local IP?
>
> Thanks in advance
>
> --
> Davide Ferrari
> System Administrator
> http://www.atrapalo.com
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
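An added illustration, not part of the thread and not Shorewall's or Openswan's code, of why a one-to-one NAT and an IPsec policy selector can disagree about which zone a packet belongs to. It models the quoted ipsec.conf selectors (172.23.92.13/32 to 7.2.1.0/24) and the quoted nat entry (192.168.1.220 mapped to 172.23.92.13), and assumes, as netfilter does, that the FORWARD chain (where a zone decision on the outgoing side is made) runs before POSTROUTING SNAT. Under that assumption a policy match in FORWARD sees the pre-NAT source 192.168.1.220, which is outside the tunnel selector, so the packet falls through to the plain "net" zone even though it is later SNATed and encrypted. The zone names and the `snat()`/`zone_*` helpers are constructed for this example.

```python
"""Constructed model: IPsec policy selector versus one-to-one NAT ordering.

Assumptions (not taken from the thread, labelled here):
  - TUNNEL mirrors the quoted ipsec.conf: leftsubnet 172.23.92.13/32,
    rightsubnet 7.2.1.0/24.
  - ONE_TO_ONE mirrors the quoted shorewall 'nat' entry.
  - A zone decision in FORWARD is evaluated on the pre-SNAT source address,
    because netfilter runs FORWARD before POSTROUTING SNAT.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One IPsec policy selector (source subnet <-> destination subnet)."""
    name: str
    src: IPv4Network
    dst: IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return ip_address(src) in self.src and ip_address(dst) in self.dst


# Selector of the tunnel from the quoted ipsec.conf.
TUNNEL = Policy("my-tunnel", ip_network("172.23.92.13/32"), ip_network("7.2.1.0/24"))

# One-to-one NAT from the quoted shorewall 'nat' file: internal -> external.
ONE_TO_ONE = {"192.168.1.220": "172.23.92.13"}


def snat(src: str) -> str:
    """Source address after POSTROUTING one-to-one NAT (identity if unmapped)."""
    return ONE_TO_ONE.get(src, src)


def zone_in_forward(src: str, dst: str, policy: Policy = TUNNEL) -> str:
    """Zone a FORWARD-chain IPsec policy match would assign: pre-NAT source."""
    return "vpn" if policy.matches(src, dst) else "net"


def zone_after_snat(src: str, dst: str, policy: Policy = TUNNEL) -> str:
    """Zone the same selector would assign if it saw the post-SNAT source."""
    return "vpn" if policy.matches(snat(src), dst) else "net"


def explain(src: str, dst: str) -> dict:
    """Side-by-side view for one flow, handy when reasoning about a symptom."""
    return {
        "pre_nat_src": src,
        "post_nat_src": snat(src),
        "zone_in_forward": zone_in_forward(src, dst),
        "zone_after_snat": zone_after_snat(src, dst),
    }


if __name__ == "__main__":
    # The flow described in the thread: LAN host to the remote VPN subnet.
    print(explain("192.168.1.220", "7.2.1.5"))
    # The same destination from the firewall's own tunnel address.
    print(explain("172.23.92.13", "7.2.1.5"))
```

The first `explain()` call reproduces the symptom from the post: the flow is "net" when judged before NAT and "vpn" only after it. Tools that classify on the pre-NAT address (the FORWARD chain) and tools that act on the post-NAT address (the xfrm policy applied when the packet leaves) are looking at different packets, which is the check to make before touching the zone definitions.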
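A second added example, again not from the thread or from Openswan: a small parser for the `ipsec auto --status` state lines quoted above, of the kind a monitoring check would use to confirm that both the ISAKMP SA and the IPsec SA of a connection are established and to read the time until rekey. The sample status text is constructed to mirror the quoted output, with documentation addresses (198.51.100.1 and 203.0.113.2) standing in for the redacted XXX/YYY endpoints; the function names are this example's own.

```python
"""Constructed example: parse Openswan 'ipsec auto --status' state lines.

Only the '000 #N: "conn":port STATE_... (...)' lines are parsed; the
'esp.../tun...' detail line that follows an established SA is skipped.
"""
import re

# Constructed sample mirroring the quoted status output, with documentation
# addresses in place of the redacted public IPs.
STATUS = """\
000 #2: "my-tunnel":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26855s; newest IPSEC; eroute owner
000 #2: "my-tunnel" esp.607e0b4c@203.0.113.2 esp.d0fe092@198.51.100.1 tun.0@203.0.113.2 tun.0@198.51.100.1
000 #1: "my-tunnel":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84745s; newest ISAKMP; lastdpd=7s(seq in:25141 out:0)
"""

STATE_RE = re.compile(
    r'^000 #(?P<num>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) '
    r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\);(?P<rest>.*)$'
)
EVENT_RE = re.compile(r'(?P<event>EVENT_\w+) in (?P<secs>\d+)s')


def parse_status(text: str) -> list:
    """Return one dict per state line: sa number, conn, port, state, flags."""
    records = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue  # detail lines (esp./tun.) and other output are ignored
        rest = m.group("rest")
        ev = EVENT_RE.search(rest)
        records.append({
            "sa": int(m.group("num")),
            "conn": m.group("conn"),
            "port": int(m.group("port")),
            "state": m.group("state"),
            "description": m.group("desc"),
            "event": ev.group("event") if ev else None,
            "rekey_in": int(ev.group("secs")) if ev else None,
            "newest_ipsec": "newest IPSEC" in rest,
            "newest_isakmp": "newest ISAKMP" in rest,
        })
    return records


def tunnel_established(text: str, conn: str) -> bool:
    """True when conn has both an ISAKMP SA and an IPsec SA marked established."""
    recs = [r for r in parse_status(text) if r["conn"] == conn]
    has_ike = any("ISAKMP SA established" in r["description"] for r in recs)
    has_ipsec = any("IPsec SA established" in r["description"] for r in recs)
    return has_ike and has_ipsec


def soonest_rekey(text: str, conn: str):
    """Seconds until the earliest scheduled EVENT_SA_REPLACE for conn, or None."""
    secs = [r["rekey_in"] for r in parse_status(text)
            if r["conn"] == conn and r["event"] == "EVENT_SA_REPLACE"]
    return min(secs) if secs else None


if __name__ == "__main__":
    for rec in parse_status(STATUS):
        print(rec)
    print("established:", tunnel_established(STATUS, "my-tunnel"))
    print("rekey in:", soonest_rekey(STATUS, "my-tunnel"), "s")
```

In practice the text would come from `ipsec auto --status` (the command the post quotes) rather than the embedded sample; the parser is deliberately strict about the state-line shape so that a changed output format shows up as "no records" rather than as a false "established".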