Hi, I'm running shorewall-5.2.0.4 on fedora28 and using it with libreswan-3.27. I'm trying to build a net-to-net VPN as well as a host-to-host VPN using libreswan and trying to figure out the best way to protect them using shorewall.
Both VPNs originate from our main external gateway, 68.195.192.42 (orion). Our local network, 192.168.1.0/24, is behind it, currently being masqueraded using shorewall and iptables. I'd like to build the net-to-net VPN to 65.46.71.6 (cyclops) and the host-to-host VPN to 107.154.66.2 (arcade).

I've defined four zones:

  fw  - firewall
  ext - external (ipv4)
  int - internal LAN (ipv4)
  vpn - ipsec

I don't believe my tunnels are set up correctly, though. There are still rejects from the remote firewall in the logs:

  [173907.906648] ext-fw REJECT IN=br0 OUT= MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=65.46.71.6 DST=68.195.192.42 LEN=628 TOS=0x00 PREC=0x00 TTL=52 ID=190 DF PROTO=UDP SPT=500 DPT=500 LEN=608

Is this being caused by an incorrect policy? Should it be necessary to have individual rules allowing esp and UDP 500, or is that what the ipsec designation is for in the zones file?

I'm trying to follow the IPSEC-2.6.html page and it's confusing. It never explicitly states what the 'loc' and 'net' zones actually are, and it appears to contradict itself with regard to the zones file. It would be helpful if the full configuration were provided in the "IPsec Gateway on the Firewall System" example.

Here is the configuration I've set on our local side (orion). The remote side (cyclops) is just a simple iptables firewall. I'm hoping someone can review and give me an idea of why it's failing.
tunnels:

  ipsec  vpn  65.46.71.6

interfaces:

  ext  br0   detect  tcpflags,nosmurfs,routefilter,logmartians
  int  eth1  detect  tcpflags,nosmurfs,routefilter,logmartians,routeback

zones:

  fw (firewall)
  vpn (ipsec4)
     br0:65.46.71.6,107.155.66.2
  ext (ipv4)
     br0:0.0.0.0/0
  int (ipv4)
     eth1:0.0.0.0/0

/etc/shorewall/zones:

  fw   firewall
  vpn  ipsec     mode=tunnel mss=1400
  ext  ipv4
  int  ipv4

hosts:

  vpn  br0:65.46.71.6,107.154.66.2  ipsec

policy:

  fw  => vpn  ACCEPT using chain fw-vpn
  fw  => ext  ACCEPT
  fw  => int  ACCEPT using chain fw-int
  vpn => fw   ACCEPT using chain vpn-fw
  vpn => ext  REJECT using chain vpn-ext
  vpn => int  ACCEPT using chain vpn-int
  ext => fw   REJECT using chain ext-fw
  ext => vpn  REJECT using chain ext-vpn
  ext => int  REJECT using chain ext-int
  int => fw   ACCEPT using chain int-fw
  int => vpn  ACCEPT using chain int-vpn
  int => ext  ACCEPT using chain int-ext
  int => int  ACCEPT using chain int-int
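To make log entries like the one quoted above easier to triage, here is an added example (not part of the original post and not Shorewall's own code) that parses the netfilter log format shown in the post and flags rejected IKE (UDP/500), NAT-T (UDP/4500) or ESP traffic arriving from the declared VPN peers. The peer list, the sample lines and the treatment of DROP like REJECT are assumptions made for this example.

```python
import re

# Constructed sample: the log line quoted in the post, plus one unrelated reject.
SAMPLE_LOGS = [
    "[173907.906648] ext-fw REJECT IN=br0 OUT= "
    "MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 "
    "SRC=65.46.71.6 DST=68.195.192.42 LEN=628 TOS=0x00 PREC=0x00 TTL=52 "
    "ID=190 DF PROTO=UDP SPT=500 DPT=500 LEN=608",
    "[173910.000001] ext-fw REJECT IN=br0 OUT= SRC=203.0.113.9 "
    "DST=68.195.192.42 LEN=60 TTL=50 ID=7 DF PROTO=TCP SPT=44321 DPT=22",
]

# Assumption: the VPN peers are exactly the ones listed in the post's hosts file.
VPN_PEERS = {"65.46.71.6", "107.154.66.2"}

# "[uptime] <chain> <verdict> key=value ..." as printed in the post.
LOG_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?P<chain>\S+)\s+(?P<verdict>\S+)\s+(?P<rest>.*)$")


def parse_netfilter_log(line):
    """Return a dict of the log fields, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "verdict": m.group("verdict")}
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # LEN appears twice; keep the IP-header value
        else:
            fields[tok] = True       # bare flags such as DF
    return fields


def is_ipsec_control_traffic(fields):
    """IKE, NAT-T keepalive/encapsulation, or raw ESP."""
    proto = fields.get("PROTO")
    if proto in ("ESP", "50"):
        return True
    return proto == "UDP" and fields.get("DPT") in ("500", "4500")


def classify(line, peers=VPN_PEERS):
    fields = parse_netfilter_log(line)
    if fields is None:
        return "unparsed"
    if fields["verdict"] not in ("REJECT", "DROP"):
        return "allowed"
    if fields.get("SRC") in peers and is_ipsec_control_traffic(fields):
        return "blocked-ipsec-from-peer"   # the case the post's log line shows
    return "blocked-other"
```

Running `classify` over each line of a firewall log and counting the "blocked-ipsec-from-peer" hits shows immediately whether the peer's IKE or ESP traffic is being caught by the ext-fw policy rather than reaching the vpn zone.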