On 10/12/2018 05:20 PM, Alex wrote:
> Hi,
>
> I'm running shorewall-5.2.0.4 on fedora28 and using it with
> libreswan-3.27. I'm trying to build a net-to-net VPN as well as a
> host-to-host VPN using libreswan and trying to figure out the best way
> to protect them using shorewall.
>
> Both VPNs originate from our main external gateway, 68.195.192.42
> (orion). Our local network, 192.168.1.0/24 is behind it, currently
> being masqueraded using shorewall and iptables.
>
> I'd like to build the net-to-net VPN to 65.46.71.6 (cyclops) and the
> host-to-host VPN to 107.154.66.2 (arcade).
>
> I've defined four zones:
> fw - firewall
> ext - external (ipv4)
> int - internal LAN (ipv4)
> vpn - ipsec
>
> I don't believe my tunnels are set up correctly, though. There are
> still rejects from the remote firewall in the logs:
>
> [173907.906648] ext-fw REJECT IN=br0 OUT=
> MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=65.46.71.6
> DST=68.195.192.42 LEN=628 TOS=0x00 PREC=0x00 TTL=52 ID=190 DF
> PROTO=UDP SPT=500 DPT=500 LEN=608
>
> Is this being caused by an incorrect policy? Should it be necessary to
> have individual rules allowing esp and UDP 500, or is that what the
> ipsec designation is for in the zones file?
>
> I'm trying to follow the IPSEC-2.6.html page and it's confusing. It
> never explicitly states what the 'loc' and 'net' zones actually are,
> and it appears to contradict itself with regards to the zone file.
>
> It would be helpful if the full configuration was provided in the
> "IPsec Gateway on the Firewall System" example.
>
> Here is the configuration I've set on our local side (orion). The
> remote side (cyclops) is just a simple iptables firewall. I'm hoping
> someone can review and give me an idea of why it's failing.
>
> tunnels:
> ipsec vpn 65.46.71.6
This should be:

ipsec ext 64.46.71.6

-Tom

--
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
 \_______________________________________________
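As an added example (not code from the thread or from the Shorewall project): a small parser for the REJECT line Alex quoted, which picks out dropped IKE (UDP 500/4500) and ESP/AH packets whose source is one of the configured tunnel peers. Rejects of that kind from a known peer are the symptom to look for when the tunnels entry names the wrong zone. The peer table and the two extra log lines are constructed for the example; the 4500 port and AH protocol are included as the general case beyond the single line on the page.

```python
import re

# Constructed sample: the REJECT line from the thread, plus a constructed ESP
# reject from the same peer and an unrelated SSH reject from another host.
SAMPLE_LOG = """\
[173907.906648] ext-fw REJECT IN=br0 OUT= MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=65.46.71.6 DST=68.195.192.42 LEN=628 TOS=0x00 PREC=0x00 TTL=52 ID=190 DF PROTO=UDP SPT=500 DPT=500 LEN=608
[173910.100000] ext-fw REJECT IN=br0 OUT= MAC=00:00:00:00:00:00 SRC=65.46.71.6 DST=68.195.192.42 LEN=120 TOS=0x00 PREC=0x00 TTL=52 ID=191 DF PROTO=ESP SPI=0x1234abcd
[173911.200000] ext-fw REJECT IN=br0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.9 DST=68.195.192.42 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=192 DF PROTO=TCP SPT=40000 DPT=22
"""

# Constructed peer table, as one would copy it from the tunnels file entries.
TUNNEL_PEERS = {"65.46.71.6": "cyclops", "107.154.66.2": "arcade"}

# "[timestamp] <log prefix> <disposition> key=value ..." as the thread shows it.
LOG_RE = re.compile(r"^\[\s*[\d.]+\]\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<kv>.*)$")

def parse_netfilter_line(line):
    """Return a dict of the netfilter log fields, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("kv").split():
        key, sep, val = tok.partition("=")
        if sep:
            # The first LEN is the IP length; the second (UDP payload) is ignored.
            fields.setdefault(key, val)
        else:
            fields[tok] = True  # bare flags such as DF
    return fields

def is_ipsec_control_traffic(fields):
    """IKE (UDP 500), NAT-T (UDP 4500), ESP or AH: what an ipsec tunnel entry must open."""
    proto = fields.get("PROTO")
    if proto in ("ESP", "AH"):
        return True
    return proto == "UDP" and fields.get("DPT") in ("500", "4500")

def find_rejected_ipsec(log_text, peers):
    """List (peer name, src, chain, proto, dport) for rejected IPsec traffic from known peers."""
    findings = []
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if not f or f["action"] not in ("REJECT", "DROP"):
            continue
        if f.get("SRC") in peers and is_ipsec_control_traffic(f):
            findings.append((peers[f["SRC"]], f["SRC"], f["chain"], f["PROTO"], f.get("DPT")))
    return findings

if __name__ == "__main__":
    for hit in find_rejected_ipsec(SAMPLE_LOG, TUNNEL_PEERS):
        print("rejected IPsec traffic from tunnel peer %s (%s) in chain %s: %s dpt=%s" % hit)
```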
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users