On 1/28/19 12:53 PM, Alex wrote:
> Hi,
>
>>> $ ping 192.168.11.1
>>> PING 192.168.11.1 (192.168.11.1) 56(84) bytes of data.
>>> From 192.168.1.1 icmp_seq=1 Destination Host Unreachable
>>>
>>> On orion (68.199.193.42):
>>> [393874.843186] FORWARD REJECT IN=eth1 OUT=br0
>>> MAC=0c:c4:7a:a9:18:df:4c:ed:fb:bb:47:93:08:00 SRC=192.168.1.7
>>> DST=192.168.11.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=47549 DF
>>> PROTO=ICMP TYPE=8 CODE=0 ID=26710 SEQ=2258
>>>
>> As explained in Shorewall FAQ 17, when packets are dropped/rejected in
>> the FORWARD chain, it means that either the SOURCE or the DEST does not
>> fall into any zone. In this case, the DEST is not in any zone
>> (192.168.11.0/24 does not appear anywhere in the ruleset).
>
> The 192.168.11.0/24 network is behind the other endpoint (remote)
> gateway. I need to have that network listed in the local gateway's
> hosts file? How do I determine which interface they should be bound to
> in interfaces? br0 is the external interface on the local gateway.

Since the subnet is remote, it should be associated with br0.

>
> # shorewall show zones
> Shorewall 5.2.0.4 Zones at orion.inside.example.com - Mon Jan 28 15:53:11 EST 2019
>
> fw (firewall)
> vpn (ipv4)
> ext (ipv4)
>    br0:0.0.0.0/0
> int (ipv4)
>    eth1:0.0.0.0/0
> dmz (ipv4)
> wyck1 (ipv4)
>    br0:192.168.11.0/24
> wyck2 (ipv4)
>    br0:192.168.10.0/24

That shows NO ipsec4 zones! Since you are using Libreswan, your remote
and local VPN zones must be of that type.

>
> I'm also confused on which document I'm supposed to be following. This
> one says it was last updated in Jun, 2018, but only references kernel
> 2.6. I'm of course using kernel-4.19. I'm assuming I also follow that
> document?
> http://shorewall.net/VPNBasics.html
>
> Does any of this configuration change since I'm using libreswan
> instead of openvpn? libreswan does not create a tun or ppp interface.
>

You should be using http://www.shorewall.org/IPSEC-2.6.html

The reason that the article mentions kernel 2.6 is that the entire
kernel and user space implementation of IPSEC changed in that release.

-Tom
--
Tom Eastep            \   Q: What do you get when you cross a mobster with
Shoreline,             \     an international standard?
Washington, USA         \ A: Someone who makes you an offer you can't
http://shorewall.org     \    understand
                          \_______________________________________________
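As an added illustration (not from this thread or from Shorewall's own documentation), here is how the zones and hosts entries on orion could look once the two remote-subnet zones are given the ipsec4 type that Tom says is required. Zone and interface names are taken from the `shorewall show zones` output above; the column layout follows Shorewall's whitespace-separated configuration files, and the "before" lines are assumed to be what produced that output.

```text
# /etc/shorewall/zones
# Before: wyck1 and wyck2 are plain ipv4 zones, which is what
# "shorewall show zones" above reports as "(ipv4)".
#ZONE    TYPE       OPTIONS    IN_OPTIONS    OUT_OPTIONS
#wyck1   ipv4
#wyck2   ipv4
#
# After: the zones on the far side of the Libreswan tunnel are
# declared as ipsec4 so Shorewall treats them as IPsec-protected.
#ZONE    TYPE       OPTIONS    IN_OPTIONS    OUT_OPTIONS
fw       firewall
ext      ipv4
int      ipv4
dmz      ipv4
wyck1    ipsec4
wyck2    ipsec4

# /etc/shorewall/hosts
# The remote subnets stay bound to br0, the external interface,
# because that is the interface the tunnel traffic arrives on.
#ZONE    HOST(S)                   OPTIONS
wyck1    br0:192.168.11.0/24
wyck2    br0:192.168.10.0/24
```

After reloading, `shorewall show zones` should list wyck1 and wyck2 as `(ipsec4)` rather than `(ipv4)`; if they still show as ipv4, the zones file edit has not been picked up.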
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users