Re: [Shorewall-users] FW: IPsec Tunnel as Default Gateway for Branch Offices

2017-12-06 Thread Jason Timmins
Hi Fellas,

What I'm trying to do is create a Shorewall configuration in our data centre to 
which branch offices can connect using a standard router and an IPsec tunnel. 
The on-premise router then sends ALL their traffic over the tunnel so that 
connectivity to the Internet (and the other branches) is managed centrally.

Tom and I got so far but it seems that the packets coming from the branch sites 
don't get NAT'd by Shorewall/Linux at the DC. The host simply puts them onto 
the Internet interface as if they were from an internal IP address.

It feels like it's close to working but we just need one final act of 
brilliance to get it sorted.

I've attached the files Bill asked for.

Cheers
Jason.

-Original Message-
From: Bill Shirley [mailto:b...@ultrapoly.polymerindustries.biz] 
Sent: 03 October 2017 17:25
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] FW: IPsec Tunnel as Default Gateway for Branch 
Offices

Post your Shorewall config files.
zones
interfaces
hosts
tunnels
snat

I've found running conntrack is sometimes helpful in diagnosing problems.
'conntrack -L 2>&1 | grep 10.1.4.41'

Bill

On 10/3/2017 5:37 AM, Jason Timmins wrote:
> Hi Tom,
>
> That's a shame. Are you thinking that others on the Shorewall mailing list 
> might be able to help?
>
> We're looking to connect remote sites to a central Shorewall-based firewall 
> and have their Internet traffic pass via that server (rather than going 
> direct.) However, Tom and I can't figure out why traffic from the IPsec 
> tunnels isn't being NAT'd by the firewall. Anyone else got any ideas?
>
> Cheers
> Jason.
>
> -Original Message-
> From: Tom Eastep [mailto:teas...@shorewall.net]
> Sent: 02 October 2017 17:11
> To: Jason Timmins <ja...@mbmltd.co.uk>
> Cc: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Subject: Re: FW: [Shorewall-users] IPsec Tunnel as Default Gateway for 
> Branch Offices
>
> On 10/01/2017 01:27 PM, Jason Timmins wrote:
>> Hi Tom,
>>
>> This trace file is a bit longer than I'd have liked but you should be able 
>> to find references to my machine, 10.1.4.41, trying to ping 8.8.8.8.
>>
> Okay -- you have no IPSEC policy covering these packets. What appears to be 
> happening is that once they get through the routing stage of the IP stack 
> flow, they are no longer processed by Netfilter (possibly because they match 
> neither 'pol ipsec' nor 'pol none'). As my own IPSEC foo is rather weak, my 
> attempts to produce a working IPSEC policy configuration for this case have 
> all failed.
>
> Regards,
>
> -Tom


--
Check out the vibrant tech community on one of the world's most engaging tech 
sites, Slashdot.org! http://sdm.link/slashdot 
___
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users




Re: [Shorewall-users] FW: IPsec Tunnel as Default Gateway for Branch Offices

2017-10-03 Thread Bill Shirley

Post your Shorewall config files.
zones
interfaces
hosts
tunnels
snat

I've found running conntrack is sometimes helpful in diagnosing problems.
'conntrack -L 2>&1 | grep 10.1.4.41'

Bill

On 10/3/2017 5:37 AM, Jason Timmins wrote:

> Hi Tom,
>
> That's a shame. Are you thinking that others on the Shorewall mailing list 
> might be able to help?
>
> We're looking to connect remote sites to a central Shorewall-based firewall and 
> have their Internet traffic pass via that server (rather than going direct.) 
> However, Tom and I can't figure out why traffic from the IPsec tunnels isn't 
> being NAT'd by the firewall. Anyone else got any ideas?
>
> Cheers
> Jason.
>
> -Original Message-
> From: Tom Eastep [mailto:teas...@shorewall.net]
> Sent: 02 October 2017 17:11
> To: Jason Timmins <ja...@mbmltd.co.uk>
> Cc: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Subject: Re: FW: [Shorewall-users] IPsec Tunnel as Default Gateway for Branch 
> Offices
>
> On 10/01/2017 01:27 PM, Jason Timmins wrote:
>> Hi Tom,
>>
>> This trace file is a bit longer than I'd have liked but you should be able to 
>> find references to my machine, 10.1.4.41, trying to ping 8.8.8.8.
>>
>
> Okay -- you have no IPSEC policy covering these packets. What appears to be 
> happening is that once they get through the routing stage of the IP stack flow, 
> they are no longer processed by Netfilter (possibly because they match neither 
> 'pol ipsec' nor 'pol none'). As my own IPSEC foo is rather weak, my attempts to 
> produce a working IPSEC policy configuration for this case have all failed.
>
> Regards,
>
> -Tom
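Bill's 'conntrack -L | grep 10.1.4.41' check tells you whether the gateway rewrote the source of a branch flow; the script below, added here and not part of the thread, shows how to read those lines. It parses constructed conntrack output (not Jason's real output) and flags flows from 10.1.4.41 whose reply tuple still points at the private address, i.e. flows that left the gateway without SNAT. 203.0.113.10 is an assumed DC public address and 198.51.100.7 an assumed Internet host.

```python
import re

# Constructed sample 'conntrack -L' lines (not Jason's real output): flows from the
# branch host 10.1.4.41 as seen on the DC gateway, whose assumed public address is
# 203.0.113.10. Flows 1 and 3 were source-NATed (the reply tuple's dst is the public
# address); flow 2 left the gateway un-NATed, the symptom described in the thread.
SAMPLE_CONNTRACK = """\
icmp     1 29 src=10.1.4.41 dst=8.8.8.8 type=8 code=0 id=4242 src=8.8.8.8 dst=203.0.113.10 type=0 code=0 id=4242 mark=0 use=1
icmp     1 29 src=10.1.4.41 dst=8.8.8.8 type=8 code=0 id=4243 [UNREPLIED] src=8.8.8.8 dst=10.1.4.41 type=0 code=0 id=4243 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.4.41 dst=198.51.100.7 sport=51000 dport=443 src=198.51.100.7 dst=203.0.113.10 sport=443 dport=51000 [ASSURED] mark=0 use=1
"""

# Each conntrack entry carries two address tuples: original direction, then reply.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+)")

def parse_conntrack_line(line):
    """Return (proto, original (src, dst), reply (src, dst)) for one conntrack line."""
    proto = line.split()[0]
    tuples = TUPLE_RE.findall(line)
    if len(tuples) != 2:
        raise ValueError("expected an original and a reply tuple: %r" % line)
    return proto, tuples[0], tuples[1]

def snat_applied(orig, reply):
    """conntrack records the reply tuple after NAT: if the reply's destination is
    not the original source, the gateway rewrote the source (SNAT/MASQUERADE)."""
    return reply[1] != orig[0]

def audit_flows(text, host):
    """Mimic 'conntrack -L | grep host': for each flow originated by `host`,
    return (proto, destination, source_natted)."""
    results = []
    for line in text.splitlines():
        if host not in line:
            continue
        proto, orig, reply = parse_conntrack_line(line)
        if orig[0] != host:          # exact match, not a substring hit
            continue
        results.append((proto, orig[1], snat_applied(orig, reply)))
    return results

if __name__ == "__main__":
    for proto, dst, natted in audit_flows(SAMPLE_CONNTRACK, "10.1.4.41"):
        print("%-4s -> %-15s %s" % (proto, dst, "SNAT ok" if natted else "NOT NAT'd"))
```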





Re: [Shorewall-users] FW: IPsec Tunnel as Default Gateway for Branch Offices

2017-10-03 Thread Tom Eastep
Hi Jason,

There is an article at https://libreswan.org/wiki/Subnet_extrusion that
discusses this configuration. The solution is expressed in *Swan syntax;
the basic features are:

- Both the left and right subnets are 0.0.0.0/0.
- On the responder side, a 'passthrough' policy is added to allow VPN
access to the local LAN(s).

Hope that helps,

-Tom

On 10/03/2017 02:37 AM, Jason Timmins wrote:
> Hi Tom,
> 
> That's a shame. Are you thinking that others on the Shorewall mailing list 
> might be able to help?
> 
> We're looking to connect remote sites to a central Shorewall-based firewall 
> and have their Internet traffic pass via that server (rather than going 
> direct.) However, Tom and I can't figure out why traffic from the IPsec 
> tunnels isn't being NAT'd by the firewall. Anyone else got any ideas?
> 
> Cheers
> Jason.
> 
> -Original Message-
> From: Tom Eastep [mailto:teas...@shorewall.net] 
> Sent: 02 October 2017 17:11
> To: Jason Timmins <ja...@mbmltd.co.uk>
> Cc: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Subject: Re: FW: [Shorewall-users] IPsec Tunnel as Default Gateway for Branch 
> Offices
> 
> On 10/01/2017 01:27 PM, Jason Timmins wrote:
>> Hi Tom,
>>
>> This trace file is a bit longer than I'd have liked but you should be able 
>> to find references to my machine, 10.1.4.41, trying to ping 8.8.8.8.
>>
> 
> Okay -- you have no IPSEC policy covering these packets. What appears to be 
> happening is that once they get through the routing stage of the IP stack 
> flow, they are no longer processed by Netfilter (possibly because they match 
> neither 'pol ipsec' nor 'pol none'). As my own IPSEC foo is rather weak, my 
> attempts to produce a working IPSEC policy configuration for this case have 
> all failed.
> 
> Regards,
> 
> -Tom
> 


-- 
Tom Eastep\   Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
  \___
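A simplified model of the SPD (xfrm policy) lookup behind Tom's diagnosis, added here as an illustration and not libreswan, Shorewall or kernel code: with only a branch-to-DC-LAN policy, the 10.1.4.41 -> 8.8.8.8 flow from the trace has no covering policy, while with 0.0.0.0/0 on both sides it is covered and a narrower passthrough keeps the DC's own LAN in the clear. The DC LAN 10.2.0.0/16, gateway address 10.2.0.1 and the exact passthrough selector are assumptions of this model; the linked libreswan article has the real conn definitions.

```python
import ipaddress

# Simplified model of the kernel's SPD lookup, added to illustrate Tom's diagnosis
# and the subnet-extrusion fix. Not libreswan, Shorewall or kernel code. Assumed
# (constructed) addressing: branch LAN 10.1.4.0/24 with host 10.1.4.41, DC LAN
# 10.2.0.0/16 with the gateway at 10.2.0.1.

def policy(src, dst, action):
    """One SPD entry: a (src, dst) selector plus what happens to matching packets,
    'tunnel' (protect with the IPsec SA) or 'passthrough' (allowed in the clear)."""
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), action)

def lookup(policies, src_ip, dst_ip):
    """Return the action of the most specific policy whose selector covers the
    flow, or None when nothing covers it. As with the policies libreswan installs,
    a narrower selector takes priority, so a specific passthrough beats a
    0.0.0.0/0 tunnel policy (priority modelled here as combined prefix length)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    best = None
    for psrc, pdst, action in policies:
        if s in psrc and d in pdst:
            specificity = psrc.prefixlen + pdst.prefixlen
            if best is None or specificity > best[0]:
                best = (specificity, action)
    return None if best is None else best[1]

# Before: the DC responder only had a policy for branch LAN <-> DC LAN.
ORIGINAL_SPD = [policy("10.1.4.0/24", "10.2.0.0/16", "tunnel")]

# After (subnet extrusion as summarised in the thread): both subnets 0.0.0.0/0,
# plus a passthrough for the DC's own LAN. The passthrough selector below is an
# assumption of this model: the gateway's traffic with its own LAN stays in the clear.
EXTRUSION_SPD = [
    policy("0.0.0.0/0", "0.0.0.0/0", "tunnel"),
    policy("10.2.0.0/16", "10.2.0.0/16", "passthrough"),
]

def branch_ping_to_internet(spd):
    """The flow from the thread's trace: 10.1.4.41 pinging 8.8.8.8 via the DC."""
    return lookup(spd, "10.1.4.41", "8.8.8.8")

if __name__ == "__main__":
    print("original SPD,  10.1.4.41 -> 8.8.8.8 :", branch_ping_to_internet(ORIGINAL_SPD))
    print("extrusion SPD, 10.1.4.41 -> 8.8.8.8 :", branch_ping_to_internet(EXTRUSION_SPD))
    print("extrusion SPD, 10.2.0.1 -> 10.2.1.5 :", lookup(EXTRUSION_SPD, "10.2.0.1", "10.2.1.5"))
```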





Re: [Shorewall-users] FW: IPsec Tunnel as Default Gateway for Branch Offices

2017-10-03 Thread Jason Timmins
Hi Tom,

That's a shame. Are you thinking that others on the Shorewall mailing list 
might be able to help?

We're looking to connect remote sites to a central Shorewall-based firewall and 
have their Internet traffic pass via that server (rather than going direct.) 
However, Tom and I can't figure out why traffic from the IPsec tunnels isn't 
being NAT'd by the firewall. Anyone else got any ideas?

Cheers
Jason.

-Original Message-
From: Tom Eastep [mailto:teas...@shorewall.net] 
Sent: 02 October 2017 17:11
To: Jason Timmins <ja...@mbmltd.co.uk>
Cc: Shorewall Users <shorewall-users@lists.sourceforge.net>
Subject: Re: FW: [Shorewall-users] IPsec Tunnel as Default Gateway for Branch 
Offices

On 10/01/2017 01:27 PM, Jason Timmins wrote:
> Hi Tom,
> 
> This trace file is a bit longer than I'd have liked but you should be able to 
> find references to my machine, 10.1.4.41, trying to ping 8.8.8.8.
> 

Okay -- you have no IPSEC policy covering these packets. What appears to be 
happening is that once they get through the routing stage of the IP stack flow, 
they are no longer processed by Netfilter (possibly because they match neither 
'pol ipsec' nor 'pol none'). As my own IPSEC foo is rather weak, my attempts to 
produce a working IPSEC policy configuration for this case have all failed.

Regards,

-Tom


Re: [Shorewall-users] FW: IPsec Tunnel as Default Gateway for Branch Offices

2017-10-02 Thread Tom Eastep
On 10/01/2017 01:27 PM, Jason Timmins wrote:
> Hi Tom,
> 
> This trace file is a bit longer than I'd have liked but you should be able to 
> find references to my machine, 10.1.4.41, trying to ping 8.8.8.8.
> 

Okay -- you have no IPSEC policy covering these packets. What appears to
be happening is that once they get through the routing stage of the IP
stack flow, they are no longer processed by Netfilter (possibly because
they match neither 'pol ipsec' nor 'pol none'). As my own IPSEC foo is
rather weak, my attempts to produce a working IPSEC policy configuration
for this case have all failed.

Regards,

-Tom