Well, it wasn't too difficult, it is running right now, and added masq from
the remote site through this host in just 5 minutes.  The problem I've found
is the policy match that Shorewall is adding to the interface's zone chain
rules "policy match dir in pol none" (eg. rule 2 in vlan4_in) lets ESP
through, then blocks the GRE but never gets stripped to the raw data packets
because it is rejected.
 
If I add -- like you see below -- the 3rd rule everything works great; ESP
gets in through rule 2 and once in inet2fw there gets accepted by rule 3.
GRE then gets pulled from the ESP and gets through vpn4_1 to inet2fw through
rule 3 and accepted by rule 5, then the raw data gets stripped and shows up
in INPUT as IN=vpn1 and sent down the vpn1_in chain and via rule 2 into
evl2fw and accepted there because of evl2fw's generous rules.

There is obviously a bit of a dichotomy with how netfilter reacts to the
packets.  Basically it deems ESP packets a match to the inbound policy, not
GRE, but the raw packets again are accepted by the policy match.  With just
rule 1 & 2 in vlan4_in (default generated by Shorewall) the setup doesn't
work, but adding by hand with iptables rule 3 (Or replacing rule 2 with rule
3) everything works great.

I've made a quick post to the netfilter list to see if maybe it's a bug or
if that is how it is supposed to work.  If it turns out not to be a bug I
need to find a way to make Shorewall not put that policy match on the zone
rules, as well as understand why it is there in the first place.

Chain vlan4_in (1 references)
 pkts bytes target     prot opt in     out     source
destination
   12  1265 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW
 3617  652K inet2fw    all  --  *      *       0.0.0.0/0
0.0.0.0/0           policy match dir in pol none
 3543  476K inet2fw    all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain inet2fw (2 references)
 pkts bytes target     prot opt in     out     source
destination
 7484 1185K ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0
0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     esp  --  *      *       67.42.31.242
0.0.0.0/0
    0     0 ACCEPT     udp  --  *      *       67.42.31.242
0.0.0.0/0           udp dpt:500
    0     0 ACCEPT     47   --  *      *       67.42.31.242
0.0.0.0/0
   12  1265 inet2all   all  --  *      *       0.0.0.0/0
0.0.0.0/0

Chain vpn1_in (1 references)
 pkts bytes target     prot opt in     out     source
destination
    3   228 dynamic    all  --  *      *       0.0.0.0/0
0.0.0.0/0           state INVALID,NEW
  311 24516 evl2fw     all  --  *      *       0.0.0.0/0
0.0.0.0/0           policy match dir in pol none

Chain evl2fw (1 references)
 pkts bytes target     prot opt in     out     source
destination
  341 26724 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0           state RELATED,ESTABLISHED
    3   228 ACCEPT     all  --  *      *       0.0.0.0/0
0.0.0.0/0


Josh

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew
Suffield
Sent: Friday, January 05, 2007 12:57 AM
To: [email protected]
Subject: Re: [Shorewall-users] GRE over IPSec VPN

On Thu, Jan 04, 2007 at 08:46:24PM -0700, Joshua Perry wrote:
> -GRE/IPSec is pretty industry standard at this point, our cisco gear
> supports it, our Watchguard supports it, so if I needed to I would be able
> to support something besides a remote pc host.

This is possibly the only good reason for using ipsec for something -
compatibility with stuff like cisco kit. So maybe you do have reason
for the pain. It's still not a reason to use GRE (that's intended for
a provider-client relationship, where the client doesn't know about
the guts of the provider's network). ipsec alone would probably
suffice.

> So, I guess this may over all be a configuration that is not supported by
> shorewall.  If that is the case I guess I have the options of managing the
> chains by hand or using OpenVPN instead of GRE over IPSec.

Oh, you can almost certainly get it to work with shorewall - it's just
needlessly difficult to understand and debug the thing. The issue is
not whether it's possible, but whether it's worth the effort.

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users


-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to