Well, it wasn't too difficult, it is running right now, and added masq from
the remote site through this host in just 5 minutes. The problem I've found
is the policy match that Shorewall is adding to the interface's zone chain
rules "policy match dir in pol none" (eg. rule 2 in vlan4_in) lets ESP
through, then blocks the GRE but never gets stripped to the raw data packets
because it is rejected.
If I add -- like you see below -- the 3rd rule everything works great; ESP
gets in through rule 2 and once in inet2fw there gets accepted by rule 3.
GRE then gets pulled from the ESP and gets through vpn4_1 to inet2fw through
rule 3 and accepted by rule 5, then the raw data gets stripped and shows up
in INPUT as IN=vpn1 and sent down the vpn1_in chain and via rule 2 into
evl2fw and accepted there because of evl2fw's generous rules.
There is obviously a bit of a dichotomy with how netfilter reacts to the
packets. Basically it deems ESP packets a match to the inbound policy, not
GRE, but the raw packets again are accepted by the policy match. With just
rule 1 & 2 in vlan4_in (default generated by Shorewall) the setup doesn't
work, but adding by hand with iptables rule 3 (Or replacing rule 2 with rule
3) everything works great.
I've made a quick post to the netfilter list to see if maybe it's a bug or
if that is how it is supposed to work. If it turns out not to be a bug I
need to find a way to make Shorewall not put that policy match on the zone
rules, as well as understand why it is there in the first place.
Chain vlan4_in (1 references)
pkts bytes target prot opt in out source
destination
12 1265 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
3617 652K inet2fw all -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
3543 476K inet2fw all -- * * 0.0.0.0/0
0.0.0.0/0
Chain inet2fw (2 references)
pkts bytes target prot opt in out source
destination
7484 1185K ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0
0.0.0.0/0 tcp dpt:22
0 0 ACCEPT esp -- * * 67.42.31.242
0.0.0.0/0
0 0 ACCEPT udp -- * * 67.42.31.242
0.0.0.0/0 udp dpt:500
0 0 ACCEPT 47 -- * * 67.42.31.242
0.0.0.0/0
12 1265 inet2all all -- * * 0.0.0.0/0
0.0.0.0/0
Chain vpn1_in (1 references)
pkts bytes target prot opt in out source
destination
3 228 dynamic all -- * * 0.0.0.0/0
0.0.0.0/0 state INVALID,NEW
311 24516 evl2fw all -- * * 0.0.0.0/0
0.0.0.0/0 policy match dir in pol none
Chain evl2fw (1 references)
pkts bytes target prot opt in out source
destination
341 26724 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0 state RELATED,ESTABLISHED
3 228 ACCEPT all -- * * 0.0.0.0/0
0.0.0.0/0
Josh
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrew
Suffield
Sent: Friday, January 05, 2007 12:57 AM
To: [email protected]
Subject: Re: [Shorewall-users] GRE over IPSec VPN
On Thu, Jan 04, 2007 at 08:46:24PM -0700, Joshua Perry wrote:
> -GRE/IPSec is pretty industry standard at this point, our cisco gear
> supports it, our Watchguard supports it, so if I needed to I would be able
> to support something besides a remote pc host.
This is possibly the only good reason for using ipsec for something -
compatibility with stuff like cisco kit. So maybe you do have reason
for the pain. It's still not a reason to use GRE (that's intended for
a provider-client relationship, where the client doesn't know about
the guts of the provider's network). ipsec alone would probably
suffice.
> So, I guess this may over all be a configuration that is not supported by
> shorewall. If that is the case I guess I have the options of managing the
> chains by hand or using OpenVPN instead of GRE over IPSec.
Oh, you can almost certainly get it to work with shorewall - it's just
needlessly difficult to understand and debug the thing. The issue is
not whether it's possible, but whether it's worth the effort.
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users