Tom Eastep wrote:
Tom Eastep wrote:
Philipp Rusch wrote:
Hi all,
maybe this is a seldom need, but we have to route traffic between ipsec
zones and openvpn zones. This is on a SUSE 10.1 system with kernel 2.6.16 ....
and shorewall 4.0.4. I searched the documentation but couldn't find a
solution, I tried to define the "routeback" option on my openvpn zones, this did
not change a thing. As far as I understand this problem, my problem is that there
is no virtual device like ipsec0 anymore to which I could add routes to. OpenVPN
has its "tun" devices, this is no problem, but how to route between
these zones?
Any hint is much appreciated!
You simply define SPs on the gateways that require traffic between the two
endpoints to be encrypted. Normal routing takes over from there.
Is your problem that the forwarded traffic is being rejected by the firewall
as shown in the "Shorewall" log?
-Tom
Tom,
my problem is that traffic is going to the wrong zone.
When I try to access hosts in one of ipsec zones while I am sitting in an
openvpn zone, my packets travel to "net" and hence don't find their aim.
I have several openvpn tunnels defined in "tunnel", they work fine.
I am able to go from one openvpn zone to another openvpn host.
I have 60 ipsec tunnels which all go in one zone, which I defined in the
"hosts" file.
hosts:
#ZONE   HOST(S)                 OPTIONS
fil     eth1:172.30.0.0/16      ipsec
tunnels:
#TYPE               ZONE    GATEWAY         GATEWAY ZONE
ipsec               net     80.152.....
ipsec               net     80.152.....
and so on (many external fixed ips)
openvpnserver:5555  net     0.0.0.0/0       #Roadwarrior1
openvpnserver:5556  net     0.0.0.0/0       #Roadwarrior2
etc.
zone:
#ZONE   TYPE    OPTIONS         IN                      OUT
fil     ipsec   mode=tunnel     mss=1350,proto=esp      mss=1350,proto=esp
net     ipv4
loc     ipv4
vpn1    ipv4
vpn2    ipv4
I would expect that packets from vpn1 or vpn2 would go to the "fil" zone if
I addressed one of the 172.30.x.y IP-addresses, but they keep travelling
to "net".
- Philipp
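Added illustration, not from the thread: with an ipsec zone defined through the hosts file, Shorewall assigns a forwarded packet to "fil" only when the kernel's outbound SPD has a selector covering that packet's source and destination (the policy match that Tom's "define SPs on the gateways" advice relies on); a packet no SP covers falls through to the zone of its outgoing interface, here "net". The OpenVPN client subnets, LAN subnet, routing table and SPD entries below are constructed assumptions; only the fil/eth1/172.30.0.0/16 entry comes from the post.

```python
import ipaddress

Net = ipaddress.IPv4Network

# Constructed routing table (destination, outgoing interface); longest prefix wins.
ROUTES = [
    (Net("172.30.0.0/16"), "eth1"),   # remote ipsec sites, reached via eth1
    (Net("10.8.0.0/24"), "tun0"),     # assumed vpn1 client subnet
    (Net("10.9.0.0/24"), "tun1"),     # assumed vpn2 client subnet
    (Net("0.0.0.0/0"), "eth1"),       # default route
]
IFACE_ZONE = {"eth1": "net", "tun0": "vpn1", "tun1": "vpn2"}
# hosts entry from the post: fil eth1:172.30.0.0/16 ipsec
IPSEC_HOSTS = [("fil", "eth1", Net("172.30.0.0/16"))]


def out_iface(dst):
    """Longest-prefix route lookup for the destination address."""
    d = ipaddress.IPv4Address(dst)
    best = max((r for r in ROUTES if d in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def matches_sp(src, dst, spd):
    """Kernel policy match: is there an outbound SP whose selector covers src/dst?"""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in sp_src and d in sp_dst for sp_src, sp_dst in spd)


def dest_zone(src, dst, spd):
    """Zone Shorewall assigns to a forwarded packet: the ipsec host entries
    (fil is listed before net in the zones file) match only when the kernel
    will actually encrypt the packet; otherwise the interface zone wins."""
    iface = out_iface(dst)
    for zone, z_iface, subnet in IPSEC_HOSTS:
        if (z_iface == iface and ipaddress.IPv4Address(dst) in subnet
                and matches_sp(src, dst, spd)):
            return zone
    return IFACE_ZONE[iface]


# Constructed SPD: site tunnels only cover the local LAN (assumed 192.168.1.0/24).
SPD_LAN_ONLY = [(Net("192.168.1.0/24"), Net("172.30.0.0/16"))]
# Same SPD plus an SP covering the OpenVPN client subnet, as Tom suggests.
SPD_WITH_VPN = SPD_LAN_ONLY + [(Net("10.8.0.0/24"), Net("172.30.0.0/16"))]

if __name__ == "__main__":
    print(dest_zone("10.8.0.5", "172.30.4.2", SPD_LAN_ONLY))  # net
    print(dest_zone("10.8.0.5", "172.30.4.2", SPD_WITH_VPN))  # fil
```

The first call reproduces the symptom in the post (a vpn1 client addressing 172.30.x.y lands in "net"); the second shows the same packet classified as "fil" once an outbound SP covers the client subnet.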
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users