On 2007-10-05 10:21, Philipp Rusch wrote:
> Tom Eastep wrote:
>> Philipp Rusch wrote:
>>
>>> my problem is that traffic is going to the wrong zone.
>>> When I try to access hosts in one of ipsec zones while I am sitting in an
>>> openvpn zone, my packets travel to "net" and hence don't find their aim.
>>
>> Your problem is that you don't understand IPSEC. This is neither a
>> Shorewall problem nor is it a routing problem. As I said in my previous
>> message, you must configure IPSEC to encrypt the traffic -- then AND
>> ONLY THEN will it go to the right destination.
>>
>> -Tom
>
> Tom,
> just for clarification: if I have a multihomed host sitting in a LAN
> with one arm and several openvpn clients on this same host, the packets that
> the IPSec SA and/or shorewall sees are coming from the wrong "origin"?
> So my misunderstanding was that I somehow thought that these OpenVPN
> tunnels terminate on the firewall and therefore can fulfill the same SA that
> I already defined for firewall-to-IPSec client tunnels.
> If I were able to set up a bridged OpenVPN connection, then those SAs
> should match, because the packets from OpenVPN clients look the same
> as if they were coming from the internal zone "loc", right?
> So my last question is:
> Is bridging with tap devices the way to go?
I use the solution described above (bridged OpenVPN); it works quite well. In my case OpenVPN clients are in a separate zone "ovpn" (defined in hosts as br0:$IP_RANGE), so I can regulate traffic from loc and ovpn to ipsec zones separately.

Regards
--
Artur

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
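The layout Artur describes, written out as an added example that is not from the thread (the addresses, the zone names other than loc, ovpn and net, and the file contents are assumptions): OpenVPN runs in tap mode bridged into br0 and hands clients a pool at the top of the LAN subnet, and Shorewall's `hosts` file carves that pool out as its own zone so it can be policed separately from the rest of the LAN. The point to check in a real deployment is that ovpn is listed before loc in `zones`: ovpn is a subset of br0, and Shorewall matches the more specific (earlier) zone first, so the ovpn policies apply to VPN clients instead of the more permissive loc ones.

```text
# /etc/openvpn/server.conf (relevant lines only; tap0 is added to br0
# by the host's bridge scripts, so client frames enter the firewall on br0)
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.225 192.168.1.254

# /etc/shorewall/zones
#ZONE   TYPE       OPTIONS
fw      firewall
net     ipv4
ovpn    ipv4       # nested inside loc on br0: sub-zone must come first
loc     ipv4
vpn     ipsec      # assumed name for the IPSec client zone

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
-       br0         detect      # "-": zones on br0 are assigned per address in hosts

# /etc/shorewall/hosts
#ZONE   HOSTS                    OPTIONS
ovpn    br0:192.168.1.224/27     # bridged OpenVPN pool (.225-.254)
loc     br0:192.168.1.0/24       # the rest of the LAN
vpn     eth0:0.0.0.0/0           # IPSec peers arrive on the external interface

# /etc/shorewall/policy
#SOURCE  DEST    POLICY   LOG
loc      vpn     ACCEPT
ovpn     vpn     DROP     info    # VPN road warriors do not get the LAN's access
ovpn     loc     DROP     info
loc      net     ACCEPT
ovpn     net     ACCEPT
net      all     DROP     info
all      all     REJECT   info

# /etc/shorewall/rules
#ACTION  SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT   ovpn    vpn     tcp     22      # open single services instead of a blanket ACCEPT
```

Without a CONTINUE policy for ovpn, a packet from the pool is decided entirely by the ovpn rows, so the loc -> vpn ACCEPT above cannot leak to bridged clients; `shorewall check` will flag the zone ordering if ovpn and loc are swapped.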
