Title: [New Vision] - Template GmbH with LOGO
Artur Uszyński wrote:
On 2007-10-05 10:21, Philipp Rusch wrote:

Tom Eastep wrote:

Philipp Rusch wrote:

my problem is that traffic is going to the wrong zone.
When I try to access hosts in one of ipsec zones while I am sitting in an
openvpn zone, my packets travel to "net" and hence don't find their aim.
Your problem is that you don't understand IPSEC. This is neither a
Shorewall problem nor is it a routing problem. As I said in my previous
message, you must configure IPSEC to encrypt the traffic -- then AND
ONLY THEN will it go to the right destination.

-Tom
Tom,
just for clarification: if I have a multihomed host sitting in a LAN with one
arm and several openvpn clients on this same host, the packets that
the IPSec SA and/or shorewall sees are coming from the wrong "origin"?
So my misunderstanding was that I somehow thought that these OpenVPN
tunnels terminate on the firewall and therefore can fulfill the same SA that
I already defined for firewall to IPSec client-tunnels.
If I were able to set up a bridged OpenVPN connection, then those SAs
should match, because the packets from OpenVPN clients look the same
as if they were coming from the internal zone "loc", right?
So my last question is:
Is bridging with tap-devices the way to go?

I use the solution described above (bridged OpenVPN), it works quite well. In my case OpenVPN clients are in a separate zone "ovpn" (defined in hosts as br0:$IP_RANGE), so I can regulate traffic from loc and ovpn to ipsec zones separately.

Regards
--
Artur

Hello Artur,
great! You have one of the new kernels? I ask because of the limited bridge support...
Could you share your setup with me by private mail ?

Regards from Germany,
--
Kind regards,
Philipp Rusch

New Vision GmbH
Neue Mitte 3
D-35415 Pohlheim, Germany
Fon:    +49 (0)6403 969 08 56
Fax:    +49 (0)6403 969 08 57
Mobile: +49 (0)172 89 86 230
HRB 6415 Gießen
Ust.-ID: DE 814 629 367
Web   : www.newvision-it.de
Mailto : [EMAIL PROTECTED]


This e-mail contains confidential and/or legally protected information. If you are not the intended
recipient or have received this e-mail in error, please inform the sender and destroy
this e-mail. Unauthorised copying or forwarding of this e-mail is not permitted.

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient 
(or have received this e-mail in error) please notify the sender and destroy this e-mail. Any unauthorised 
copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
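As an added, constructed example (not configuration posted by Artur or anyone else in the thread), this is the Shorewall layout his description implies: LAN and bridged OpenVPN tap clients share br0, but are split into the zones "loc" and "ovpn" by address range in the hosts file, so each gets its own policy towards the IPsec zone. All addresses, ranges, interface names and the zone name "vpn" are assumptions chosen for illustration.

```text
# /etc/shorewall/params  (all addresses constructed for this example)
LOC_RANGE=192.168.1.0/25        # LAN hosts on eth1, bridged into br0
OVPN_RANGE=192.168.1.128/25     # OpenVPN tap clients (server-bridge pool), same bridge
IPSEC_NETS=10.8.0.0/16          # remote networks reached through the IPsec client tunnels

# /etc/shorewall/zones
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
ovpn    ipv4
vpn     ipsec                   # ipsec type: matched on the kernel IPsec policy, not on the interface

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
-       br0         detect      # zone is assigned per address range in hosts, not here

# /etc/shorewall/hosts
#ZONE   HOST(S)                 OPTIONS
loc     br0:$LOC_RANGE
ovpn    br0:$OVPN_RANGE
vpn     eth0:$IPSEC_NETS

# /etc/shorewall/policy  (first match wins, so the specific pairs come first)
#SOURCE DEST    POLICY   LOG LEVEL
loc     vpn     ACCEPT
ovpn    vpn     REJECT   info    # OpenVPN clients only get what /etc/shorewall/rules opens
loc     net     ACCEPT
ovpn    net     REJECT   info
fw      all     ACCEPT
net     all     DROP     info
all     all     REJECT   info

# /etc/shorewall/rules
#ACTION  SOURCE  DEST    PROTO   DEST PORT(S)
ACCEPT   ovpn    vpn     tcp     22,443           # the only traffic ovpn may send into the IPsec networks

# /etc/openvpn/server.conf (bridged mode, tap0 enslaved to br0 by the bridge setup)
# Clients receive addresses from the LAN subnet, so the existing firewall-to-IPsec
# SA for 192.168.1.0/24 covers them as well, which is what Artur relies on.
dev tap0
server-bridge 192.168.1.1 255.255.255.0 192.168.1.128 192.168.1.254
```

Traffic between loc and ovpn stays inside the bridge at layer 2 and is not seen by these rules unless bridge netfilter is enabled on the host; only traffic leaving br0 towards net or vpn is filtered per zone.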
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users