Thanks, Artur. I tried as described and the tunnel is successfully established upon a Ping from a system at A to a system at B. But the Ping itself isn't successful. Has the address 192.168.200.1 to be added to the external interface? I have the ADD_SNAT_ALIASES variable set to NO in shorewall.conf. I think it should be handled by Shorewall only internally.

Is there any possibility to trace the connection some steps further with the shorewall logging facilities? I see, of course, the initial ACCEPT of the packet from the client entering the firewall with the policy "loc -> vpn". But not further.

Regards,
Christian

Artur Uszyn'ski wrote:
> On 2007-10-05 10:36, Christian Vieser wrote:
>
>> Hi all,
>>
>> I set up an IPSEC tunnel according to the tutorial at
>> http://www.shorewall.net/IPSEC-2.6.html. In the following I will refer
>> to the picture and rules there.
>>
>> The company at side B now wants that all clients from side A appear to
>> have a single address, say 192.168.200.1. So the question is, what entry
>> in /etc/shorewall/masq is needed to translate all originating requests
>> from subnet 192.168.1.0/24 to this address, before the traffic will go
>> through the IPSEC tunnel. And what has to be changed in the IPSEC/racoon
>> config for this?
>>
>
> Extracted from working shorewall 2.2.x installation (should not be different
> in newer versions):
>
> # file: masq
> #INTERFACE SUBNET ADDRESS
> eth0::$B_SIDE_IP_RANGE 192.168.1.0/24 192.168.200.1
> # put other masq entries with 192.168.1.0/24 as a subnet below if needed
>
> Most likely you need to turn off route filtering (for example ROUTE_FILTER=No
> in shorewall.conf).
>
> IPSec tunnel must be established between 192.168.200.1/32 and
> $B_SIDE_IP_RANGE. I use Openswan, not ipsec-tools, so I can't give exact
> config entries.
>
