Tor Arne Rein wrote:
> # file: masq
> #INTERFACE SUBNET ADDRESS
> eth0::$B_SIDE_IP_RANGE $A_SIDE_IP_RANGE $SINGLE_IP_ADDRESS
>
> And, this kinda works, but only if I have a rule like this in my rules:
>
> # file: rules
> ACCEPT loc net

And Shorewall is complaining that the above rule is a policy and should be placed in the policy file. The rule would be:

ACCEPT loc:$A_SIDE_IP_RANGE net:$B_SIDE_IP_RANGE

> I already have rules like this:
>
> ACCEPT loc vpn
> ACCEPT vpn loc
>
> Here are the files I changed for ipsec in my config:

Looking at single entries out of context doesn't tell us much of anything. That's why we always ask that problem reports be accompanied by the output of 'shorewall dump' collected as described at http://www.shorewall.net/support.htm#Guidelines.

> # file: hosts
> #ZONE HOST(S) OPTIONS
> vpn eth0:10.233.233.0/24 ipsec
>
> # file: zones
> #ZONE TYPE OPTIONS IN OUT
> # OPTIONS OPTIONS
> vpn ipv4
> fw firewall
> net ipv4
> loc ipv4
>
> # file: tunnels
> ipsec net $REMOTE_IPSEC_PEER_IP
>
> Without MASQ it works without the additional "ACCEPT loc net" line in rules.
>
> So my question is, is this correct, meaning is the "ACCEPT loc net" rule required?
> Or is there something wrong with my configuration so that shorewall doesn't pick up the vpn zone when I added MASQ'ing?
> I should also add that the SINGLE_IP_ADDRESS I want to "MASQ with" is another IP address from the same subnet as eth0 (the net interface).

Did you also change your OpenSwan configuration to only include $SINGLE_IP_ADDRESS on the A side? That would explain what you are seeing.

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
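The mismatch the reply asks about, as an added example that is not from the thread, from Shorewall or from OpenSwan: a small Python check that parses a constructed masq entry and ipsec.conf conn (hypothetical addresses and function names) and reports any conn to the masq'd range whose A-side leftsubnet does not cover the SNAT address.

```python
import ipaddress
# Constructed sample inputs (hypothetical addresses, not from the thread): a
# Shorewall 'masq' entry SNATing the A-side LAN to one public address for
# traffic to the B-side range, and an OpenSwan conn whose leftsubnet still
# names the LAN rather than that single address.
MASQ_FILE = """\
#INTERFACE           SUBNET         ADDRESS
eth0::203.0.113.0/24 192.168.1.0/24 198.51.100.7
"""
IPSEC_CONF = """\
conn a-to-b
    leftsubnet=192.168.1.0/24
    rightsubnet=203.0.113.0/24
"""

def parse_masq(text):
    """Yield (iface, dest_net, source_net, snat_addr) per 'iface::dest' masq entry."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line: continue
        iface_col, subnet, address = line.split()[:3]
        # 'eth0::dest' -> interface, optional digit, destination (no dest = any)
        iface, _digit, dest = (iface_col.split(":") + ["", ""])[:3]
        yield (iface, ipaddress.ip_network(dest or "0.0.0.0/0"),
               ipaddress.ip_network(subnet), ipaddress.ip_address(address))

def parse_conns(text):
    """Return {conn_name: {key: value}} from a minimal ipsec.conf fragment."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conns[current][key] = val
    return conns

def check_masq_vs_ipsec(masq_text, ipsec_text):
    """List conns to the masq'd destination whose leftsubnet misses the SNAT address."""
    findings = []
    for iface, dest, src, snat in parse_masq(masq_text):
        for name, c in parse_conns(ipsec_text).items():
            if ipaddress.ip_network(c.get("rightsubnet", "0.0.0.0/0")) != dest:
                continue  # this conn does not carry traffic to the masq'd range
            # the A-side policy must include the post-SNAT source address
            left = ipaddress.ip_network(c.get("leftsubnet") or c.get("left", "0.0.0.0") + "/32")
            if snat not in left:
                findings.append(f"{name}: leftsubnet {left} does not cover SNAT address "
                                f"{snat} for {src} -> {dest} via {iface}")
    return findings
```

Run against the sample it reports the stale leftsubnet; changing it to the SNAT address as a /32 clears the finding.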