I mostly forgot (in terms of being sure how to do it without consulting 
the docs) how to use VPN. Here is what I have in the way of docs for PtP IPSec VPN 
with 2 VPN routers:
http://manual.ovislinkcorp.com/8000VPN-example.pdf

All I had to do was set the Remote and Local LAN subnets in the routers' web 
config and routing was done. LAN1 was able to ping LAN2 instantly. I 
mention routing since if that part is not done correctly you will 
chase your own tail around shorewall and not the actual problem.

In the hosts file you are setting extra IPs or subnets you consider members 
of the "Local" network/zone. You can even use public IPs for that so 
you can have access to the firewall. You are not able to access private 
networks (192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8) via the internet, so the 
hosts file helps only with access to public IPs on the firewall itself or 
public IPs behind it.

Please note that those 2 rows are just an example; do not just copy them 
but read the docs for the hosts file and set your own rules and options. Other 
than this warning, all that is needed are rules like mine in the hosts 
file and (of course) a rule in the policy file that allows the zone you used in 
the hosts file (it does not *have* to be "loc") to access the firewall and other 
zones. Here are my full interfaces, policy, zones and hosts files (from 
another server without bridging):

/etc/shorewall/interfaces:
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0    detect          routefilter,blacklist,tcpflags,logmartians,arp_ignore,optional,routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

/etc/shorewall/zones:
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
loc     ipv4                            #
kvm     ipv4                            #
net     ipv4                            #

/etc/shorewall/policy:
#SOURCE DEST    POLICY          LOG     LIMIT:          CONNLIMIT:
#                               LEVEL   BURST           MASK
net     net     NONE
fw      net     ACCEPT
fw      kvm     ACCEPT
loc     all     ACCEPT
kvm     all     ACCEPT
net     kvm     ACCEPT          ## Possible security issue since my firewall's IP is on that subnet !!!!! YMMV.
net     all     DROP    info
all     all     REJECT  info

Do you see "kvm" zone?

/etc/shorewall/hosts:
#ZONE   HOST(S)                                 OPTIONS
loc     eth0:192.168.200.0/24   routeback,tcpflags
loc     eth0:192.168.219.0/24   routeback,tcpflags
kvm     eth0:xxx.yyy.219.88/29  routeback,tcpflags
kvm     eth0:aaa.bbb.255.72/29  routeback,tcpflags
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

I used the "kvm" zone to separate the "loc" zone from the public IPs of my servers 
from which I want to access, and then I set access rights to that zone in the 
policy file.

"net    kvm     ACCEPT" stayed when I copied the configuration from the server with the br0 
interface, and I am going to rearrange and further test this, possibly 
delete it or restrict it more, but so far www.grc.com's port scanner says 
I am safe, so I will leave it in this example with just a warning about it.

That is all I am able to help you with, and I think this is all you need 
to accomplish your goal.

Ljubomir

Körtvélyesi Péter wrote:
> Hi!
> 
> Thanks for your really useful reply Ljubomir!
> 
> The situation is that I can't try these settings out as I will have an 
> exact weekend (out of office hours) to try out those and I have to 
> finish that task in time. So I'm just studying the cases now.
> 
> I've learnt that RV082 routers can't route traffic through VPN
> http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=175
> "How can we configure a static route entry on the RV042 and RV082 to 
> route 10.200.128.0 traffic via the tunnel that established?  The static 
> entries for advanced routing only allows the selection of LAN or WAN.  
> As a bonus, it would be great if we could add static route entries to 
> the VPN tunnel configuration page. This bonus would only activate the 
> route entry if the VPN tunnel was connected."
>  
> If VPN tunnel works between the two routers (home setup) the subnet of 
> Shorewall's firewall (LAN1) can't be reached from LAN1?
> So what to do in that situation? Getting other types of routers?
> 
> Or if I set a static route on them not telling anything about VPN is 
> good enough? I mean telling VPN2 to have a static route through VPN1 to 
> subnet 192.168.2.* and then telling VPN2 to have a static route to LAN1 
> through Shorewall FW's net interface (192.168.2.2) to LAN1 192.168.0.* 
> is good enough? Then again how to set Shorewall?
> 
> loc     br0:192.168.2.0/24    routeback,tcpflags (zone between VPN1 and 
> Shorewall)
> loc     br0:192.168.1.0/24    routeback,tcpflags (VPN2's LOC2 network)
> 
> 
> It does everything what I need?
> 
> Sure I have to add a static route from FW to VPN2's LAN2 through VPN1, 
> and from VPN1 to VPN2's subnet, am I right?
> 
> It is not yet clear for me that these settings provide me the ability to 
> be able to treat remote LAN2 connecting on net interface to Shorewall as 
> a local network.
> 
> Any more detailed info is still greatly appreciated!
> 
> Thanks very much!
> Peter
> 
> 


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
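The following Python script is an added example for this thread; it is my own code, not code from either poster and not part of Shorewall. It parses the four tables quoted above (interfaces, zones, hosts, policy) and flags the points the reply warns about: a zone referenced but never defined, an ACCEPT policy from "net" into a zone that is carved out of the net interface via the hosts file (the "net kvm ACCEPT" caveat), and a policy entry that can never match because an earlier catch-all already covers it. It assumes that Shorewall evaluates the policy file first-match, replaces the two public /29s with RFC 5737 documentation ranges, and invents the firewall's own eth0 address, since the post masks those values.

```python
import ipaddress

# Constructed sample tables modelled on the four files quoted in the post.
# Assumptions: the two public /29s are replaced by RFC 5737 documentation
# ranges, and the firewall's own eth0 address (FW_ADDRS) is invented.
INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          routefilter,blacklist,tcpflags,logmartians,arp_ignore,optional,routeback
"""

ZONES = """\
#ZONE   TYPE
fw      firewall
loc     ipv4
kvm     ipv4
net     ipv4
"""

HOSTS = """\
#ZONE   HOST(S)                  OPTIONS
loc     eth0:192.168.200.0/24    routeback,tcpflags
loc     eth0:192.168.219.0/24    routeback,tcpflags
kvm     eth0:192.0.2.88/29       routeback,tcpflags
kvm     eth0:198.51.100.72/29    routeback,tcpflags
"""

POLICY = """\
#SOURCE DEST    POLICY  LOG
net     net     NONE
fw      net     ACCEPT
fw      kvm     ACCEPT
loc     all     ACCEPT
kvm     all     ACCEPT
net     kvm     ACCEPT
net     all     DROP    info
all     all     REJECT  info
"""

FW_ADDRS = [ipaddress.ip_address("192.0.2.90")]  # assumed, not from the post


def rows(text):
    """Split a Shorewall table into columns, dropping comments and blank lines."""
    out = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if body:
            out.append(body.split())
    return out


def parse_interfaces(text):
    """zone -> interface, skipping entries that carry no zone ('-')."""
    return {r[0]: r[1] for r in rows(text) if r[0] != "-"}


def parse_zones(text):
    return {r[0] for r in rows(text)}


def parse_hosts(text):
    """One dict per 'ZONE iface:network options' row; options may be absent."""
    entries = []
    for r in rows(text):
        iface, net = r[1].split(":", 1)
        opts = set(r[2].split(",")) if len(r) > 2 else set()
        entries.append({"zone": r[0], "iface": iface,
                        "net": ipaddress.ip_network(net, strict=False), "opts": opts})
    return entries


def parse_policy(text):
    return [{"src": r[0], "dst": r[1], "policy": r[2]} for r in rows(text)]


def audit(zones_text, interfaces_text, hosts_text, policy_text, fw_addrs):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    zones = parse_zones(zones_text)
    ifaces = parse_interfaces(interfaces_text)
    hosts = parse_hosts(hosts_text)
    policy = parse_policy(policy_text)
    findings = []

    # 1. Every zone used in hosts/policy must exist in zones ('all' is a wildcard).
    for h in hosts:
        if h["zone"] not in zones:
            findings.append(f"hosts: zone '{h['zone']}' is not defined in zones")
    for p in policy:
        for z in (p["src"], p["dst"]):
            if z != "all" and z not in zones:
                findings.append(f"policy: zone '{z}' is not defined in zones")

    # 2. A zone carved out of the net interface through hosts, combined with an
    #    ACCEPT policy from net into it, forwards internet traffic to those ranges unfiltered.
    net_ifaces = {i for z, i in ifaces.items() if z == "net"}
    carved = {h["zone"] for h in hosts if h["iface"] in net_ifaces}
    for p in policy:
        if p["src"] == "net" and p["policy"] == "ACCEPT" and p["dst"] in carved:
            nets = [h["net"] for h in hosts if h["zone"] == p["dst"]]
            msg = (f"policy: 'net {p['dst']} ACCEPT' forwards unfiltered internet traffic into "
                   + ", ".join(str(n) for n in nets) + " on the net interface")
            if any(a in n for n in nets for a in fw_addrs):
                msg += "; the firewall's own address lies inside that range"
            findings.append(msg)

    # 3. Assumed first-match evaluation: an entry after a matching catch-all is dead.
    seen = []
    for p in policy:
        for q in seen:
            if q["src"] in ("all", p["src"]) and q["dst"] in ("all", p["dst"]):
                findings.append(f"policy: '{p['src']} {p['dst']} {p['policy']}' is shadowed by "
                                f"earlier '{q['src']} {q['dst']} {q['policy']}'")
                break
        seen.append(p)
    return findings


if __name__ == "__main__":
    for f in audit(ZONES, INTERFACES, HOSTS, POLICY, FW_ADDRS):
        print("WARN", f)
```

On the sample tables the only warning is the "net kvm ACCEPT" entry; removing that line makes the audit come back clean, and moving it below "net all DROP" produces a shadowing warning instead, which is the trap to watch for when rearranging the policy file.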
