Tom Eastep wrote:
> Simon Buckner wrote:
> 
>> I have set up an IPSEC VPN using Openswan to connect a Draytek router
>> to a CentOS 5.2/Shorewall 4.2.9 firewall.  The VPN establishes OK but
>> I'm getting a problem with packets from the left hand subnet getting
>> masqueraded rather than routed down the IPSEC VPN as though they were
>> going out onto the net.
> 
> This is almost always an IPSEC configuration problem that has nothing to
> do with Shorewall.

Actually, that's not true. The fact that connections are masqueraded
could also mean that you haven't followed the instructions at
http://www.shorewall.net/IPSEC-2.6.html.

Here's why.

Normally, an entry in /etc/shorewall/masq generates an iptables rule of
the (simplified) form:

        -A POSTROUTING -o <iface> -s <src> -j MASQUERADE

or

        -A POSTROUTING -o <iface> -s <src> -j SNAT --to-src <ip>

where

        <iface> is the interface named in the INTERFACE column.
        <src>   is the set of IP addresses corresponding to the SOURCE
                column; and
        <ip>    is the address specified in the ADDRESS column

So the rule masquerades/SNATs *all* traffic from <src> that is routed
out through <interface>. That will include traffic that is scheduled to
be encrypted by IPSEC!

When you configure your gateway as described in the above-mentioned
article, the rule will include the additional match:

        -m policy --dir out --pol none

That additional match restricts rewriting of the source IP address to
those connections that will *not* be encrypted by IPSEC.

If, with this additional match in place, the traffic is *still* being
masqueraded, *then* there is a problem with your IPSEC setup.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
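The two rule forms Tom describes above, written out as an added example. This is not Shorewall's code and not from the original post: it renders the POSTROUTING rule a masq entry would produce (plain, and with the "-m policy --dir out --pol none" match from the IPSEC-2.6 article) and then evaluates, for constructed sample packets, which form would rewrite the source address. The interface name eth0, the 192.168.1.0/24 subnet, the host 192.168.1.10 and the SNAT address 203.0.113.1 are made-up values; the CIDR helper is my own, and "ipsec"/"none" stand in for the outbound xfrm policy verdict the kernel's policy match consults.

```shell
#!/bin/sh
# Added example (not Shorewall's code): render the POSTROUTING rule a
# Shorewall masq entry produces, with and without the IPsec policy match
# from http://www.shorewall.net/IPSEC-2.6.html, and evaluate which packets
# each form would rewrite. All interface names, subnets and addresses
# below are constructed sample values.

# nat_target [ADDR] -> "-j MASQUERADE" when ADDR is empty, else "-j SNAT --to-source ADDR"
nat_target() {
    if [ -n "$1" ]; then
        printf '%s\n' "-j SNAT --to-source $1"
    else
        printf '%s\n' "-j MASQUERADE"
    fi
}

# masq_rule IFACE SRC [ADDR]
# Plain form: matches *all* traffic from SRC leaving via IFACE, including
# packets that IPsec is about to encrypt.
masq_rule() {
    printf '%s\n' "-A POSTROUTING -o $1 -s $2 $(nat_target "$3")"
}

# masq_rule_ipsec IFACE SRC [ADDR]
# Form produced when the gateway is configured per IPSEC-2.6.html: the
# policy match limits NAT to packets with no outbound IPsec policy.
masq_rule_ipsec() {
    printf '%s\n' "-A POSTROUTING -o $1 -s $2 -m policy --dir out --pol none $(nat_target "$3")"
}

# ip2int DOTTED-QUAD -> unsigned 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET[/PREFIX] -> exit 0 if IP lies inside the network
in_cidr() {
    net=${2%/*}
    plen=${2#*/}
    [ "$plen" = "$2" ] && plen=32
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# masq_matches MODE RULE_IFACE RULE_SRC PKT_IFACE PKT_SRC PKT_POL
#   MODE     plain | ipsec   which rule form is loaded
#   PKT_POL  none  | ipsec   outbound xfrm policy verdict for the flow
#                            (what "ip xfrm policy" selects for it)
# Exit 0 when the rule would rewrite the packet's source address.
masq_matches() {
    mode=$1 riface=$2 rsrc=$3 piface=$4 psrc=$5 ppol=$6
    [ "$piface" = "$riface" ] || return 1
    in_cidr "$psrc" "$rsrc" || return 1
    if [ "$mode" = ipsec ] && [ "$ppol" != none ]; then
        return 1   # --pol none: traffic with an IPsec policy skips NAT
    fi
    return 0
}

# Stand-alone demonstration with constructed values: LAN 192.168.1.0/24
# behind eth0, host 192.168.1.10 sending to a subnet reached via the tunnel.
masq_rule eth0 192.168.1.0/24
masq_rule_ipsec eth0 192.168.1.0/24 203.0.113.1
for mode in plain ipsec; do
    if masq_matches "$mode" eth0 192.168.1.0/24 eth0 192.168.1.10 ipsec; then
        echo "$mode rule: IPsec-bound packet from 192.168.1.10 IS masqueraded"
    else
        echo "$mode rule: IPsec-bound packet from 192.168.1.10 is left alone"
    fi
done
```

On a real gateway the equivalent check is to look at the loaded rule with `iptables -t nat -L POSTROUTING -v -n` (the policy match shows up as `policy match dir out pol none` on the rule) and to confirm with `ip xfrm policy show` that an outbound policy actually covers the subnet pair; if the match is present and the policy is missing or mismatched, the problem is on the IPsec side, exactly as the post says.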

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users