On Wed, 2010-07-14 at 09:36 -0700, Tom Eastep wrote:
>
> Near as I can tell,

As usual Tom, your instincts were right on the mark.

> you should simply need to:
>
> a) Add an IPSEC tunnel to /etc/shorewall/tunnels.

Which I did as:

#TYPE        ZONE    GATEWAY        GATEWAY
#                                   ZONE
ipsecnat     net     0.0.0.0/0

since I am indeed on a NAT-T configuration here. TBH, I was not sure what, if anything, I should put in the GATEWAY ZONE for this configuration.

> b) Use a standard two-interface configuration; MASQUERADE traffic coming
> from the kvm subnet.

Indeed.

> That's it. Since traffic to/from the default gateway is either all
> encrypted or all en clair (depending on whether the IPSEC client is
> active or not), I see no reason to differentiate the two cases.

Fair enough. And it almost, so, very almost works!

Here's a packet received on the kvm interface destined for the VPN:

18:07:41.518736 IP 192.168.122.32.3646 > 10.1.2.3.21: Flags [S], seq 13170946, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0

and here is the response:

18:07:54.419302 IP 10.1.2.3.21 > 129.150.48.250.3646: Flags [S.], seq 2706895564, ack 13170947, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 2], length 0

And here is the conntrack entry for it:

ipv4 2 tcp 6 38 SYN_RECV src=192.168.122.32 dst=10.1.2.3 sport=3646 dport=21 packets=1 bytes=64 src=10.1.2.3 dst=199.10.8.5 sport=21 dport=3646 packets=6 bytes=312 mark=0 secmark=0 use=2

But that's as far as it gets. It doesn't get sent back through the kvm interface at all. It just disappears at that point.

I should note that 199.10.8.5 is not the address of eth0 (the net interface on which the ipsec tunnel is configured) but an eth0:1 configured for ipsec. I dunno if that's relevant but it is somewhat strange so I thought I would mention it.

So the question is, any ideas what might cause Linux to not complete the de-natting and routing of that returned packet back to 192.168.122.32 on the kvm interface?

b.
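An added diagnostic, not part of the thread, that parses the conntrack entry and the tcpdump reply quoted above and reports the first field where the captured reply differs from the reply tuple conntrack is waiting for. Conntrack only reverses the MASQUERADE translation on a packet that matches its reply tuple, so a reply addressed elsewhere (here the entry expects 199.10.8.5 while the captured SYN-ACK is addressed to 129.150.48.250) is the kind of thing worth checking first when the de-NATed packet never appears on the inside interface.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Sample lines constructed from the output quoted in the message above.
CONNTRACK_LINE = ("ipv4 2 tcp 6 38 SYN_RECV src=192.168.122.32 dst=10.1.2.3 "
                  "sport=3646 dport=21 packets=1 bytes=64 src=10.1.2.3 "
                  "dst=199.10.8.5 sport=21 dport=3646 packets=6 bytes=312 "
                  "mark=0 secmark=0 use=2")
REPLY_PACKET = ("18:07:54.419302 IP 10.1.2.3.21 > 129.150.48.250.3646: "
                "Flags [S.], seq 2706895564, ack 13170947, win 5840, length 0")


class Tuple4(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int


_CT_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
_PKT_RE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")


def parse_conntrack(line: str) -> Tuple[Tuple4, Tuple4]:
    """Return (original, reply) 4-tuples from one ip_conntrack line.
    The first src/dst pair is the original direction, the second the
    reply direction (already rewritten by MASQUERADE)."""
    pairs = _CT_RE.findall(line)
    if len(pairs) != 2:
        raise ValueError("expected exactly two src/dst pairs")
    orig, reply = (Tuple4(s, int(sp), d, int(dp)) for s, d, sp, dp in pairs)
    return orig, reply


def parse_packet(line: str) -> Tuple4:
    """Extract the IPv4/TCP 4-tuple from a tcpdump text line."""
    m = _PKT_RE.search(line)
    if not m:
        raise ValueError("not an IPv4 tcpdump line")
    return Tuple4(m[1], int(m[2]), m[3], int(m[4]))


def reply_mismatch(ct_line: str, pkt_line: str) -> Optional[str]:
    """None if the captured packet matches the conntrack reply tuple,
    otherwise a note on the first differing field. A packet that does not
    match the reply tuple is never de-NATed by that conntrack entry."""
    _, reply = parse_conntrack(ct_line)
    pkt = parse_packet(pkt_line)
    for field in Tuple4._fields:
        want, got = getattr(reply, field), getattr(pkt, field)
        if want != got:
            return f"{field}: conntrack expects {want}, packet has {got}"
    return None
```

Feed it a live `conntrack -L` line and the matching `tcpdump -n` line from the outside interface to check any other stalled flow the same way.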
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
