On Jul 14, 2010, at 3:18 PM, Brian J. Murrell wrote:

> On Wed, 2010-07-14 at 09:36 -0700, Tom Eastep wrote: 
>> 
>> Near as I can tell,
> 
> As usual Tom, your instincts were right on the mark.
> 
>> you should simply need to:
>> 
>> a) Add an IPSEC tunnel to /etc/shorewall/tunnels.
> 
> Which I did as:
> 
> #TYPE                 ZONE    GATEWAY         GATEWAY
> #                                             ZONE
> ipsecnat              net     0.0.0.0/0
> 
> since I am indeed on a NAT-T configuration here.  TBH, I was not sure
> what, if anything, I should put in the GATEWAY ZONE for this
> configuration.
> 
>> b) Use a standard two-interface configuration; MASQUERADE traffic coming
>> from the kvm subnet.
> 
> Indeed.
> 
>> That's it. Since traffic to/from the default gateway is either all
>> encrypted or all en clair (depending on whether the IPSEC client is
>> active or not), I see no reason to differentiate the two cases.
> 
> Fair enough.
> 
> And it almost, so, very almost works!
> 
> Here's a packet received on the kvm interface destined for the VPN:
> 
> 18:07:41.518736 IP 192.168.122.32.3646 > 10.1.2.3.21: Flags [S], seq 
> 13170946, win 65535, options [mss 1460,nop,wscale 1,nop,nop,TS val 0 ecr 
> 0,nop,nop,sackOK], length 0
> 
> and here is the response:
> 
> 18:07:54.419302 IP 10.1.2.3.21 > 129.150.48.250.3646: Flags [S.], seq 
> 2706895564, ack 13170947, win 5840, options [mss 
> 1460,nop,nop,sackOK,nop,wscale 2], length 0
> 
> And here is the conntrack entry for it.
> 
> ipv4     2 tcp      6 38 SYN_RECV src=192.168.122.32 dst=10.1.2.3 sport=3646 
> dport=21 packets=1 bytes=64 src=10.1.2.3 dst=199.10.8.5 sport=21 dport=3646 
> packets=6 bytes=312 mark=0 secmark=0 use=2
> 
> But that's as far as it gets.  It doesn't get sent back through the kvm
> interface at all.  It just disappears at that point.
> 
> I should note that 199.10.8.5 is not the address of eth0 (the net
> interface on which the ipsec tunnel is configured) but an eth0:1
> configured for ipsec.  I dunno if that's relevant but it is somewhat
> strange so I thought I would mention it.
> 
> So the question is, any ideas what might cause Linux to not complete the
> de-natting and routing of that returned packet back to 192.168.122.32 on
> the kvm interface?


It doesn't match the conntrack entry. The conntrack entry expects responses to 
be addressed to 199.10.8.5 but the response is coming back to 129.150.48.250. 
What does your /etc/shorewall/masq entry look like?

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \_______________________________________________
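The mismatch Tom points out can be checked mechanically. The following is an added example, not code from the thread or from Shorewall: it parses the conntrack entry and the tcpdump reply quoted above (wrapped lines joined, sample data constructed from the quote) and reports which field of conntrack's expected reply tuple the captured packet fails to match.

```python
import re

# Constructed from the lines quoted in the thread above (wrapped lines joined).
CONNTRACK_LINE = ("ipv4     2 tcp      6 38 SYN_RECV src=192.168.122.32 dst=10.1.2.3 "
                  "sport=3646 dport=21 packets=1 bytes=64 src=10.1.2.3 dst=199.10.8.5 "
                  "sport=21 dport=3646 packets=6 bytes=312 mark=0 secmark=0 use=2")
REPLY_PACKET = ("18:07:54.419302 IP 10.1.2.3.21 > 129.150.48.250.3646: Flags [S.], "
                "seq 2706895564, ack 13170947, win 5840, length 0")

_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")
_TCPDUMP = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def parse_conntrack(line):
    """Return (original_tuple, reply_tuple) from a /proc/net/ip_conntrack style line.

    The src/dst/sport/dport keys appear twice: first for the original direction
    (as sent by the LAN host), then for the reply conntrack expects to see."""
    pairs = _KV.findall(line)
    if len(pairs) != 8:
        raise ValueError("expected two src/dst/sport/dport tuples")
    return dict(pairs[:4]), dict(pairs[4:])


def parse_tcpdump(line):
    """Return {src, dst, sport, dport} from a tcpdump 'IP a.b.c.d.p > w.x.y.z.q' line."""
    m = _TCPDUMP.search(line)
    if not m:
        raise ValueError("not a tcpdump IPv4 line")
    src, sport, dst, dport = m.groups()
    return {"src": src, "sport": sport, "dst": dst, "dport": dport}


def reply_mismatches(conntrack_line, packet_line):
    """Fields on which the captured reply differs from conntrack's expected reply tuple.

    An empty result means conntrack would recognise the packet and de-NAT it
    back to the original source; any non-empty result explains a dropped reply."""
    _, expected = parse_conntrack(conntrack_line)
    seen = parse_tcpdump(packet_line)
    return {k: (expected[k], seen[k]) for k in ("src", "dst", "sport", "dport")
            if expected[k] != seen[k]}


if __name__ == "__main__":
    for field, (want, got) in reply_mismatches(CONNTRACK_LINE, REPLY_PACKET).items():
        print(f"{field}: conntrack expects {want}, packet has {got}")
```

Run against the quoted data it reports only `dst`: conntrack expects the reply at 199.10.8.5 (the address the masq rule chose) while the packet arrives for 129.150.48.250, so the entry never matches and no de-NAT happens.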