On 10/18/2012 07:54 AM, Krzysiek Nowak wrote:
>>>> Hello!
>>>>
>>>>
>>>> I'd like to ask if it is possible to connect a local LAN network with
>>>> an external one to which access is provided by a tap0 adapter (ShrewSoft
>>>> connecting to a Checkpoint VPN gateway). I have a server with an eth0
>>>> adapter which is used as the WAN adapter, tap0 (VPN) and eth1 which acts
>>>> as the LAN interface. What I want to do is to grant users from this LAN
>>>> (eth1) access to the network 10.49.41.0/24, which is available when tun0
>>>> is connected to the VPN. Is it possible with Shorewall? If so, how?
>>>>
>>>>                                 internet
>>>>                                 |
>>>>       |-eth0:10.48.10.27/24--->-|
>>>>       ^ tap0:10.44.70.68/32 [shrew soft connecting to CheckPoint VPN, DHCP]
>>>>       |
>>>>       |-eth1:192.168.1.1/24---<-|
>>>>                                 ^
>>>>                                 |
>>>>                                  <-LAN
>>>>                                     ^
>>>>                                     |
>>>>                                      < - 192.168.1.2/24 [how to connect to
>>>> 10.49.41.111/32 ?]
>>> Kris,
>>>
>>> There are two parts to this problem:
>>>
>>> a)  Allowing the traffic.
>>> b)  Routing.
>>>
>>> The first part is easy. Define a zone 'vpn' to be associated with tap0,
>>> then configure policies/rules to permit the traffic you want to allow.
>>>
>>> The second part will require that you masquerade traffic from your local
>>> LAN to the remote network, unless the remote end can be configured to
>>> route 192.168.1.1/24 through the VPN. If that isn't possible, then you
>>> need this in the masq file:
>>>
>>> tap0        192.168.1.0/24
>>>
>>> -Tom
>> Hi Tom,
>>
>>
>> Thank you for your answer. I did that and it's still not working.
>>
>> Oct 18 16:50:31 devel kernel: [89702.530584]
>> Shorewall:loc2vpn:ACCEPT:IN=eth1 OUT=tap0
>> MAC=00:21:91:f4:6c:44:5c:26:0a:05:fc:51:08:00 SRC=192.168.1.2
>> DST=10.49.41.127 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=701 DF PROTO=TCP
>> SPT=12635 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>> Oct 18 16:50:53 devel kernel: [89725.034448]
>> Shorewall:loc2vpn:ACCEPT:IN=eth1 OUT=tap0
>> MAC=00:21:91:f4:6c:44:5c:26:0a:05:fc:51:08:00 SRC=192.168.1.2
>> DST=10.49.41.131 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1655 DF PROTO=TCP
>> SPT=12636 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>> Oct 18 16:51:16 devel kernel: [89747.989691]
>> Shorewall:loc2vpn:ACCEPT:IN=eth1 OUT=tap0
>> MAC=00:21:91:f4:6c:44:5c:26:0a:05:fc:51:08:00 SRC=192.168.1.2
>> DST=10.49.41.111 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1682 DF PROTO=TCP
>> SPT=12639 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
>> ^C
> What do you see when you run tcpdump on tap0?
>
>       tcpdump -nei tap0
>
> -Tom
[root@devel ~] # tcpdump -vvv -nei tap0
tcpdump: listening on tap0, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

This is strange. After issuing this command I tried to connect to the remote
host (10.49.41.x) from the 192.168.1.0/24 network and from the server itself.
Now, the funny thing is that when I configure another tunnel on a tun0
interface (tun0, not tap0), connecting to another VPN gateway (a Cisco
appliance), everything works fine from the 192.168.1.0/24 network! What does
that actually point to? ShrewSoft's VPN configuration on the server
(192.168.1.1)? I saw some 'nat'-related options there and I think I need to
read about them. I hope it's not an issue with tap/tun interfaces. Or maybe
you have other suggestions, Tom?


Best regards,
Krzysztof
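As an added example (not part of the thread, and not Shorewall's own code), the script below parses kernel log lines of the shape Kris posted and checks each accepted packet against the masq entry Tom suggested (`tap0 192.168.1.0/24`). The log lines are constructed copies of the posted format; the third line, with source 192.168.2.9, is invented to show a source the masq entry does not cover. The point it makes explicit is the split in Tom's reply: a `loc2vpn:ACCEPT` log line is produced by the filter-table FORWARD rule (part a), while the masq file is applied afterwards in nat POSTROUTING (part b), so the ACCEPT log alone says nothing about whether the packet left tap0 with a source address the remote end can answer.

```python
"""Check Shorewall ACCEPT log lines against a masq rule set (added example)."""
import ipaddress
import re

# Constructed sample lines modelled on the kernel log lines in the thread.
# The third line is invented: its source is outside 192.168.1.0/24.
SAMPLE_LOG = """\
Oct 18 16:50:31 devel kernel: [89702.530584] Shorewall:loc2vpn:ACCEPT:IN=eth1 OUT=tap0 MAC=00:21:91:f4:6c:44:5c:26:0a:05:fc:51:08:00 SRC=192.168.1.2 DST=10.49.41.127 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=701 DF PROTO=TCP SPT=12635 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 18 16:50:53 devel kernel: [89725.034448] Shorewall:loc2vpn:ACCEPT:IN=eth1 OUT=tap0 MAC=00:21:91:f4:6c:44:5c:26:0a:05:fc:51:08:00 SRC=192.168.1.2 DST=10.49.41.131 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1655 DF PROTO=TCP SPT=12636 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
Oct 18 16:52:10 devel kernel: [89801.112233] Shorewall:loc2vpn:ACCEPT:IN=eth1 OUT=tap0 MAC=00:21:91:f4:6c:44:5c:26:0a:05:fc:51:08:00 SRC=192.168.2.9 DST=10.49.41.111 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=2001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# Shorewall masq entries as (INTERFACE, SOURCE) pairs: the one Tom suggested.
MASQ_RULES = [("tap0", "192.168.1.0/24")]

_SHOREWALL_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S*)")  # IN=eth1 OUT=tap0 SRC=... (flags like DF/SYN are skipped)


def parse_line(line):
    """Return a dict for one Shorewall kernel log line, or None if it is not one."""
    m = _SHOREWALL_RE.search(line)
    if not m:
        return None
    fields = dict(_KV_RE.findall(m.group("rest")))
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dport": int(fields["DPT"]) if "DPT" in fields else None,
    }


def would_masquerade(pkt, rules=MASQ_RULES):
    """True if a masq entry's INTERFACE matches OUT and its SOURCE covers SRC.

    The masq file is applied in nat POSTROUTING, after the filter FORWARD
    chain that wrote the ACCEPT log line, so the log alone never proves it.
    """
    if not pkt.get("src"):
        return False
    src = ipaddress.ip_address(pkt["src"])
    for iface, source in rules:
        if pkt.get("out") == iface and src in ipaddress.ip_network(source, strict=False):
            return True
    return False


def analyze(log_text, rules=MASQ_RULES):
    """Parse every Shorewall line in log_text and annotate it with the masq verdict."""
    entries = []
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        pkt["masqueraded"] = would_masquerade(pkt, rules)
        entries.append(pkt)
    return entries


def uncovered_sources(entries, iface="tap0"):
    """Sources forwarded out of iface that no masq entry covers (sorted, unique)."""
    return sorted({e["src"] for e in entries if e["out"] == iface and not e["masqueraded"]})


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for e in result:
        print(f"{e['chain']}:{e['disposition']} {e['src']} -> {e['dst']}:{e['dport']} "
              f"via {e['out']} masq={'yes' if e['masqueraded'] else 'NO'}")
    print("sources not covered by any masq entry:", uncovered_sources(result))
```

To run it over a live box, replace `SAMPLE_LOG` with `sys.stdin.read()` and pipe `dmesg` (or the syslog file) into it; a source listed as uncovered will reach tap0 with its LAN address unchanged, which is exactly the case where the remote end must route 192.168.1.0/24 back through the VPN. A packet that is both accepted and covered but still never shows up in `tcpdump -nei tap0`, as in Kris's capture, is a routing or VPN-client problem rather than a Shorewall one, which is what Tom's tcpdump question is designed to separate.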




_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users