On 5/1/13 9:48 AM, "rblake3" <[email protected]> wrote:
> Hello,
>
> I am currently attempting to masquerade traffic behind an internal interface
> (eth0) destined for the default gateway to go out of a firewall device located
> at the other end of an ipsec tunnel. I have attempted to use the providers
> feature to do this, but I cannot figure out how to keep the ipsec tunnel up
> while having the traffic forwarded. At this point, the only thing I can think
> of is to exclude the far end IP address of the ipsec tunnel and leave
> everything else to pass through the other device. However, I was hoping there
> was a much simpler alternative.
>
> Quick overview of network:
>
> [The Internet] <-----> [Corporate HQ - IPSec Device & Firewall (internal:
> 10.1.0.1)] <ipsec> [The Internet] <ipsec> [Remote Location eth1]
> <shorewall--> [Remote Location eth0 (10.2.0.1)] <---> [Internal Network
> (10.2.0.0/24)]
>
> I went through the shorewall documentation and was unable to find anywhere
> that shows this particular example. I have tried using several configurations
> in the masq file, but to no avail:
>
> #INTERFACE SOURCE ADDRESS ...
> eth0 192.168.1.0/24 1.1.1.1
That rule says that packets routed out of eth0 with SOURCE IP in
192.168.1.0/24 should have their SOURCE IP changed to 1.1.1.1
> #And also tried:
> eth0:10.1.0.1 eth0
That rule is meaningless.
>
> I am hoping the first example above is the correct format; however, that IP is
> on a far-end device. Also, I do not have an ipsec0 device since I am using
> spdadd rules with racoon that create the static routes of the internal
> network at headquarters.
>
> I am certain this is a very simple issue and a solution will be as well, but I
> cannot seem to wrap my mind around it. I have included the shorewall & kernel
> versions below for reference.
>
> Shorewall version: 4.4.24.1
> Kernel version: 3.4.33-2.24-default (SMP x64)
It might help us if you posted the output of 'shorewall dump' so we can see
what your gateway configuration looks like. Be sure that ipsec-tools are
installed before you capture the output.
-Tom
You do not need a parachute to skydive. You only need a parachute to skydive
twice.
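As an added example (not code from the thread or from Shorewall itself), the rule semantics Tom gives above, written as a small POSIX shell translator from a masq line to the equivalent iptables nat/POSTROUTING rule: packets routed out of INTERFACE whose source IP matches SOURCE are SNATed to ADDRESS. The treatment of the `iface:dest` form of the INTERFACE column as a destination restriction, and of an empty ADDRESS column as MASQUERADE to the interface's own address, are assumptions about the masq file format, not something stated in the thread; the function only accepts address/network values in SOURCE and refuses anything else, so a malformed line like the second one in the question is reported rather than silently turned into a rule.

```shell
#!/bin/sh
# Translate one Shorewall 'masq' line (INTERFACE SOURCE [ADDRESS]) into the
# iptables rule with the same meaning. Added example, not Shorewall's code.
#   INTERFACE  interface packets are ROUTED OUT of; "iface:dest" (assumed
#              syntax) additionally limits the rule to packets for dest
#   SOURCE     address or network the packet's SOURCE IP must match
#   ADDRESS    new source IP (SNAT); empty means MASQUERADE (assumed)
masq_to_iptables() {
    iface=$1 source=$2 address=$3 dst_match=""

    # split an optional destination restriction off the INTERFACE column
    case "$iface" in
        *:*) dst_match=" -d ${iface#*:}"; iface=${iface%%:*} ;;
    esac

    if [ -z "$iface" ] || [ -z "$source" ]; then
        echo "error: INTERFACE and SOURCE are required" >&2
        return 1
    fi

    # this example handles only address/network SOURCE values; an interface
    # name here (e.g. "eth0") is not something it can translate
    case "$source" in
        *[!0-9./]*)
            echo "error: SOURCE '$source' is not an address or network" >&2
            return 1 ;;
    esac

    if [ -n "$address" ]; then
        # ADDRESS must look like an IPv4 address, not an interface name
        case "$address" in
            *[!0-9.]*)
                echo "error: ADDRESS '$address' is not an IPv4 address" >&2
                return 1 ;;
        esac
        echo "iptables -t nat -A POSTROUTING -o $iface -s $source$dst_match -j SNAT --to-source $address"
    else
        echo "iptables -t nat -A POSTROUTING -o $iface -s $source$dst_match -j MASQUERADE"
    fi
}

# the first rule from the question, as Tom reads it
masq_to_iptables eth0 192.168.1.0/24 1.1.1.1
```

Running the script prints the rule that Tom describes: `-o eth0 -s 192.168.1.0/24 -j SNAT --to-source 1.1.1.1`. Feeding it the second line from the question (`eth0:10.1.0.1 eth0`) fails the SOURCE check, which is the quickest way to see why an interface name in that column does not express what the poster intended.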
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users