On 2/4/2015 12:37 PM, Gilbert Robert wrote:
> Hi,
> 
> I would like to establish an IPSEC connection from one site to one site.
> Site A is a Cisco ASA and site B is a Linux Debian Wheezy
> 
> On site A we don't have any access, but on site B we can do what we want.
> I installed Shorewall 4.5.5.3 and openswan 1:2.6.37-3+deb7u1
> 
> I spent a lot of time trying to connect those 2 sites like this
> 
> site B                                                          site A
> [ 10.1.0.0 ] -----[ 10.1.0.1 / eth0 143.123.123.121/28 ] ..... [ 190.120.87.165 ]---[193.198.43.0]
>                                eth0 143.123.123.122
> 
> This would be relatively simple if Site A did not want nat in the VPN. In 
> fact they want to see only one source address from the network B for example
> the 143.123.123.122. They don't want to see rfc1918 addresses in subnet B.
> 
> I read and reread the pages of shorewall but I'm a little bit confused now.
> I can establish IPsec phase I but not the second. IPsec therefore works, but 
> it appears that phase II is stuck.
> 
> My part of config:
> 
> interfaces
> vpn   ppp0    -
> net   eth0
> 
> hosts
> vpn   eth0:193.198.43.0/24   ipsec
> 
> masq
> eth0  10.1.0.0/24     143.123.123.122  -       -       -       mode=tunnel,tunnel-dst=193.198.43.0/24

Because the IPSEC PD doesn't recognize 10.1.0.0/24 as the source for any
IPSEC policy, I suspect that the rule never matches. You rather want:

eth0:193.198.43.0 10.1.0.0/24   143.123.123.122

> 
> tunnels
> ipsec net       190.120.87.165/32       vpn
> 
> Many thanks in advance for your help and lights ....
> 

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
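
One way to check the suspicion in the reply above, added here as an example and not part of the original message or of Shorewall: parse `ip xfrm policy` output and see whether any outbound IPsec policy selector covers a given source network. The sample output is constructed from the addresses in the thread (the tunnel endpoint 143.123.123.121 is an assumption), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample of `ip xfrm policy` output, not captured from the poster's
# host. Selectors use the thread's addresses; the local endpoint is assumed.
SAMPLE_XFRM_POLICY = """\
src 143.123.123.122/32 dst 193.198.43.0/24
\tdir out priority 2343 ptype main
\ttmpl src 143.123.123.121 dst 190.120.87.165
\t\tproto esp reqid 16385 mode tunnel
src 193.198.43.0/24 dst 143.123.123.122/32
\tdir in priority 2343 ptype main
\ttmpl src 190.120.87.165 dst 143.123.123.121
\t\tproto esp reqid 16385 mode tunnel
"""


def parse_policies(text):
    """Return a list of {'src', 'dst', 'dir'} dicts from `ip xfrm policy` text."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        # Selector lines are unindented: "src <net> dst <net>"
        if (not line[:1].isspace() and len(fields) >= 4
                and fields[0] == "src" and fields[2] == "dst"):
            policies.append({
                "src": ipaddress.ip_network(fields[1], strict=False),
                "dst": ipaddress.ip_network(fields[3], strict=False),
                "dir": None,
            })
        # The indented "dir in|out|fwd ..." line belongs to the last selector
        elif fields[:1] == ["dir"] and policies:
            policies[-1]["dir"] = fields[1]
    return policies


def outbound_policies_for(policies, src_net, dst_net):
    """Outbound policies whose selectors cover traffic from src_net to dst_net."""
    src = ipaddress.ip_network(src_net)
    dst = ipaddress.ip_network(dst_net)
    return [p for p in policies
            if p["dir"] == "out"
            and src.subnet_of(p["src"]) and dst.subnet_of(p["dst"])]


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_XFRM_POLICY)
    for src in ("10.1.0.0/24", "143.123.123.122/32"):
        hits = outbound_policies_for(pols, src, "193.198.43.0/24")
        print(f"{src}: {len(hits)} matching outbound policy(ies)")
```

On a live host, pass the real output of `ip xfrm policy` to `parse_policies` instead of the sample; an empty result for the pre-NAT source is consistent with a masq rule that depends on an IPsec policy match never firing.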

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users