On 3/17/2015 9:47 AM, Martin Kasztantowicz wrote:
> Hi,
> 
> I have a server running shorewall (hub) which does masquerading to
> a local lan via a second nic and has lan-to-lan connections to 3
> different locations (spokes) via strongswan IPsec tunnels. Everything
> works as expected but I can't find out how to tell shorewall to allow
> traffic between the spokes via the hub. I have already added routeback
> options on all interfaces and zone hosts but to no avail.
> 
> This is my topology:
> 
> Hub Server (OpenSuse 13.2, StrongSwan 5.1.3, Shorewall 4.6.7)
> s142-router.geotek.de
> NAT to local LAN 10.40.22.0/24
> 
> connected via IPsec to:
> Remote LAN1: 10.119.50.0/24
> Remote LAN2: 192.168.10.0/24
> Remote LAN3: 192.168.10.0/24
> 
> I can reach the local hub lan from any remote location and vice versa
> but I can't reach LAN2 from LAN1 as an example. Trying to ping between
> these locations shows up on the shorewall log as:
> 
> Mar 17 13:53:28 s142-router kernel:
> Shorewall:mangle:PREROUTING:IN=ens160 OUT=
> MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34
> DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP
> TYPE=8 CODE=0 ID=3 SEQ=35637
> Mar 17 13:53:28 s142-router kernel: Shorewall:nat:PREROUTING:IN=ens160
> OUT= MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34
> DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP
> TYPE=8 CODE=0 ID=3 SEQ=35637
> 
> A shorewall dump is enclosed.
> 
> It is clear that I have to tell shorewall how to handle
> inter-vpn-traffic but I have no idea how to do this. Could you please
> give me a hint?

The problem here isn't in your Shorewall configuration but in your IPsec
configuration.

1. Apparently, 212.202.242.2 has a policy that sends traffic
   10.119.50.0/24->192.168.10.0/24 via its tunnel to 148.251.195.62
   since your gateway is receiving that traffic.

2. On your gateway, however, there is no policy for traffic
   10.119.50.0/24->192.168.10.0/24 at all. As a consequence, it appears
   that the traffic is being dropped during forwarding.

As an additional note, routing table 202 does nothing; the default route
is the same as the routes in that table.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
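The fix Tom points at lives in the hub's strongSwan configuration, not in Shorewall: for a spoke-to-spoke packet to be forwarded, the hub needs an IPsec policy for both legs (the inbound leg from spoke 1 and the outbound leg towards spoke 2). The ipsec.conf fragment below is an added example, not taken from the thread or from the strongSwan project, showing the usual hub-and-spoke approach of listing the other spokes' subnets in each tunnel's hub-side traffic selectors. It takes the hub address 148.251.195.62, the LAN1 gateway 212.202.242.2 and the LAN subnets from the thread; the connection names, the choice of IKEv2 with a pre-shared key, and the LAN2 gateway address (a placeholder) are assumptions.

```ini
# /etc/ipsec.conf on the hub (added example; the LAN2 gateway is a placeholder)
config setup

conn %default
    keyexchange=ikev2
    authby=secret
    auto=start
    left=148.251.195.62              # hub's public address (from the thread)

# Before: each tunnel only covers hub LAN <-> spoke LAN. A packet
# 10.119.50.0/24 -> 192.168.10.0/24 arriving from spoke 1 matches no
# outbound policy on the hub, so the kernel drops it while forwarding.
#conn spoke1
#    right=212.202.242.2
#    leftsubnet=10.40.22.0/24
#    rightsubnet=10.119.50.0/24
#
#conn spoke2
#    right=LAN2_GATEWAY_PLACEHOLDER
#    leftsubnet=10.40.22.0/24
#    rightsubnet=192.168.10.0/24

# After: the hub side of each tunnel also carries the *other* spoke's
# subnet, so both legs of the spoke-to-spoke path have a policy.
conn spoke1
    right=212.202.242.2              # LAN1 gateway (from the thread)
    leftsubnet=10.40.22.0/24,192.168.10.0/24
    rightsubnet=10.119.50.0/24

conn spoke2
    right=LAN2_GATEWAY_PLACEHOLDER   # LAN2 gateway, not given in the thread
    leftsubnet=10.40.22.0/24,10.119.50.0/24
    rightsubnet=192.168.10.0/24
```

Each spoke must mirror this on its own side (for spoke 2, rightsubnet=10.40.22.0/24,10.119.50.0/24); Tom's first point shows that 212.202.242.2 already does. With IKEv2 the comma-separated subnets are negotiated as one CHILD_SA with multiple traffic selectors; with IKEv1 strongSwan sets up one SA per subnet pair instead. After reloading, `ip xfrm policy` on the hub should list an entry with src 10.119.50.0/24 and dst 192.168.10.0/24 in the out and fwd directions; if that entry is absent, the forwarding drop seen in the question will persist regardless of the routeback settings in Shorewall.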


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
