Hi Tom,
thank you very much for this fast response.
I know that my problem could theoretically be solved via StrongSwan by setting
all traffic selectors to 0.0.0.0/0 on all peers. Unfortunately our peers cannot
use these broad selectors because they also have several other tunnels as well.
This means we have to use narrow traffic selectors for all tunnels of the form
10.40.22.0/22 (gateway LAN) => 10.119.50.0/24 (Remote LAN 1)
10.40.22.0/22 (gateway LAN) => 192.168.10.0/24 (Remote LAN 2)
10.40.22.0/22 (gateway LAN) => 192.168.11.0/24 (Remote LAN 3)
...
In addition we have to use IKEv1 due to limitations on the remote VPN
appliances, which mandates that the traffic selectors must be identical on both
sides of the tunnels and is not even able to do split-tunnelling. This means I
have no idea how to handle this in StrongSwan under these circumstances.
However, if I have a working hub that has IPsec tunnels to several spokes I
assumed it would be possible to tell the gateway via shorewall rules how to
route traffic between the peers. IMO it would also be conceptually cleaner
and more manageable if StrongSwan IPsec were only used to build a number of
tunnels and have all routing and firewalling policies concentrated in one place
(Shorewall) where one would expect them to be.
Is there really no way to do this with Shorewall?
Martin
>>> Tom Eastep <[email protected]> 17.03.2015 23:50 >>>
On 3/17/2015 9:47 AM, Martin Kasztantowicz wrote:
> Hi,
>
> I have a server running shorewall (hub) which does masquerading to
> a local lan via a second nic and has lan-to-lan-connections to 3
> different locations (spokes) via strongswan ipsec tunnels. Everything
> works as expected but I can't find out how to tell shorewall to allow
> traffic between the spokes via the hub. I have already added routeback
> options on all interfaces and zone hosts but to no avail.
>
> This is my topology:
>
> Hub Server (OpenSuse 13.2, StrongSwan 5.1.3, Shorewall 4.6.7)
> s142-router.geotek.de
> NAT to local LAN 10.40.22.0/24
>
> connected via IPsec to:
> Remote LAN1: 10.119.50.0/24
> Remote LAN2: 192.168.10.0/24
> Remote LAN3: 192.168.10.0/24
>
> I can reach the local hub lan from any remote location and vice versa
> but I can't reach LAN2 from LAN1 as an example. Trying to ping between
> these locations shows up on the shorewall log as:
>
> Mar 17 13:53:28 s142-router kernel:
> Shorewall:mangle:PREROUTING:IN=ens160 OUT=
> MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34
> DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP
> TYPE=8 CODE=0 ID=3 SEQ=35637
> Mar 17 13:53:28 s142-router kernel: Shorewall:nat:PREROUTING:IN=ens160
> OUT= MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34
> DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP
> TYPE=8 CODE=0 ID=3 SEQ=35637
>
> A shorewall dump is enclosed.
>
> It is clear that I have to tell shorewall how to handle
> inter-vpn-traffic but I have no idea how to do this. Could you please
> give me a hint?
The problem here isn't in your Shorewall configuration but in your IPSEC
configuration.
1. Apparently, 212.202.242.2 has a policy that sends traffic
10.119.50.0/24->192.168.10.0/24 via its tunnel to 148.251.195.62
since your gateway is receiving that traffic.
2. On your gateway, however, there is no policy for traffic
10.119.50.0/24->192.168.10.0/24 at all. As a consequence, it appears
that the traffic is being dropped during forwarding.
As an additional note, routing table 202 does nothing; the default route
is the same as the routes in that table.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
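As an added example, not from this thread or from the Shorewall or strongSwan projects: a small Python checker that models Tom's diagnosis. It takes the hub's traffic selectors in the `local => remote` form Martin listed (the subnets are from the thread; the `HUB_POLICIES` table, the function names and the simplified coverage model are assumptions), parses the SRC/DST fields out of the quoted kernel log line, reports whether any selector pair covers that flow, and lists the spoke-to-spoke pairs for which the hub has no policy at all. It also shows why Martin's 0.0.0.0/0 remark holds: wildcard selectors cover every pair. The model ignores SA direction and policy priority; it only asks whether some selector pair contains both ends of a flow.

```python
"""Check an IPsec hub's traffic selectors against observed flows.

Added illustration of the thread's diagnosis: a packet between two spokes is
only handled by IPsec on the hub if some policy's local and remote selectors
cover its SRC and DST. Subnets are taken from the thread; the table below and
the coverage model are assumptions made for this example.
"""
import ipaddress
import re
from itertools import combinations

# Hub-side policies in "local TS => remote TS" form, as listed in the thread.
HUB_POLICIES = [
    ("10.40.22.0/22", "10.119.50.0/24"),   # Remote LAN 1
    ("10.40.22.0/22", "192.168.10.0/24"),  # Remote LAN 2
    ("10.40.22.0/22", "192.168.11.0/24"),  # Remote LAN 3
]

# Constructed from the kernel log line quoted in the thread (one line).
SAMPLE_LOG = (
    "Mar 17 13:53:28 s142-router kernel: Shorewall:mangle:PREROUTING:IN=ens160 OUT= "
    "MAC=00:50:56:00:44:8c:64:64:9b:6a:7a:cf:08:00 SRC=10.119.50.34 "
    "DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=254 ID=8754 PROTO=ICMP "
    "TYPE=8 CODE=0 ID=3 SEQ=35637"
)


def _net(cidr):
    # strict=False: "10.40.22.0/22" as written has host bits set (its network
    # address is 10.40.20.0/22); accept it the way a kernel policy would.
    return ipaddress.ip_network(cidr, strict=False)


def parse_flow(logline):
    """Extract (src, dst) addresses from a Shorewall/netfilter kernel log line."""
    m = re.search(r"\bSRC=(\S+)\s+DST=(\S+)", logline)
    if not m:
        raise ValueError("no SRC=/DST= fields in log line")
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def matching_policy(policies, src, dst):
    """First policy whose selectors cover the flow (either direction), else None."""
    for local, remote in policies:
        lnet, rnet = _net(local), _net(remote)
        if (src in lnet and dst in rnet) or (src in rnet and dst in lnet):
            return (local, remote)
    return None


def missing_spoke_policies(policies):
    """Unordered spoke pairs that no hub policy covers.

    A policy covers the pair (a, b) if one selector contains a and the other
    contains b; 0.0.0.0/0 selectors therefore cover every pair.
    """
    remotes = [remote for _, remote in policies]
    missing = []
    for a, b in combinations(remotes, 2):
        anet, bnet = _net(a), _net(b)
        covered = any(
            (anet.subnet_of(_net(l)) and bnet.subnet_of(_net(r)))
            or (anet.subnet_of(_net(r)) and bnet.subnet_of(_net(l)))
            for l, r in policies
        )
        if not covered:
            missing.append((a, b))
    return missing


def classify_log_line(policies, logline):
    """Short verdict for a logged packet: which policy applies, or none."""
    src, dst = parse_flow(logline)
    pol = matching_policy(policies, src, dst)
    if pol is None:
        return f"{src} -> {dst}: no IPsec policy on the hub; forwarding will drop it"
    return f"{src} -> {dst}: covered by {pol[0]} <=> {pol[1]}"


if __name__ == "__main__":
    print(classify_log_line(HUB_POLICIES, SAMPLE_LOG))
    for a, b in missing_spoke_policies(HUB_POLICIES):
        print(f"missing hub policy: {a} <=> {b}")
```

Run against the quoted log line, the checker reports that no hub selector pair covers 10.119.50.34 -> 192.168.10.10, which is exactly Tom's point 2, and lists the three spoke-to-spoke pairs the hub would need selectors for under narrow IKEv1 selectors.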
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users