Okay so maybe I am overthinking this. Would a feasible approach be:
1. Add the second external IP as eth0:0
2. In rules, DNAT 4500 and 500 to Zywall in admx zone:
DNAT net admx:<Zywall IP> udp 500 - <eth0:0 IP>
DNAT net admx:<Zywall IP> udp 4500 - <eth0:0 IP>
As per http://shorewall.net/VPN.htm
Thanks again
On Thu, Jun 4, 2015 at 1:11 PM, Chop Wow <[email protected]> wrote:
> Hi All,
>
> I have Libreswan/Xl2tpd IPSec/L2TP VPN running on the firewall appliance.
> As such I have the zones/interfaces/tunnel (see below) and standard rules
> associated with the VPN.
>
> A user in the admx zone has acquired a hardware stack that requires
> IPSEC/L2tp connection to connect to it. It has its own VPN/router.
>
> Can I define a second passthrough IPSEC tunnel to the user hardware and
> not affect my existing VPN on the Shorewall appliance?
>
> Thanks,
>
> ~Chop
>
>
>
> Shorewall version: 4.5.16.1
>
> interfaces
> ------------
> net eth0
> dhcp,tcpflags,nosmurfs,routefilter,sourceroute=0,blacklist
> loc eth1 tcpflags,nosmurfs,routefilter
> l2tp ppp+
> cpp eth2 tcpflags,nosmurfs
> dc1 eth3 tcpflags,nosmurfs
> admx eth4 tcpflags,nosmurfs
> ovpn tun+
>
> zones
> -------------
> fw firewall
> net ipv4
> vpn ipsec
> l2tp ipv4
> loc ipv4
> cpp ipv4
> dc1 ipv4
> admx ipv4
> ovpn ipv4
>
> tunnel
> ------------
> ipsec net 0.0.0.0/0 vpn
> openvpnserver:tcp:443 net 0.0.0.0/0
>
>
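One defender-side check that follows from this exchange, as an added example that is not from the thread: a small parser for Shorewall rules lines that flags a DNAT for udp 500/4500 with no ORIGDEST, since such a rule matches all inbound IKE/NAT-T traffic, including what is meant for the appliance's own Libreswan endpoint. It assumes the classic column order ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST, and the addresses in the sample are constructed placeholders.

```python
from dataclasses import dataclass

IKE_PORTS = {"500", "4500"}  # IKE and NAT-T


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dport: str
    sport: str
    origdest: str


def parse_rules(text: str) -> list[Rule]:
    """Parse rules-file lines; '-' or a missing trailing column means unspecified."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(("?", "SECTION")):  # skip section markers
            continue
        cols = line.split()
        cols += ["-"] * (7 - len(cols))  # pad absent trailing columns
        action = cols[0].split(":", 1)[0].upper()  # "DNAT:info" -> "DNAT"
        rules.append(Rule(action, *cols[1:7]))
    return rules


def unscoped_ike_dnats(text: str) -> list[Rule]:
    """Return DNAT rules for udp 500/4500 that are not pinned to an ORIGDEST."""
    hits = []
    for r in parse_rules(text):
        ports = set(r.dport.split(","))
        if (r.action == "DNAT" and r.proto.lower() == "udp"
                and ports & IKE_PORTS and r.origdest == "-"):
            hits.append(r)
    return hits


# Constructed sample: the two rules the reply proposes (pinned to the eth0:0
# address), plus one that forgot ORIGDEST and would hijack the appliance's IKE.
SAMPLE_RULES = """\
# ACTION  SOURCE  DEST             PROTO  DPORT  SPORT  ORIGDEST
DNAT      net     admx:192.0.2.20  udp    500    -      203.0.113.11
DNAT      net     admx:192.0.2.20  udp    4500   -      203.0.113.11
DNAT      net     admx:192.0.2.20  udp    500                 # no ORIGDEST
"""

if __name__ == "__main__":
    for r in unscoped_ike_dnats(SAMPLE_RULES):
        print(f"unscoped IKE DNAT: {r}")
```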
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users