Hi Tom,

Thanks for that.

I've configured the zones and options files like you suggest but it's not quite 
working.

Packets from the branch travel across the tunnel to the firewall and get passed 
to the Internet but tcpdump suggests that they are not NAT'd. Here's an 
outbound ping from one machine and a DNS request from another...

19:27:15.107897 IP 10.1.4.41 > 8.8.8.8: ICMP echo request, id 3, seq 14396, length 40
19:27:18.375539 IP 10.1.4.51.29901 > 8.8.8.8.domain: UDP, length 46

(10.1.4.0/24 is the branch network.) This is what I have in 
/etc/shorewall/snat...

SNAT(1.1.1.1) 10.1.4.0/24 eth0
SNAT(1.1.1.1) 10.249.1.0/24 eth0

(Clearly, 1.1.1.1 is a fake public IP address, but a real IP address is actually 
in the file at our end.) 10.249.1.0/24 is the subnet for the LAN in the data 
centre; masquerading from that subnet works fine.

Any ideas? Do I need to configure /etc/shorewall/tunnels or anything else?

Cheers
Jason.
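
[Added example, not code from the thread or from the Shorewall project.] Before changing the tunnel configuration, it is worth confirming exactly which flows leave the WAN interface untranslated and whether an existing snat entry should already have covered them. The script below does that offline: it reads tcpdump's text output taken on the WAN side, flags packets whose source is still an RFC1918 address while the destination is public, and looks each one up against the ACTION/SOURCE/DEST columns of /etc/shorewall/snat as shown in this thread. The capture lines and snat entries are constructed sample input (Jason's two packets, plus one correctly translated packet and one from a subnet with no entry, both made up for the example); the MASQUERADE row handling and the wan_if parameter are assumptions of the example, not thread content.

```python
"""Flag untranslated RFC1918 sources in a WAN-side tcpdump capture and match
them against /etc/shorewall/snat entries.

Added example for this thread, not code from Shorewall or from the thread's
authors.  The snat file format follows the three columns shown in the thread
(ACTION SOURCE DEST); capture lines are tcpdump's default '-n' text form.
"""
import ipaddress
import re

# RFC1918 blocks: a packet leaving the WAN interface with one of these as its
# source has not been SNAT'd, which is what Jason's capture shows.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: Jason's two tcpdump lines, plus one constructed line that
# was translated correctly and one constructed line from a subnet no entry covers.
SAMPLE_CAPTURE = """\
19:27:15.107897 IP 10.1.4.41 > 8.8.8.8: ICMP echo request, id 3, seq 14396, length 40
19:27:18.375539 IP 10.1.4.51.29901 > 8.8.8.8.domain: UDP, length 46
19:27:20.000000 IP 1.1.1.1 > 8.8.8.8: ICMP echo request, id 3, seq 14397, length 40
19:27:21.000000 IP 10.1.5.7.40000 > 8.8.8.8.domain: UDP, length 46
"""

# The two entries from the thread, as they would appear in /etc/shorewall/snat.
SAMPLE_SNAT = """\
#ACTION          SOURCE          DEST
SNAT(1.1.1.1)    10.1.4.0/24     eth0
SNAT(1.1.1.1)    10.249.1.0/24   eth0
"""

CAPTURE_RE = re.compile(r"^\S+ IP (\S+) > (\S+):")
# MASQUERADE rows are accepted as an assumption; the thread only shows SNAT(addr).
SNAT_RE = re.compile(r"^(SNAT\(\S+\)|MASQUERADE)\s+(\S+)\s+(\S+)")


def split_host(field):
    """tcpdump prints 'a.b.c.d' for ICMP and 'a.b.c.d.port' for TCP/UDP, where
    port may be a service name such as 'domain'.  Return just the IP address."""
    parts = field.split(".")
    if len(parts) == 5:
        field = ".".join(parts[:4])
    return ipaddress.ip_address(field)


def is_private(ip):
    return any(ip in net for net in RFC1918)


def parse_snat(text):
    """Return (action, source_network, out_interface, original_line) tuples;
    comment and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SNAT_RE.match(line)
        if m:
            rules.append((m.group(1), ipaddress.ip_network(m.group(2)),
                          m.group(3), line))
    return rules


def check_capture(capture_text, snat_text, wan_if="eth0"):
    """One finding per packet that left wan_if with an RFC1918 source towards a
    public destination, with the snat entry that should have translated it
    (None when no entry covers that source on that interface)."""
    rules = parse_snat(snat_text)
    findings = []
    for line in capture_text.splitlines():
        m = CAPTURE_RE.match(line)
        if not m:
            continue
        src, dst = split_host(m.group(1)), split_host(m.group(2))
        if not is_private(src) or is_private(dst):
            continue  # already translated, or private-to-private (tunnel) traffic
        rule = next((r[3] for r in rules if src in r[1] and r[2] == wan_if), None)
        findings.append({"src": str(src), "dst": str(dst), "rule": rule})
    return findings


if __name__ == "__main__":
    for f in check_capture(SAMPLE_CAPTURE, SAMPLE_SNAT):
        if f["rule"]:
            print(f"LEAK {f['src']} -> {f['dst']}: covered by '{f['rule']}' "
                  "but the entry is not taking effect")
        else:
            print(f"LEAK {f['src']} -> {f['dst']}: no snat entry for this source")
```

Where the capture is taken matters: on the tunnel side the branch addresses are always private, so only a capture on the WAN interface with ESP excluded (for example `tcpdump -ni eth0 'not ip proto 50'`) tells you whether translation happened. A finding that reports a covering entry, as both of Jason's packets do here, means the subnet and interface in the snat file are right and the problem lies in how the rule is being applied to decrypted tunnel traffic rather than in the entry itself.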

-----Original Message-----
From: Tom Eastep [mailto:teas...@shorewall.net] 
Sent: 29 September 2017 18:36
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] IPsec Tunnel as Default Gateway for Branch 
Offices

On 09/29/2017 10:14 AM, Jason Timmins wrote:
> Hi Tom,
> 
> Yes, they would. The standard FreeSWAN-based IP service on Linux.
> 

Okay -- this is actually fairly simple.

/etc/shorewall/zones:

#ZONE   TYPE    OPTIONS
brvpn   ipsec   mode=tunnel,proto=esp

/etc/shorewall/options

#ZONE   HOSTS                   OPTIONS
brvpn   $WAN_IF:0.0.0.0/0       routeback

Note 1: using the routeback option allows the branches to communicate between 
themselves.

Note 2: Here, WAN_IF holds the address of the 'net' interface.

Note 3: if you have other ipsec zones using $WAN_IF, then you will want to list 
the branch subnets rather than simply entering 0.0.0.0/0

Now, just configure the rules and policies and you should be all set.
Remember to configure masquerade/SNAT if the branches use RFC1918 addresses.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users