Hi Jason,

There is an article at https://libreswan.org/wiki/Subnet_extrusion that discusses this configuration. The solution is expressed in *Swan syntax; the basic features are:

- Both the left and right subnets are 0.0.0.0/0.
- On the responder side, a 'passthrough' policy is added to allow VPN access to the local LAN(s).

Hope that helps,
-Tom

On 10/03/2017 02:37 AM, Jason Timmins wrote:
> Hi Tom,
>
> That's a shame. Are you thinking that others on the Shorewall mailing list
> might be able to help?
>
> We're looking to connect remote sites to a central Shorewall-based firewall
> and have their Internet traffic pass via that server (rather than going
> direct.) However, Tom and I can't figure out why traffic from the IPsec
> tunnels isn't being NAT'd by the firewall. Anyone else got any ideas?
>
> Cheers
> Jason.
>
> -----Original Message-----
> From: Tom Eastep [mailto:teas...@shorewall.net]
> Sent: 02 October 2017 17:11
> To: Jason Timmins <ja...@mbmltd.co.uk>
> Cc: Shorewall Users <shorewall-users@lists.sourceforge.net>
> Subject: Re: FW: [Shorewall-users] IPsec Tunnel as Default Gateway for Branch
> Offices
>
> On 10/01/2017 01:27 PM, Jason Timmins wrote:
>> Hi Tom,
>>
>> This trace file is a bit longer than I'd have liked but you should be able
>> to find references to my machine, 10.1.4.41, trying to ping 8.8.8.8.
>>
>
> Okay -- you have no IPSEC policy covering these packets. What appears to be
> happening is that once they get through the routing stage of the IP stack
> flow, they are no longer processed by Netfilter (possibly because they match
> neither 'pol ipsec' nor 'pol none'). As my own IPSEC foo is rather weak, my
> attempts to produce a working IPSEC policy configuration for this case have
> all failed.
>
> Regards,
>
> -Tom

-- 
Tom Eastep          \ Q: What do you get when you cross a mobster with
Shoreline,           \    an international standard?
Washington, USA       \ A: Someone who makes you an offer you can't
http://shorewall.org   \    understand
\_______________________________________________
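An ipsec.conf fragment showing the shape of the two points Tom lists (a catch-all 0.0.0.0/0 tunnel plus a more specific passthrough for the hub's own LAN). This is an added illustration, not text from the libreswan wiki or from the thread; the addresses 203.0.113.1, 198.51.100.1 and 192.168.1.0/24 and the connection names are assumed placeholders.

```ini
# Hub side (the responder, i.e. the central firewall that should become the
# branch's default gateway). All addresses and names are placeholders.
conn branch-extrusion
    left=203.0.113.1            # hub public address (placeholder)
    leftsubnet=0.0.0.0/0        # hub offers "everything" to the branch
    right=198.51.100.1          # branch public address (placeholder)
    rightsubnet=0.0.0.0/0       # branch sends all of its traffic into the tunnel
    leftid=@hub
    rightid=@branch
    authby=secret
    auto=add

# The 0.0.0.0/0 policy above also matches traffic between the hub and its own
# LAN. A narrower passthrough policy for the LAN is more specific and wins,
# so that traffic is left in the clear instead of being pulled into IPsec.
conn hub-lan-passthrough
    left=203.0.113.1
    leftsubnet=192.168.1.0/24   # hub LAN (placeholder)
    right=0.0.0.0
    rightsubnet=192.168.1.0/24
    type=passthrough            # no IPsec processing for this traffic
    authby=never
    auto=route                  # install the policy without negotiating anything
```

After loading, `ip xfrm policy` on the hub should list the 0.0.0.0/0 policies and the LAN passthrough entries, which is also the place to look when, as in Jason's trace, a flow such as 10.1.4.41 to 8.8.8.8 has no policy covering it.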