On 12/14/2017 02:28 PM, Colony.three via Shorewall-users wrote:
> I have a VM which is the LAN router, and another VM in the LAN which
> is the ipsec gateway. (strongswan)
>
> I'm not fully understanding the guide here; 
> http://www.shorewall.net/IPSEC-2.6.html
>
> - Does this still apply to kernel 4.*?  There isn't a
> http://www.shorewall.net/IPSEC.html
>
> - It doesn't say to set up DNAT on the router.  How does the router
> know where the ipsec gateway is?
>
> - On the laptop, tunnels should be set as:  ipsec net 206.162.148.9
> vpn.  But what is that IP?  The dynamic IP of the laptop, or the
> outside interface of the remote router?
>
> - If the latter, is there a way in the laptop's tunnels to, instead of
> an explicit IP, do a DNS request, to get that remote IP?
>
> - Wouldn't I need to set up DNAT in and SNAT out for ports 500 and 4500?
>
> - How do I enable protocols 50 & 51?  Would that be on one or both ports?
>
There is no Shorewall document that describes configuring the local
responding endpoint on a system behind the Shorewall hosts. Such a
configuration is of very limited utility, since it only allows remote
access to the local endpoint host, and not to any other local host
(including the Shorewall host). So the IPSEC-2.6 document only covers
the case where the Shorewall host is the local responding endpoint.

If you really want to configure a host behind the firewall as your
local responding endpoint, then you must:

a) Configure IPSEC to use NAT Traversal.
b) DNAT UDP 500 and 4500 to the local endpoint host.

You don't need to worry about the other protocols, as they will
be encapsulated within UDP port 4500 packets.

-Tom

-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't 
http://shorewall.org \   understand
                      \_______________________________________________
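As an added illustration of the two steps in Tom's reply (this is not part of the original message or of the Shorewall documentation), the Shorewall `rules` entry that forwards IKE (UDP 500) and NAT-T / UDP-encapsulated ESP (UDP 4500) from the net zone to a strongSwan endpoint host on the LAN. The endpoint address 192.168.1.10 and the zone names `net` and `loc` are assumptions; replace them with the real values. For step (a), strongSwan's charon daemon detects that it is behind NAT and switches to UDP 4500 encapsulation on its own, so no extra option is needed there.

```text
# /etc/shorewall/rules  (added example; 192.168.1.10 is an assumed endpoint address)
#ACTION   SOURCE   DEST                 PROTO   DPORT
# IKE (ISAKMP, UDP 500) and NAT-T (UDP 4500) to the strongSwan host on the LAN
DNAT      net      loc:192.168.1.10     udp     500,4500
```

Run `shorewall check` before `shorewall restart`, then confirm with `shorewall show nat` (or `iptables -t nat -L -n`) that the DNAT rule is present. As the reply says, once NAT-T is negotiated the ESP traffic travels inside the UDP 4500 packets, so no rule for protocols 50 and 51 is needed.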