On 12/14/2017 02:55 PM, cac...@quantum-sci.com wrote:
> On 12/14/2017 02:50 PM, Tom Eastep wrote:
>> On 12/14/2017 02:28 PM, Colony.three via Shorewall-users wrote:
>>> I have a VM which is the LAN router, and another VM in the LAN which
>>> is the ipsec gateway. (strongswan)
>>>
>>> I'm not fully understanding the guide here; 
>>> http://www.shorewall.net/IPSEC-2.6.html
>>>
>>> - Does this still apply to kernel 4.*?  There isn't a
>>> http://www.shorewall.net/IPSEC.html
>>>
>>> - It doesn't say to set up DNAT on the router.  How does the router
>>> know where the ipsec gateway is?
>>>
>>> - On the laptop, tunnels should be set as:  ipsec net 206.162.148.9
>>> vpn.  But what is that IP?  The dynamic IP of the laptop, or the
>>> outside interface of the remote router?
>>>
>>> - If the latter, is there a way in the laptop's tunnels to, instead of
>>> an explicit IP, do a DNS request, to get that remote IP?
>>>
>>> - Wouldn't I need to set up DNAT in and SNAT out for ports 500 and 4500?
>>>
>>> - How do I enable protocols 50 & 51?  Would that be on one or both ports?
>>>
>> There is no Shorewall document that describes configuring the local
>> responding endpoint on a system behind the Shorewall hosts. Such a
>> configuration is of very limited utility, since it only allows remote
>> access to the local endpoint host, and not to any other local host
>> (including the Shorewall host). So the IPSEC-2.6 document only covers
>> the case where the Shorewall host is the local responding endpoint.
>>
>> If you really want to configure a host behind the firewall as your
>> local responding endpoint, then you must:
>>
>> a) Configure IPSEC to use NAT Traversal.
>> b) DNAT UDP 500 and 4500 to the local endpoint host.
>>
>> You don't need to worry about the other protocols, as they will
>> be encapsulated within UDP port 4500 packets.
>>
>> -Tom
> 
> Thanks.  The reason I have this structure in mind is, if ipsec is
> compromised, I want the ne'er-do-well to end up in a benign VM, -not-
> the router.
> 
> You're saying though if I do it this way, then the remote laptop cannot
> access machines on the LAN other than the gateway?  Surely there's an
> ipsec setting.
> 

No. You might be able to work around this by using SNAT on the endpoint
system, such that all traffic from the remote laptop through the local
endpoint is made to look like it came from the local endpoint host
itself. Like all NAT, that's a bit of a hack. You wouldn't need
Shorewall on the local endpoint for that; you could simply execute:

        iptables -t nat -A POSTROUTING -o <interface> -j MASQUERADE

during boot.

-Tom
-- 
Tom Eastep        \   Q: What do you get when you cross a mobster with
Shoreline,         \     an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.org \   understand
                      \_______________________________________________
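The two-host layout Tom describes (DNAT of UDP 500/4500 on the LAN router, MASQUERADE on the strongSwan VM) as an added example script; it is not from the thread or from Shorewall, and the interface names and the 192.168.1.10 endpoint address are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules for Tom's layout, where
# the LAN router forwards IKE/NAT-T to a strongSwan VM and the VM masquerades
# remote-laptop traffic toward the LAN. Interfaces/addresses are placeholders.
ROUTER_WAN_IF="${ROUTER_WAN_IF:-eth0}"      # router's Internet-facing interface
ENDPOINT_IP="${ENDPOINT_IP:-192.168.1.10}"  # strongSwan VM on the LAN (assumed)
ENDPOINT_LAN_IF="${ENDPOINT_LAN_IF:-eth0}"  # VM interface facing the LAN
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the commands, do not run

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# On the LAN router: DNAT IKE (UDP 500) and NAT-T (UDP 4500) to the VM and
# accept the forwarded packets. ESP (proto 50) and AH (51) are not opened:
# with NAT traversal they travel inside the UDP 4500 stream.
# Shorewall equivalent in /etc/shorewall/rules:
#   DNAT  net  loc:192.168.1.10  udp  500,4500
router_rules() {
    for port in 500 4500; do
        run iptables -t nat -A PREROUTING -i "$ROUTER_WAN_IF" -p udp \
            --dport "$port" -j DNAT --to-destination "$ENDPOINT_IP:$port"
        run iptables -A FORWARD -i "$ROUTER_WAN_IF" -d "$ENDPOINT_IP" \
            -p udp --dport "$port" -j ACCEPT
    done
}

# On the strongSwan VM (no Shorewall needed): forward decrypted traffic and
# masquerade it so LAN hosts see the VM as the source; replies then come back
# to the VM without any route changes on the LAN hosts (Tom's workaround).
endpoint_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -o "$ENDPOINT_LAN_IF" -j MASQUERADE
}

case "${1:-}" in
    router)   router_rules ;;
    endpoint) endpoint_rules ;;
esac
```

Run `DRY_RUN=1 sh script.sh router` (or `endpoint`) to review the rules before applying them on the respective host.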
