On 12/15/2017 12:58 PM, Colony.three via Shorewall-users wrote:
>
>>
>>> DNAT { SOURCE=net, DEST=apps:172.20.2.44, PROTO=udp,
>>> DPORT=500,4500, ORIGDEST=$IPSEC_IP }
>>>
>> Tom, on this line, is IPSEC_IP something I must set?

Only if you have more than one outside IP.

>>
>> If so, would this be the router's outside IP?

Yes, again if there are more than one and you only want to accept IKE
connections to one of them.

>> Could I do a command
>> substitution like $(curl ipinfo.io/ip) ?
>

No -- but you can use a Shorewall address variable like &eth0. See
http://www.shorewall.org/configuration_file_basics.htm#AddressVariables

-Tom

>
> PS - Here's what I've cooked up for the ipsec.d/ipsec-local.conf files.
> No idea if they work, but hopefully will today:
>
> Laptop:
>
> # Debug: A comma separated list, e.g: dmn 3, ike 1, net -1.
> # Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl,
> # net, asn, enc, lib, esp, tls, tnc, imc, imv, pts
> # and the level is one of -1, 0, 1, 2, 3, 4
> #charondebug = <debug list>
> #charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyexchange=ikev2
>     # https://lists.strongswan.org/pipermail/users/2015-April/007809.html
>     ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
>     esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
>     dpdaction=restart
>
> conn vpn
>     left=%any
>     leftcert=quantumcert.pem
>     leftsourceip=%config
>
>     right=192.168.1.2
>     rightsubnet=192.168.1.0/24,10.0.0.0/24
>
>     auto=start
>
>
> Left ipsec gateway (in LAN, beyond the router)
>
> # Debug: A comma separated list, e.g: dmn 3, ike 1, net -1.
> # Acceptable values for types are dmn, mgr, ike, chd, job, cfg, knl,
> # net, asn, enc, lib, esp, tls, tnc, imc, imv, pts
> # and the level is one of -1, 0, 1, 2, 3, 4
> #charondebug = <debug list>
> #charondebug="cfg 2, dmn 2, ike 2, net 2"
>
> conn %default
>     ikelifetime=60m
>     keylife=20m
>     rekeymargin=3m
>     keyexchange=ikev2
>     # https://lists.strongswan.org/pipermail/users/2015-April/007809.html
>     ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
>     esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
>     dpdaction=clear
>
> conn vpn
>     left=192.168.1.13
>     leftcert=quantumcert.pem
>     leftsendcert=always
>     leftsubnet=192.168.1.0/24,10.0.0.0/24
>
>     right=%any
>     rightsourceip=192.168.1.2/32
>     rightdns=192.168.1.1
>
>     auto=add
>

--
Tom Eastep              \ Q: What do you get when you cross a mobster with
Shoreline,               \    an international standard?
Washington, USA           \ A: Someone who makes you an offer you can't
http://shorewall.org       \    understand
\_______________________________________________
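The PS above pairs a client and a gateway ipsec.conf, and the first thing that has to agree between the two before anything else is debugged is the proposal lists: with the trailing `!` charon will not fall back to its default proposals, so a non-overlapping `ike=` or `esp=` fails the negotiation outright. The checker below is an added example, not code from the thread or from the strongSwan project. It parses the two fragments (embedded as constructed sample input, addresses copied as posted and not verified), folds `conn %default` into `conn vpn` the way charon does, lists the proposals a responder could select, and reports mismatches. `BAD_GATEWAY_CONF` is a hypothetical variant with a non-overlapping ESP proposal so the failing case is visible. It models only explicit proposal overlap, the strict flag, and the `%config`/`rightsourceip` pairing; it does not interpret proposal strings, consult charon's built-in defaults, or know anything about the Shorewall DNAT in front of the gateway.

```python
"""Cross-check a client and a gateway ipsec.conf for IKEv2 proposal
compatibility. Added example; constructed inputs, not a strongSwan tool."""
import re

# Constructed sample input: the two fragments posted in the thread, trimmed to
# the lines this check uses. Addresses are as posted, not verified.
CLIENT_CONF = """
conn %default
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
    esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
    dpdaction=restart

conn vpn
    left=%any
    leftcert=quantumcert.pem
    leftsourceip=%config
    right=192.168.1.2
    rightsubnet=192.168.1.0/24,10.0.0.0/24
    auto=start
"""

GATEWAY_CONF = """
conn %default
    keyexchange=ikev2
    ike=aes128gcm16-prfsha256-ntru256,aes256gcm16-prfsha384-ntru384!
    esp=aes128gcm16-ntru256,aes256gcm16-ntru384!
    dpdaction=clear

conn vpn
    left=192.168.1.13
    leftcert=quantumcert.pem
    leftsendcert=always
    leftsubnet=192.168.1.0/24,10.0.0.0/24
    right=%any
    rightsourceip=192.168.1.2/32
    rightdns=192.168.1.1
    auto=add
"""

# Hypothetical gateway whose ESP proposal shares nothing with the client's,
# to show the check failing. Not from the thread.
BAD_GATEWAY_CONF = GATEWAY_CONF.replace(
    "esp=aes128gcm16-ntru256,aes256gcm16-ntru384!", "esp=aes256-sha256-modp2048!")


def parse_ipsec_conf(text):
    """Parse 'conn NAME' sections into {name: {key: value}}, merging
    'conn %default' into every other conn (later keys override)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    default = sections.pop("%default", {})
    return {name: {**default, **kv} for name, kv in sections.items()}


def split_proposals(value):
    """'a,b!' -> (['a', 'b'], True). A trailing '!' tells charon not to append
    its default proposals, so only the listed ones can ever be negotiated."""
    strict = value.endswith("!")
    return [p for p in value.rstrip("!").split(",") if p], strict


def negotiable(initiator_value, responder_value):
    """Proposals the responder could select, in the initiator's offer order:
    the responder walks the initiator's SA payload and takes the first entry
    it also has configured."""
    offered, _ = split_proposals(initiator_value)
    accepted, _ = split_proposals(responder_value)
    accepted = set(accepted)
    return [p for p in offered if p in accepted]


def check_pair(client, gateway):
    """Return human-readable problems; an empty list means the two conns agree
    on everything this checker models."""
    problems = []
    if client.get("keyexchange") != gateway.get("keyexchange"):
        problems.append(f"keyexchange differs: {client.get('keyexchange')} "
                        f"vs {gateway.get('keyexchange')}")
    for key in ("ike", "esp"):
        c, g = client.get(key, ""), gateway.get(key, "")
        if negotiable(c, g):
            continue
        _, c_strict = split_proposals(c)
        _, g_strict = split_proposals(g)
        if c_strict and g_strict:
            problems.append(f"{key}: no common proposal and both sides are strict (!)")
        else:
            problems.append(f"{key}: no common explicit proposal; "
                            "only charon defaults could match")
    if client.get("leftsourceip") == "%config" and "rightsourceip" not in gateway:
        problems.append("client requests a virtual IP (%config) "
                        "but the gateway defines no rightsourceip pool")
    return problems


def run_checks():
    """Compare the posted client against the posted gateway and the bad one."""
    client = parse_ipsec_conf(CLIENT_CONF)["vpn"]
    good = parse_ipsec_conf(GATEWAY_CONF)["vpn"]
    bad = parse_ipsec_conf(BAD_GATEWAY_CONF)["vpn"]
    return {"good": check_pair(client, good), "bad": check_pair(client, bad)}


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(name, "OK" if not problems else problems)
```

Run it as a script to see both results, or import `run_checks()`. On the Shorewall side of the same setup: because the gateway sits behind the router's NAT, both peers detect NAT during IKE_SA_INIT and carry ESP inside UDP 4500 (NAT-T), so forwarding UDP 500 and 4500 is exactly what the DNAT rule needs; a rule for raw ESP (IP protocol 50) would not help here.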
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users