Your advice has been very helpful and I've been able to get VPN working fine sans shorewall. I was having an asymmetric routing problem. Per the links you provided I am now having a traffic shaping problem. I've attached a dump. Note that I have setup route-based VPN using BGP so my tunnel interfaces are tun0 and tun1. I've ready read all of the ipsec docs multiple times along with some other stuff I found on the internet and this is what I arrived at:
zones:
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
loc ipv4
vpn ipv4
interfaces:
#ZONE INTERFACE OPTIONS
net NET_IF
dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth1
loc LOC_IF tcpflags,nosmurfs,routefilter,logmartians,physical=eth0
vpn tun0,tun1
tunnels:
(is blank--sounds like this is deprecated)
rules:
(no rules for vpn since policy should handle)
policy:
#SOURCE DEST POLICY LOGLEVEL RATE CONNLIMIT
loc net ACCEPT
$FW net ACCEPT
net all DROP $LOG_LEVEL
# vpn traffic
vpn $FW,loc ACCEPT
$FW,loc vpn ACCEPT
# THE FOLOWING POLICY MUST BE LAST
all all REJECT $LOG_LEVEL
Admittedly, I've tried a bunch of stuff with policy with little effect. From
the logs it appears the inside IP addresses are being blocked, but I don't
understand why the policy file wouldn't handle opening that. Do I still need
some rules configured for this? That doesn't seem to make sense to me.
Thx! -john
On 10/3/18, 6:48 PM, "Tom Eastep" <teas...@shorewall.net> wrote:
On 10/03/2018 03:12 PM, John Peak via Shorewall-users wrote:
> First, THANK YOU Tom for making Shorewall and the rest of the team for
> supporting! I’ve used it for over 10 years and have been very happy.
>
>
>
> I’ve looked for weeks for an answer to this with no success. I suspect
> I’m at risk of getting flamed for being off-topic or missing an article
> but I’m not sure where to go. I’m trying to setup a site-to-site VPN
> using AWS, ipsec and Shorewall. I realized that some of my questions
> may be more AWS than Shorewall, but I’m honestly unclear on where the
> delineation exists. I would be glad to write-up a How-To once I get
> this figured out.
>
>
>
> Situation:
>
> * I have successfully setup a VPN connection using StrongSwan between
> my local network (Customer Gateway) and AWS (Virtual Private
> Gateway) using this article:
>
https://aravindkrishnaswamy.wordpress.com/2014/11/26/site-to-site-vpn-between-openvpn-and-aws/.
> It shows that the VPN connection is “UP”. The VPN connection and
> public IP all run over my “eth1” interface. “eth0” is my internal
> subnet.
> * I have Shorewall setup on my Customer Gateway box with standard
> rules for my network. I augmented these by following this article:
>
https://danielpocock.com/practical-linux-vpns-with-strongswan-shorewall-and-openwrt,
> without it making any apparent difference.
> * When I attempt to ping the Customer Gateway (on 192.168.90.0/24)
> from an AWS EC2 instance (10.0.0.0/16) it tells me “From
> 192.168.90.1 icmp_seq=1 Destination Host Unreachable”. This tells
> me that the gateway on my local network is responding.
No, it doesn't.
> * This falls into the “local-gateway-to-remote-gateway” configuration
> and I have read all of the related articles (VPNBasics, IPSec) with
> no clear use-case that maps to mine.
>
>
>
> My questions:
>
> * I do not have specific VPN interfaces like “vti0” associated with
> the VPN. StrongSwan has simply established a VPN tunnel over UDP to
> the Remote Gateway at AWS. Should I somehow create these and what
> is the proper way?
No -- Since kernel 2.6, there is no special interface created by IPSEC.
> If not, what is the correct way for Shorewall to
> recognize that I have both local traffic going to the internet AND
> traffic destined for the remote network going over the tunnel all on
> the same “eth1” interface?
The IPSEC-2.6 article (http://www.shorewall.org/IPSEC-2.6.html) covers
this configuration. See the answer to your next question for additional
clarification.
> * I recognized that at least part of my problem is setting up routing
> properly.
That is unlikely. IPSEC is parallel to routing. Traffic to be handled by
IPSEC is initially routed via the standard routing tables, which usually
means that it will be routed out of your eth1 interface. The IP stack,
however, understands that this traffic is going to be handled by IPSEC,
and Shorewall generates rules using the IPSEC 'policy' match to apply
rules that apply to traffic that is being sent to the appropriate
'ipsec' zone.
Rather than sending the traffic directly out of eth1, the IP stack
consults the IPSEC Security Policy Database (SPD) and Security
Association Database (SAD) and encrypts/encapsulates the traffic and
sends it to the appropriate remote gateway.
> AWS provides a config file that references the “Inside IP
> addresses”, which is a /30 CIDR block and the next hop address.
> I’ve tried creating routes on the Customer Gateway doing stuff like
> “ip route add 169.254.24.1/32 via 18.111.233.123 dev eth1” but none
> work. Most say “invalid argument” or “network unreachable”. Should
> Shorewall be configured to somehow manage routing? Should I be
> configuring this elsewhere with a way for Shorewall to recognized
> that it exists?
>
> Any ideas on how to troubleshoot or what my overall Shorewall and/or
> network configuration are much appreciated.
>
My advice is to first get IPSEC working without Shorewall, such that
traffic between AWS and your local network is flowing. THEN add
Shorewall. If you do it that way, then any problems that arise when
adding Shorewall represent Shorewall configuration issues. If you reach
that point and things stop working, then please submit a Shorewall dump
as described at http://www.shorewall.org/support.htm#Guidelines
-Tom
--
Tom Eastep \ Q: What do you get when you cross a mobster with
Shoreline, \ an international standard?
Washington, USA \ A: Someone who makes you an offer you can't
http://shorewall.org \ understand
\_______________________________________________
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
shoreall_dump.tgz
Description: Binary data
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
