Hi, I have a shorewall-5.2.0.4 system on fedora28 and have set it up with a few VPN connections. The problem I'm having is with how to instruct shorewall that there is a range of IPs behind the remote VPN endpoint (also a shorewall system) that should be considered as part of the VPN.
For now I've added the IPs in the DMZ of the remote firewall to the vpn line in the hosts file, but I can't imagine that's correct, given it specifies the interface.

Here's a list of all networks involved:

  65.45.72.6 & 64.1.15.1: external and internal interface on cyclops (remote firewall)
  68.194.193.42 & 192.168.1.1: external and internal interfaces on orion (local firewall)
  107.155.66.2: remote Linux system
  66.103.218.96/28: DMZ connected to cyclops
  64.1.15.0/27: DMZ connected to cyclops
  192.168.6.0/24: road warrior network connected to 68.195.193.42
  192.168.1.0/24: internal LAN

Here is an example. The 64.1.15.3 IP is in the DMZ behind the remote firewall. This is a mail server trying to communicate with the mail server on the local shorewall firewall.

  [11440.214121] ext-fw REJECT IN=br0 OUT= MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=64.1.15.3 DST=68.194.193.42 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=10192 DF PROTO=TCP SPT=52208 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0

Here is my local hosts file.

  vpn br0:192.168.6.0/24,192.168.1.0/24,65.45.72.6,64.1.15.0/27,68.194.193.42,66.103.218.96/28,107.155.66.2 ipsec

Here is the output from 'shorewall dump':

  https://pastebin.com/e8gvjmFr

Thanks,
Alex

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
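As an added example (not part of the post above and not Shorewall's own code), a short Python script that parses the rejected-packet log line and the hosts entry quoted in the post, and reports the zone the hosts entry would assign to the source address next to the zone pair the log prefix shows the packet was actually matched in. It assumes the log prefix has the `<srczone>-<dstzone>` form seen in the quoted line, and it only records the `ipsec` option; it does not model IPsec policy matching, so a mismatch it reports is a pointer to check the zone classification, not a diagnosis.

```python
import ipaddress
import re

# Constructed from the log line and hosts entry quoted in the post above.
LOG_LINE = ("[11440.214121] ext-fw REJECT IN=br0 OUT= "
            "MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 "
            "SRC=64.1.15.3 DST=68.194.193.42 LEN=60 TOS=0x00 PREC=0x00 TTL=50 "
            "ID=10192 DF PROTO=TCP SPT=52208 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0")
HOSTS_LINE = ("vpn br0:192.168.6.0/24,192.168.1.0/24,65.45.72.6,64.1.15.0/27,"
              "68.194.193.42,66.103.218.96/28,107.155.66.2 ipsec")

def parse_log(line):
    """Return (log prefix such as 'ext-fw', disposition, KEY=VALUE fields)."""
    m = re.match(r"^\[[\d.]+\]\s+(?P<chain>\S+)\s+(?P<disp>ACCEPT|DROP|REJECT)\s+(?P<rest>.*)$",
                 line)
    if not m:
        raise ValueError("not a netfilter log line")
    # Flag tokens without '=' (DF, SYN) carry no value and are skipped.
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return m.group("chain"), m.group("disp"), fields

def parse_hosts(line):
    """Parse one Shorewall hosts(5) entry: ZONE  INTERFACE:HOSTS  [OPTIONS]."""
    parts = line.split()
    zone, (iface, hosts) = parts[0], parts[1].split(":", 1)
    nets = [ipaddress.ip_network(h, strict=False) for h in hosts.split(",")]
    return {"zone": zone, "iface": iface, "nets": nets, "options": parts[2:]}

def expected_zone(src, entry):
    """Zone the hosts entry would assign to src, or None if no listed network matches."""
    addr = ipaddress.ip_address(src)
    return entry["zone"] if any(addr in n for n in entry["nets"]) else None

def explain(log_line, hosts_line):
    """Compare the zone implied by the log prefix with the zone the hosts entry expects."""
    chain, disp, f = parse_log(log_line)
    entry = parse_hosts(hosts_line)
    actual_src_zone = chain.split("-")[0]   # assumes '<srczone>-<dstzone>' prefix
    want = expected_zone(f["SRC"], entry)
    return {"src": f["SRC"], "iface": f["IN"], "disp": disp,
            "actual_src_zone": actual_src_zone, "hosts_zone": want,
            "options": entry["options"],
            "mismatch": want is not None and want != actual_src_zone
                        and f["IN"] == entry["iface"]}

if __name__ == "__main__":
    print(explain(LOG_LINE, HOSTS_LINE))
```

For the quoted line the source 64.1.15.3 falls inside 64.1.15.0/27 on br0, so the hosts entry expects zone vpn while the prefix shows it was matched as ext; that is the gap to look at together with the ipsec option and the `shorewall dump` output.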