Hi,

On Tue, Dec 11, 2018 at 7:44 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> On 12/11/18 3:10 PM, Alex wrote:
> > Hi,
> > I have a shorewall-5.2.0.4 system on fedora28 and have set it up with
> > a few VPN connections. The problem I'm having is with how to instruct
> > shorewall that there is a range of IPs behind the remote VPN endpoint
> > (also a shorewall system) that should be considered as part of the
> > VPN.
> >
> > For now I've added the IPs in the DMZ of the remote firewall to the
> > vpn line in the hosts file, but I can't imagine that's correct, given
> > it specifies the interface.
> >
> > Here's a list of all networks involved:
> >
> > 65.45.72.6 & 64.1.15.1: external and internal interface on cyclops
> > (remote firewall)
> > 68.194.193.42 & 192.168.1.1: external and internal interfaces on orion
> > (local firewall)
> > 107.155.66.2: remote Linux system
> > 66.103.218.96/28: DMZ connected to cyclops
> > 64.1.15.0/27: DMZ connected to cyclops
> >
> > 192.168.6.0/24: road warrior network connected to 68.195.193.42
> > 192.168.1.0/24: internal LAN
> >
> > Here is an example. The 64.1.15.3 IP is in the DMZ behind the remote
> > firewall. This is a mail server trying to communicate with the mail
> > server on the local shorewall firewall.
> >
> > [11440.214121] ext-fw REJECT IN=br0 OUT=
> > MAC=0c:c4:7a:a9:18:de:a4:15:88:a9:30:b7:08:00 SRC=64.1.15.3
> > DST=68.194.193.42 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=10192 DF
> > PROTO=TCP SPT=52208 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
> >
> > Here is my local hosts file.
> > vpn
> > br0:192.168.6.0/24,192.168.1.0/24,65.45.72.6,64.1.15.0/27,68.194.193.42,66.103.218.96/28,107.155.66.2
> > ipsec
> >
> > Here is the output from 'shorewall dump'
> > https://pastebin.com/e8gvjmFr
> >
>
> The dump shows that there is no IPSec policy that covers 64.1.15.3 ->
> 68.194.193.42. So this traffic is being treated as coming from the vpn
> zone. This is an IPSEC configuration issue, not a Shorewall
> configuration issue.
Can you explain where you see that the traffic is being treated as
coming from the VPN zone?

Can I define a VPN policy in shorewall that includes 64.1.15.0/28 and
66.103.218.0/27, the two ranges in the DMZ, in the same way I defined
the 65.45.72.2 endpoint?

Should I remove those ranges from the vpn entry in the shorewall hosts
file?

Thanks so much,
Alex

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
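Added example, not part of the thread and not Shorewall project code. The point it illustrates is the one Tom's reply turns on: when a hosts entry carries the `ipsec` option, Shorewall only assigns a packet to that zone if the kernel's IPsec policy database (what `ip xfrm policy` prints, and what the IPsec section of `shorewall dump` is built from) has an inbound policy whose selector covers the packet. Listing 64.1.15.0/27 on the `vpn` line does not create such a policy; that comes from the IKE daemon's traffic selectors. A packet with no covering inbound policy is classified by the interface's other zone (here `ext`, hence `ext-fw REJECT`). The script below parses a constructed `ip xfrm policy` dump (not the pastebin contents; the addresses are reused only to mirror the thread), audits each network on the `vpn` hosts line for a backing inbound policy, and shows the 64.1.15.3 -> 68.194.193.42 check failing before and passing after a constructed DMZ policy is present.

```python
"""Audit a Shorewall `ipsec` hosts entry against `ip xfrm policy` output.
Added example; the policy dump, extra policy and hosts line below are
constructed for illustration, not taken from the thread's pastebin."""
import ipaddress
import re

# Constructed `ip xfrm policy` output: tunnel policies for the cyclops
# endpoint itself and for the road-warrior subnet, but nothing whose src
# selector covers the DMZ ranges behind cyclops.
SAMPLE_XFRM_POLICY = """\
src 65.45.72.6/32 dst 68.194.193.42/32
    dir in priority 1042407 ptype main
    tmpl src 65.45.72.6 dst 68.194.193.42
        proto esp reqid 1 mode tunnel
src 68.194.193.42/32 dst 65.45.72.6/32
    dir out priority 1042407 ptype main
    tmpl src 68.194.193.42 dst 65.45.72.6
        proto esp reqid 1 mode tunnel
src 192.168.6.0/24 dst 192.168.1.0/24
    dir in priority 1042407 ptype main
    tmpl src 0.0.0.0 dst 68.194.193.42
        proto esp reqid 2 mode tunnel
src 192.168.1.0/24 dst 192.168.6.0/24
    dir out priority 1042407 ptype main
    tmpl src 68.194.193.42 dst 0.0.0.0
        proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

# Constructed: the inbound policy the kernel would carry once the IKE daemon
# negotiates a child SA whose traffic selectors include the 64.1.15.0/27 DMZ.
EXTRA_DMZ_POLICY = """\
src 64.1.15.0/27 dst 68.194.193.42/32
    dir in priority 1042407 ptype main
    tmpl src 65.45.72.6 dst 68.194.193.42
        proto esp reqid 3 mode tunnel
"""

# Constructed copy of the hosts entry from the thread: ZONE HOSTS OPTIONS.
SAMPLE_HOSTS_LINE = ("vpn br0:192.168.6.0/24,192.168.1.0/24,65.45.72.6,64.1.15.0/27,"
                     "68.194.193.42,66.103.218.96/28,107.155.66.2 ipsec")

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")  # proto/port selectors ignored
DIR_RE = re.compile(r"^\s+dir (in|out|fwd)\b")


def parse_xfrm_policies(text):
    """Return (src_net, dst_net, direction) triples from `ip xfrm policy` output.
    Socket policies have a `socket in/out` line instead of `dir` and are skipped."""
    policies, selector = [], None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1), strict=False),
                        ipaddress.ip_network(m.group(2), strict=False))
            continue
        m = DIR_RE.match(line)
        if m and selector is not None:
            policies.append((selector[0], selector[1], m.group(1)))
            selector = None
    return policies


def covering_policies(policies, src_ip, dst_ip, direction):
    """Policies whose selector contains the src->dst pair in that direction.
    An empty list for "in" means `-m policy --dir in --pol ipsec` cannot match
    the packet, so an `ipsec` hosts entry will not claim it for its zone."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return [p for p in policies
            if p[2] == direction and src in p[0] and dst in p[1]]


def parse_hosts_line(line):
    """Split a hosts-file line into (zone, interface, [networks], {options})."""
    zone, hosts, *options = line.split()
    iface, _, nets = hosts.partition(":")
    return zone, iface, [ipaddress.ip_network(n) for n in nets.split(",")], set(options)


def audit_hosts_entry(hosts_line, xfrm_text):
    """Map each network in an `ipsec` hosts entry to True if some inbound
    policy's src selector fully contains it, else False."""
    _zone, _iface, nets, options = parse_hosts_line(hosts_line)
    if "ipsec" not in options:
        raise ValueError("entry has no ipsec option; policy matching does not apply")
    inbound = [p for p in parse_xfrm_policies(xfrm_text) if p[2] == "in"]
    return {str(net): any(p[0].version == net.version and net.subnet_of(p[0])
                          for p in inbound)
            for net in nets}


if __name__ == "__main__":
    for net, ok in audit_hosts_entry(SAMPLE_HOSTS_LINE, SAMPLE_XFRM_POLICY).items():
        print(f"{net:<20} {'backed by inbound policy' if ok else 'NO inbound policy'}")
    before = covering_policies(parse_xfrm_policies(SAMPLE_XFRM_POLICY),
                               "64.1.15.3", "68.194.193.42", "in")
    after = covering_policies(parse_xfrm_policies(SAMPLE_XFRM_POLICY + EXTRA_DMZ_POLICY),
                              "64.1.15.3", "68.194.193.42", "in")
    print("64.1.15.3 -> 68.194.193.42 covered:", bool(before), "->", bool(after))
```

Run against a real firewall, replace the constructed strings with the output of `ip xfrm policy` and the live hosts line; any network the audit reports as unbacked will never be matched as part of the `ipsec` zone no matter how the hosts file is written, which is the check that separates an IPsec configuration problem from a Shorewall one.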