[Shorewall-users] Shorewall settings for IPSec & openVPN

Tue, 17 Mar 2020 15:06:50 -0700 

Hi!
I am attempting to configure IPSec tunnel between LOCAL (LibreSwan3.29, 
Fedora31 kernel 5.5.7) and REMOTE (Windows server). Below are distilled LAN & 
WAN IP on both sides. 
LOCAL SIDE                                                            REMOTE 
SIDE
LAN range 12.12.12.12/29 - WAN 11.11.11.11 ~~~ 10.10.10.10 WAN - 9.9.9.9 one 
LAN IP

openVPN server is configured on the LOCAL SIDE for road warriors, working fine.
Reading  https://shorewall.org/IPSEC-2.6.html  and   
https://shorewall.org/IPSEC.htm  I edited Shorewall 5.2 config files in order 
to add IPSec: 

1. /etc/shorewall/zones
sec        ipv4    # for IPSec
vpn        ipv4    # for openVPN

2. /etc/shorewall/hosts
sec          enp2s0:9.9.9.9            ipsec        #  the only LAN IP on 
remote side

3. /etc/shorewall/interfaces                  -  no change in new kernels – ???
net        enp2s0            dhcp,wait=10
loc        eno1
vpn        tun+

4. /etc/shorewall/tunnels
openvpnserver:udp:1198        net        0.0.0.0/0       #for openVPN server 
ipsec                                   net        10.10.10.10   #for IPsec:  
WAN IP on remote side

5. /etc/shorewall/snat 
SNAT(11.11.11.11)    0.0.0.0/0          enp2s0       # local server WAN IP (for 
openVPN)
SNAT(!9.9.9.9)        12.12.12.12/29    enp2s0       # exclude IPSec traffic: 
9.9.9.9 - the only LAN IP on remote side  (for IPSec)       ????
                                                 # exclude IPSec traffic: 
12.12.12.12/29 - LAN IP range on the local side (for IPSec)                     
                            
Second line is not accepted – invalid IP 9.9.9.9  Examples touch 
/etc/shorewall/masq file, do not know what is correct to insert in 
/etc/shorewall/snat 
                                 
6. /etc/shorewall/policy
$FW        vpn        ACCEPT
loc        vpn        ACCEPT
vpn        $FW        ACCEPT
vpn        loc        ACCEPT
loc        sec        ACCEPT
sec        loc        ACCEPT
sec        $FW        ACCEPT
$FW        sec        ACCEPT
net        sec        ACCEPT        -   is this needed ????

7. /etc/shorewall/rules
ACCEPT        net            $FW        tcp    50
ACCEPT        net            $FW        tcp    51
ACCEPT        net            $FW        udp    500
ACCEPT        net            $FW        udp    4500


Below is LibreSwan config file with PSF, set according to REMOTE SIDE 
requirements, just in case:

config setup
    protostack=netkey
    ikeport=500
    nat-ikeport=4500
    secretsfile=/etc/ipsec.secrets

conn miel-am 
    left=11.11.11.11
    right=10.10.10.10
    leftsubnet=12.12.12.12/29
    rightsubnet=9.9.9.9/32
    auto=start
    dpddelay=10 
    dpdtimeout=60 
    dpdaction=restart
    keyingtries=%forever
    ikev2=no
    keyexchange=ike
    type=tunnel
    authby=secret
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1;modp1024
    pfs=yes
    aggressive=no
    ikelifetime=36000
    salifetime=28800


Something is messed up. Could You use the red pen to correct my Shorewall 
configuration?

Best regards!

Andrey
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users






















					Reply via email to