On 3/17/20 2:39 PM, Andrey Andreev wrote:
> Hi! I am attempting to configure IPSec tunnel between LOCAL
> (LibreSwan3.29, Fedora31 kernel 5.5.7) and REMOTE (Windows server).
> Below are distilled LAN & WAN IP on both sides.
>
>   LOCAL SIDE                                   REMOTE SIDE
>   LAN range 12.12.12.12/29 - WAN 11.11.11.11 ~~~ 10.10.10.10 WAN - 9.9.9.9 one LAN IP
>
> openVPN server is configured on the LOCAL SIDE for road warriors,
> working fine. Reading https://shorewall.org/IPSEC-2.6.html and
> https://shorewall.org/IPSEC.htm I edited Shorewall 5.2 config
> files in order to add IPSec:
>
> 1. /etc/shorewall/zones
>      sec   ipv4   # for IPSec
>      vpn   ipv4   # for openVPN
>
> 2. /etc/shorewall/hosts
>      sec   enp2s0:9.9.9.9   ipsec   # the only LAN IP on remote side
>
> 3. /etc/shorewall/interfaces - no change in new kernels – ???
>      net   enp2s0   dhcp,wait=10
>      loc   eno1
>      vpn   tun+
>
> 4. /etc/shorewall/tunnels
>      openvpnserver:udp:1198   net   0.0.0.0/0     # for openVPN server
>      ipsec                    net   10.10.10.10   # for IPsec: WAN IP on remote side
>
> 5. /etc/shorewall/snat
>      SNAT(11.11.11.11)   0.0.0.0/0        enp2s0   # local server WAN IP (for openVPN)
>      SNAT(!9.9.9.9)      12.12.12.12/29   enp2s0   # exclude IPSec traffic: 9.9.9.9 - the only LAN IP on remote side (for IPSec)
>      ????                                          # exclude IPSec traffic: 12.12.12.12/29 - LAN IP range on the local side (for IPSec)
>
>    Second line is not accepted – invalid IP 9.9.9.9.
>    Examples touch /etc/shorewall/masq file; I do not know what is
>    correct to insert in /etc/shorewall/snat.
>
> 6. /etc/shorewall/policy
>      $FW   vpn   ACCEPT
>      loc   vpn   ACCEPT
>      vpn   $FW   ACCEPT
>      vpn   loc   ACCEPT
>      loc   sec   ACCEPT
>      sec   loc   ACCEPT
>      sec   $FW   ACCEPT
>      $FW   sec   ACCEPT
>      net   sec   ACCEPT   - is this needed ????
>
> 7. /etc/shorewall/rules
>      ACCEPT   net   $FW   tcp   50
>      ACCEPT   net   $FW   tcp   51
>      ACCEPT   net   $FW   udp   500
>      ACCEPT   net   $FW   udp   4500
>
> Below is LibreSwan config file with PSK, set according to REMOTE
> SIDE requirements, just in case:
>
>   config setup
>       protostack=netkey
>       ikeport=500
>       nat-ikeport=4500
>       secretsfile=/etc/ipsec.secrets
>
>   conn miel-am
>       left=11.11.11.11
>       right=10.10.10.10
>       leftsubnet=12.12.12.12/29
>       rightsubnet=9.9.9.9/32
>       auto=start
>       dpddelay=10
>       dpdtimeout=60
>       dpdaction=restart
>       keyingtries=%forever
>       ikev2=no
>       keyexchange=ike
>       type=tunnel
>       authby=secret
>       ike=3des-sha1;modp1024
>       phase2=esp
>       phase2alg=3des-sha1;modp1024
>       pfs=yes
>       aggressive=no
>       ikelifetime=36000
>       salifetime=28800
>
> Something is messed up. Could you use the red pen to correct my
> Shorewall configuration?

I am afraid I can't be of much help without some additional information:

- The output of 'shorewall check -T' (you can obfuscate the IP address if you must, but I suspect that it might be the issue)
- The output of 'shorewall version' (Surprisingly, Shorewall has changed a lot over the 20 years that it has been in the field)

I suspect, however, that the error you are seeing has nothing to do with your IPSec configuration.

-Tom
-- 
Tom Eastep           \ Q: What do you get when you cross a mobster
Shoreline,            \    with an international standard?
Washington, USA        \ A: Someone who makes you an offer you
http://shorewall.org    \    can't understand
                         \________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
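The two fragments below are an added example of how the snat and rules entries from the question are usually written for the "do not NAT traffic that will enter the IPsec tunnel" case; they are not part of Andrey's or Tom's message and have not been checked against his system, so run 'shorewall check' on them first. They assume the addresses and interface names from the question, that the DEST column of /etc/shorewall/snat accepts an exclusion list after the interface name (the same "interface:!address" form the older masq file uses, per shorewall-snat(5) and shorewall-exclusion(5)), and that the PROTO column accepts a protocol number.

```conf
# /etc/shorewall/snat (added example; values from the question above)
#ACTION              SOURCE           DEST                 PROTO   PORT    IPSEC
# NAT everything leaving enp2s0 to the WAN address, but exclude the remote
# tunnel endpoint 9.9.9.9 so packets from 12.12.12.12/29 keep their real
# source address and match the leftsubnet/rightsubnet policy of conn miel-am.
# The exclusion goes in the DEST column; a "!" inside SNAT(...) is not valid,
# which is why the original second line was rejected as an invalid IP.
SNAT(11.11.11.11)    0.0.0.0/0        enp2s0:!9.9.9.9

# /etc/shorewall/rules (added example)
#ACTION   SOURCE   DEST   PROTO   DPORT
# IKE and NAT-Traversal are UDP services; ESP and AH are IP protocols
# 50 and 51, not TCP ports, so they are matched on PROTO with no port.
ACCEPT    net      $FW    udp     500      # IKE
ACCEPT    net      $FW    udp     4500     # NAT-T
ACCEPT    net      $FW    50               # ESP
ACCEPT    net      $FW    51               # AH
```

Shorewall also has an IPSEC column in the snat file for netkey setups (matching only packets that will, or will not, be encrypted), which is an alternative to the address exclusion; which form applies to a given release is exactly the kind of thing 'shorewall version' and 'shorewall check -T' output settle, so treat the column layout above as an assumption to verify rather than a drop-in fix. The tunnels entry "ipsec net 10.10.10.10" should already open IKE, ESP and AH for that peer, so the rules entries may turn out to be redundant; they are shown mainly to contrast protocol numbers with TCP ports.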