-----Original Message----- From: Tom Eastep
Sent: Wednesday, March 18, 2020 3:12 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall settings for IPSec & openVPN

On 3/17/20 2:39 PM, Andrey Andreev wrote:
Hi! I am attempting to configure an IPSec tunnel between LOCAL
(LibreSwan 3.29, Fedora 31, kernel 5.5.7) and REMOTE (Windows server).
Below are the distilled LAN & WAN IPs on both sides:

  LOCAL SIDE                                          REMOTE SIDE
  LAN range 12.12.12.12/29 - WAN 11.11.11.11   ~~~   10.10.10.10 WAN - 9.9.9.9 one LAN IP

The openVPN server is configured on the LOCAL SIDE for road warriors and
is working fine. Reading https://shorewall.org/IPSEC-2.6.html and
https://shorewall.org/IPSEC.htm I edited the Shorewall 5.2 config
files in order to add IPSec:

1. /etc/shorewall/zones

   sec    ipv4    # for IPSec vpn
   vpn    ipv4    # for openVPN

2. /etc/shorewall/hosts

   sec    enp2s0:9.9.9.9    ipsec    # the only LAN IP on remote side

3. /etc/shorewall/interfaces  -  no change in new kernels – ???

   net    enp2s0    dhcp,wait=10
   loc    eno1
   vpn    tun+

4. /etc/shorewall/tunnels

   openvpnserver:udp:1198    net    0.0.0.0/0      # for openVPN server
   ipsec                     net    10.10.10.10    # for IPsec: WAN IP on remote side

5. /etc/shorewall/snat

   SNAT(11.11.11.11)    0.0.0.0/0         enp2s0    # local server WAN IP (for openVPN)
   SNAT(!9.9.9.9)       12.12.12.12/29    enp2s0    # exclude IPSec traffic: 9.9.9.9 - the only LAN IP on remote side (for IPSec)
   ????                                             # exclude IPSec traffic: 12.12.12.12/29 - LAN IP range on the local side (for IPSec)

   The second line is not accepted – invalid IP 9.9.9.9.
   The examples touch the /etc/shorewall/masq file; I do not know what is
   correct to insert in /etc/shorewall/snat.

6. /etc/shorewall/policy

   $FW    vpn    ACCEPT
   loc    vpn    ACCEPT
   vpn    $FW    ACCEPT
   vpn    loc    ACCEPT
   loc    sec    ACCEPT
   sec    loc    ACCEPT
   sec    $FW    ACCEPT
   $FW    sec    ACCEPT
   net    sec    ACCEPT    -  is this needed ????

7. /etc/shorewall/rules

   ACCEPT    net    $FW    tcp    50
   ACCEPT    net    $FW    tcp    51
   ACCEPT    net    $FW    udp    500
   ACCEPT    net    $FW    udp    4500


Below is the LibreSwan config file with PFS, set according to the REMOTE
SIDE requirements, just in case:

config setup
    protostack=netkey
    ikeport=500
    nat-ikeport=4500
    secretsfile=/etc/ipsec.secrets

conn miel-am
    left=11.11.11.11
    right=10.10.10.10
    leftsubnet=12.12.12.12/29
    rightsubnet=9.9.9.9/32
    auto=start
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart
    keyingtries=%forever
    ikev2=no
    keyexchange=ike
    type=tunnel
    authby=secret
    ike=3des-sha1;modp1024
    phase2=esp
    phase2alg=3des-sha1;modp1024
    pfs=yes
    aggressive=no
    ikelifetime=36000
    salifetime=28800


Something is messed up. Could you use the red pen to correct my
Shorewall configuration?


I am afraid I can't be of much help without some additional information:

- The output of 'shorewall check -T' (you can obfuscate the IP address
  if you must, but I suspect that it might be the issue)
- The output of 'shorewall version' (Surprisingly, Shorewall has
  changed a lot over the 20 years that it has been in the field)

I suspect, however, that the error you are seeing has nothing to do
with your IPSec configuration.

-Tom
-- Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,           \    with an international standard?
Washington, USA      \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                     \________________________________________

Here is the output, no IPs in it to hide:

[root@server ~]# shorewall check -T
Checking using Shorewall 5.2.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/snat...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking /etc/shorewall/tunnels...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified

[root@server ~]# shorewall version
5.2.2

In /etc/shorewall/snat  line#2:

SNAT(!9.9.9.9)  12.12.12.12/29 enp2s0

is hashed; shorewall does not start with it.
I feel I am missing something. The documentation deals with old versions of the Linux kernel, while Fedora updates very often.
I will provide any other info which might be needed.
Thanks for your response.
Andrey
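As an added example (not from this thread or from the Shorewall project), a small Python check that parses the /etc/shorewall/snat entries discussed above and reports why the second one fails: the address inside SNAT(...) must be a plain address, so a '!' exclusion there is rejected. The third sample line, which moves the exclusion into the DEST column as enp2s0:!9.9.9.9, is my assumption about where such an exclusion belongs, based on the DEST column syntax in shorewall-snat(5); the thread does not confirm it.

```python
import ipaddress
import re

# Constructed /etc/shorewall/snat sample (ACTION SOURCE DEST): the thread's two lines plus
# a third with the exclusion moved into DEST (assumed placement, see lead-in).
SNAT_SAMPLE = """\
SNAT(11.11.11.11)   0.0.0.0/0        enp2s0            # local WAN IP (openVPN)
SNAT(!9.9.9.9)      12.12.12.12/29   enp2s0            # rejected: "invalid IP 9.9.9.9"
SNAT(11.11.11.11)   12.12.12.12/29   enp2s0:!9.9.9.9   # assumed placement of the exclusion
"""

ACTION_RE = re.compile(r"^(?P<name>[A-Z_+]+)(?:\((?P<args>[^)]*)\))?$")

def _valid_network(token):
    # True if token (optionally prefixed with '!') parses as an IP host or network.
    try:
        ipaddress.ip_network(token.lstrip("!"), strict=False)
    except ValueError:
        return False
    return True

def check_snat_entry(entry):
    """Return the problems found in one snat entry; an empty list means it parses cleanly."""
    fields = entry.split()
    m = ACTION_RE.match(fields[0]) if fields else None
    if len(fields) < 3 or not m:
        return [f"cannot parse entry (expected ACTION SOURCE DEST): {entry!r}"]
    _action, source, dest = fields[:3]
    problems = [f"SOURCE is not a valid network: {n!r}"
                for n in source.split(",") if not _valid_network(n)]
    _iface, _, excl = dest.partition(":")  # DEST is interface[:address-list]
    problems += [f"DEST address is not a valid network: {n!r}"
                 for n in excl.split(",") if n and not _valid_network(n)]
    if m.group("name") == "SNAT":
        # SNAT(...) names the address to translate TO; a '!' exclusion has no meaning here.
        for addr in (m.group("args") or "").split(","):
            if addr.startswith("!"):
                problems.append(f"'!' exclusion is not valid inside SNAT(): {addr}")
                addr = addr[1:]
            try:
                ipaddress.ip_address(addr.split(":")[0])  # ignore an optional :port-range
            except ValueError:
                problems.append(f"SNAT() address is not a valid IP: {addr!r}")
    return problems

def check_snat_file(text):
    """Map 1-based line number -> problems for every non-comment entry that has any."""
    entries = ((n, raw.split("#", 1)[0].strip()) for n, raw in enumerate(text.splitlines(), 1))
    return {n: p for n, e in entries if e and (p := check_snat_entry(e))}
```

Running check_snat_file(SNAT_SAMPLE) flags only line 2, with the '!' inside SNAT() as the reason.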

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users