-----Original Message-----
From: Tom Eastep
Sent: Wednesday, March 18, 2020 8:25 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall settings for IPSec & openVPN

On 3/18/2020 11:01 AM, Andrey Andreev wrote:
As I have explained, shorewall does not start with this line in SNAT
unhashed. The error shown with 'systemctl shorewall status' after
unsuccessful shorewall restart is something like:
.... cannot start, unrecognized record in /etc/shorewall/snat line #...
The record was even listed: SNAT(!==IP==).
I am afraid to repeat this situation again as the connection may die out
and I should run to the place to fix it.

The IPSec tunnel is working, I presume; the 'ipsec whack --status' connection
list shows:
  Total IPsec connections: loaded 1, active 1
The tunnel is not routed to the LAN IP range however.

Simply uncomment the record and run 'shorewall check'. Since the message
refers to a particular line in the snat file, it has to be coming from
the compiler. And if 'shorewall check' doesn't produce the message, then
try 'shorewall compile foo'.

And be sure to comment the record after testing.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                     \________________________________________

Done. Uncommented line is:
SNAT(!10.30.14.17)    192.168.126.200/29    enp2s0   # exclude IPSec traffic

10.30.14.17         - LAN IP of the far end IPSec server, behind NAT
192.168.126.200/29  - LAN IP range behind my IPSec server

[root@server ~]# shorewall check
Checking using Shorewall 5.2.2...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/snat...
WARNING: Interface enp2s0 entry generated no iptables rule /etc/shorewall/snat (line 11)
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking /etc/shorewall/tunnels...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Shorewall configuration verified

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users