-----Original Message----- From: Tom Eastep
Sent: Wednesday, March 18, 2020 10:31 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Shorewall settings for IPSec & openVPN

On 3/18/20 1:13 PM, Andrey Andreev wrote:
I am beginning to get it; it is the waterfall situation. So I have to
change the line order to:

/etc/shorewall/snat
SNAT(!9.9.9.9)  12.12.12.12/29 enp2s0       # exclude IPSec traffic: 9.9.9.9
SNAT(11.11.11.11)    0.0.0.0/0  enp2s0       # local server WAN IP

Tomorrow will test it at the site.
What is the effect of line 1 above: "All traffic only from LAN range
12.12.12.12/29 going out of enp2s0 will have its source changed to 'not
9.9.9.9' " ??
LAN range 12.12.12.12/29 needs IPSec & internet, what happens to the
outgoing traffic which should not be tunneled?

The effect will be that you will get an error:

ERROR: Invalid IP Address (!9.9.9.9) /etc/shorewall/snat (line 10)

I had overlooked that you were using address exclusion.

What are you trying to accomplish? If you don't want IPSEC traffic to be
SNATed, the proper thing is to have this single rule:

SNAT(11.11.11.11) 0.0.0.0/0   enp2s0

By default, Shorewall creates an iptables rule that excludes IPSEC
traffic, unless you have something other than '-' in the IPSEC column.

-Tom
--
Tom Eastep        \ Q: What do you get when you cross a mobster
Shoreline,         \    with an international standard?
Washington, USA     \ A: Someone who makes you an offer you
http://shorewall.org \    can't understand
                     \________________________________________
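As an added illustration (not Shorewall's own code, and not from either poster): a small Python checker that mimics the two points made above. It rejects an exclusion in the ADDRESS column with the same error text Shorewall prints, and for a valid line whose IPSEC column is left at '-' it renders an approximate iptables rule carrying the policy match that keeps IPsec-bound traffic un-SNATed. The file contents are constructed from the messages in this thread, and the rendered iptables command is an assumption about what Shorewall emits rather than its real output.

```python
import ipaddress
import re

# Constructed from the thread: Andrey's two-line snat file and Tom's single
# line. Columns follow shorewall-snat(5): ACTION SOURCE DEST [IPSEC] ('-').
BROKEN_SNAT = """\
SNAT(!9.9.9.9)  12.12.12.12/29 enp2s0       # exclude IPSec traffic: 9.9.9.9
SNAT(11.11.11.11)    0.0.0.0/0  enp2s0       # local server WAN IP
"""
FIXED_SNAT = "SNAT(11.11.11.11) 0.0.0.0/0   enp2s0\n"

_ACTION = re.compile(r"^SNAT\((?P<addr>[^)]+)\)$")

def parse_snat(text, path="/etc/shorewall/snat"):
    """Return (rules, errors); each rule is (address, source, dest, ipsec).
    The ADDRESS inside SNAT(...) must be a plain address, so an exclusion
    like '!9.9.9.9' is reported the way Shorewall reports it."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        cols = line.split()
        m = _ACTION.match(cols[0])
        if not m or len(cols) < 3:
            errors.append(f"ERROR: Invalid snat entry {path} (line {lineno})")
            continue
        addr = m.group("addr")
        try:
            ipaddress.ip_address(addr)           # '!9.9.9.9' fails here
        except ValueError:
            errors.append(f"ERROR: Invalid IP Address ({addr}) {path} (line {lineno})")
            continue
        ipsec = cols[3] if len(cols) > 3 else "-"
        rules.append((addr, cols[1], cols[2], ipsec))
    return rules, errors

def to_iptables(rules):
    """Render each rule as a nat POSTROUTING command. Assumption: this is an
    approximation of what Shorewall emits, not its real output. With IPSEC
    left at '-', the policy match restricts the rule to packets with no
    outbound IPsec policy, so traffic bound for the tunnel keeps its source."""
    cmds = []
    for addr, src, dest, ipsec in rules:
        parts = ["-t", "nat", "-A", "POSTROUTING", "-s", src, "-o", dest]
        if ipsec == "-":
            parts += ["-m", "policy", "--dir", "out", "--pol", "none"]
        parts += ["-j", "SNAT", "--to-source", addr]
        cmds.append("iptables " + " ".join(parts))
    return cmds
```

On a live box the equivalent check is `iptables -t nat -L POSTROUTING -v -n`, where the SNAT rule should show the `policy match dir out pol none` qualifier.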

I followed the instructions (see attached screenshot) in https://shorewall.org/IPSEC.htm
/etc/shorewall/masq - System A
#INTERFACE            SOURCE                ADDRESS
eth0:!10.0.0.0/8      192.168.1.0/24

And decided that eth0:!9.9.9.9 ==> SNAT(!9.9.9.9)

There are no IPSec examples in the snat paper at https://shorewall.org/manpages/shorewall-snat.html
Sorry for my "monkey" action.
So I will leave in snat file just this single line:
SNAT(11.11.11.11) 0.0.0.0/0   enp2s0

Thanks for the help!

Andrey
