[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?
garyng2000 at yahoo.com
Thu Dec 18 15:18:07 PST 2003
I am trying to set up a machine which has one public static IP running shorewall as a hub/relay for openvpn+ipsec (I will try to explain why I need two) serving a number of road warriors.

The machine is rented from a VDS (virtual dedicated server) provider running UML. If I just run ipsec or openvpn, the machine is an end point (things get decrypted at that point before routing) and is subject to sniffing by the provider (though the chance is remote).

So I use openvpn to create a first-level VPN (10.0.1.0/24), which is quite simple as this is essentially a 2+ interface setup (eth0, tap*). The road warriors, once they have established a connection to openvpn on the server, are on the 10.0.1.0/24 sub-net. BTW, is there a way to simplify the policy/rules such that I don't have to say tap0, tap1, tap2 ... and just give it a range like 10.0.1.0/24?

If they want to establish an ipsec tunnel among them, it should be pretty straightforward too.

Now I can have an ipsec VPN on top of the openvpn VPN and things are running as expected.

The part that I don't know how to do is to run a freeswan gateway behind this public server (connected through openvpn as, say, 10.0.1.10) such that when any machine wants to start an ipsec tunnel to the public IP address (say 22.214.171.124), it would be directed to 10.0.1.10. I can DNAT the two ports for authentication/encryption (50, 500?) to 10.0.1.10, but is that all I need? How about having 10.0.1.10 initiate an ipsec tunnel to other machines on the internet? Since this (10.0.1.10) needs SNAT, and it seems that freeswan does not like NAT (in both directions?) very much.

Thanks for any pointers/suggestions in advance.
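An added configuration sketch (not from the poster or the Shorewall project) of the layout the post describes: a public `net` zone on eth0, a `vpn` zone covering every OpenVPN tap interface through Shorewall's `tap+` interface wildcard, masquerading of the 10.0.1.0/24 clients, and DNAT of IKE, NAT-T and ESP arriving at the public address to the FreeS/WAN gateway at 10.0.1.10. The zone names, the 4500/udp entry and the OpenVPN listening port are assumptions; 22.214.171.124, 10.0.1.0/24 and 10.0.1.10 come from the post.

```text
# /etc/shorewall/zones   (zone names are assumed)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet, single public IP on eth0
vpn     VPN       OpenVPN road warriors, 10.0.1.0/24

# /etc/shorewall/interfaces
# "tap+" matches tap0, tap1, tap2 ..., so no per-tunnel entries are needed
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
vpn     tap+        -

# /etc/shorewall/policy
# road warriors may reach each other (so IPsec between them works) and the Internet;
# unsolicited traffic from the Internet is dropped and logged
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       vpn    ACCEPT
vpn       net    ACCEPT
vpn       fw     ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq
# VPN clients leave via the public address; this is the SNAT the post worries about
#INTERFACE   SUBNET
eth0         10.0.1.0/24

# /etc/shorewall/rules
# Forward the IPsec components that arrive at 22.214.171.124 to the FreeS/WAN gateway:
# 500/udp = IKE, 4500/udp = NAT-Traversal (assumed to be needed, see the note below),
# IP protocol 50 = ESP (no port, so it is forwarded as a whole protocol)
#ACTION   SOURCE   DEST             PROTO   DEST PORT(S)
DNAT      net      vpn:10.0.1.10    udp     500
DNAT      net      vpn:10.0.1.10    udp     4500
DNAT      net      vpn:10.0.1.10    50
# OpenVPN itself terminates on the firewall; 5000/udp is the OpenVPN 1.x default,
# adjust it to the port in your openvpn config (assumed value)
ACCEPT    net      fw               udp     5000
```

Inbound ESP can be DNATed as a raw protocol, but tunnels that 10.0.1.10 initiates go out through the masq line, and ESP carries no port for the NAT to rewrite, so those peers need NAT-T (UDP 4500 encapsulation, supported on both 10.0.1.10 and the far end) rather than plain ESP.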