[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?

gary ng garyng2000 at yahoo.com
Thu Dec 18 15:18:07 PST 2003


I am trying to set up a machine which has one public
static ip, running shorewall as a hub/relay for
openvpn+ipsec (I will try to explain why I need two),
serving a number of road warriors.

The machine is rented from a VDS (virtual dedicated
server) provider running UML. If I just run ipsec or
openvpn, the machine is an end point (things get
decrypted at that point before routing) and is
subject to sniffing by the provider (though the
chance is remote).

So I use openvpn to create a first level
VPN (which is quite simple, as this is
essentially a 2+ interface setup (eth0, tap*)). Once the road
warriors have established a connection to openvpn on
the server, they are on the sub-net. BTW,
is there a way to simplify the policy/rules such that
I don't have to say tap0, tap1, tap2 ... and just give
it a range like ?

If they want to establish an ipsec tunnel among them,
it should be pretty straightforward too.

Now I can have an ipsec VPN on top of openvpn VPN and
things are running as expected.

The part that I don't know how to do is to run a
freeswan gateway behind this public server (connected
through openvpn as say such that when any
machine wants to start an ipsec tunnel to the public
ip address (say, it would be directed to I can DNAT the two ports for
authentication/encryption (50, 500?) to but is
that all I need? How about having initiate an
ipsec tunnel to other machines on the internet? Since
this ( needs SNAT, and it seems that freeswan
does not like NAT (in both directions?) very much.

Thanks for any pointers/suggestions in advance.
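A worked Shorewall configuration for the relay layout described in the question, added here as an illustration and not part of the original message or of Shorewall's own documentation. The zone name vpn, the tap+ wildcard, and the addresses 203.0.113.10 (the relay's public address) and 10.8.0.2 (the freeswan gateway reached over openvpn) are assumed values. It also covers the point the "two ports" question skips: ESP is IP protocol 50 and has no port, IKE is UDP 500, a peer behind NAT needs NAT Traversal on UDP 4500, and AH (protocol 51) cannot cross NAT at all.

```text
# /etc/shorewall/interfaces  (assumed zone and interface names)
# A "+" wildcard covers tap0, tap1, tap2, ... in one line.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
vpn     tap+        detect

# /etc/shorewall/rules
# Forward IKE and ESP arriving at the public address to the freeswan
# gateway behind the relay. ESP (protocol 50) is port-less, so it is
# matched by protocol number, not by port. UDP 4500 carries ESP
# encapsulated in UDP for peers that negotiate NAT traversal.
#ACTION  SOURCE  DEST            PROTO  DEST_PORT(S)
DNAT     net     vpn:10.8.0.2    udp    500
DNAT     net     vpn:10.8.0.2    udp    4500
DNAT     net     vpn:10.8.0.2    50
# AH (protocol 51) authenticates the IP header itself, so a tunnel
# using AH breaks as soon as either address is rewritten; peers behind
# this relay must use ESP, with NAT-T where the far side needs it.

# /etc/shorewall/masq
# Tunnels the inner gateway initiates outward leave with the public
# address; this is the SNAT side the question asks about.
#INTERFACE  SUBNET      ADDRESS
eth0        10.8.0.2    203.0.113.10
```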


