[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?

Tom Eastep teastep at shorewall.net
Thu Dec 18 16:46:41 PST 2003


On Thu, 18 Dec 2003, gary ng wrote:

> BTW, is there a way to simplify the policy/rules such that I don't have
> to say tap0, tap1, tap2 ... and just give it a range like 10.0.1.0/24 ?

You can use 'tap+' to refer to all tap devices any place that an interface
name is allowed in Shorewall config files.

>
> If they want to establish an ipsec tunnel among them,
> it should be pretty straight forward too.
>
> Now I can have an ipsec VPN on top of openvpn VPN and
> things are running as expected.
>
> The part that I don't know how to do is to run a
> freeswan gateway behind this public server (connected
> through openvpn as say 10.0.1.10) such that when any
> machine wants to start an ipsec tunnel to the public
> ip address (say 69.56.237.100), it would be directed to
> 10.0.1.10. I can DNAT the two ports for
> authentication/encryption (50,500?) to 10.0.1.10 but is
> that all I need? How about having 10.0.1.10 initiate
> ipsec tunnel to other machines on the internet? Since
> this (10.0.1.10) needs SNAT and it seems that freeswan
> does not like NAT (both directions?) very much.
>
> thanks for any pointers/suggestion in advance.
>

Can you draw us some ASCII art? I'm confused about your network topology.

Thanks,
-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
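Added illustration (not part of the original message, not Tom's configuration): the 'tap+' wildcard from the reply above, shown in 1.4-era Shorewall column layout. The zone name "vpn", the OpenVPN port 5000 and the 10.0.1.0/24 range from the question are assumptions; check the column headers against the comments in your own /etc/shorewall files.

```text
# /etc/shorewall/zones  -- a single zone for every OpenVPN tap device
#ZONE   DISPLAY   COMMENTS
vpn     VPN       OpenVPN clients (tap0, tap1, tap2, ... via tap+)

# /etc/shorewall/interfaces  -- one line instead of one per tapN
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
vpn     tap+        detect

# Alternative, if the zone should be limited to the 10.0.1.0/24 range
# rather than "anything that arrives on a tap device":
# in /etc/shorewall/interfaces use "-" as the zone for tap+
#-      tap+        detect
# and define the zone membership in /etc/shorewall/hosts
#ZONE   HOST(S)               OPTIONS
#vpn    tap+:10.0.1.0/24

# /etc/shorewall/policy  -- default between zones; net->vpn is closed
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       fw     ACCEPT
fw        vpn    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules  -- only the OpenVPN listener is exposed to net
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT    net      fw     udp     5000      # port assumed; use your openvpn config value
```

The wildcard matches every interface whose name starts with "tap", so a tap device added later is covered without editing the rules; the hosts-file variant is the tighter choice when the tap range is known.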

