[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?

Tom Eastep teastep at shorewall.net
Thu Dec 18 16:46:41 PST 2003

On Thu, 18 Dec 2003, gary ng wrote:

> BTW, is there a way to simplify the policy/rules such that I don't have
> to say tap0, tap1, tap2 ... and just give it a range like ?

You can use 'tap+' to refer to all tap devices any place that an interface
name is allowed in Shorewall config files.

> If they want to establish an ipsec tunnel among them,
> it should be pretty straight forward too.
> Now I can have an ipsec VPN on top of openvpn VPN and
> things are running as expected.
> The part that I don't know how to do is to run an
> freeswan gateway behind this public server(connected
> through openvpn as say such that when any
> machine wants to start an ipsec tunnel to the public
> ip address(say, it would be directed to
> I can DNAT the two ports for
> authentication/encryption(50,500?) to but is
> that all I need? How about having initiate
> ipsec tunnel to other machines on the internet ? Since
> this( needs SNAT and it seems that freeswan
> does not like NAT(both direction?) very much.
> thanks for any pointers/suggestion in advance.

Can you draw us some ASCII art? I'm confused about your network topology.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
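As an added illustration of the 'tap+' wildcard (constructed here, not part of the original thread), the per-interface lines collapse into one. Shorewall 1.4 column layout is used; the zone name 'vpn' and the interface names are assumptions:

```text
# /etc/shorewall/zones (assumed zone for the OpenVPN tunnels)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
vpn     VPN       OpenVPN tap devices

# /etc/shorewall/interfaces, without the wildcard: one line per tap device.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
vpn     tap0        -
vpn     tap1        -
vpn     tap2        -

# /etc/shorewall/interfaces, with the wildcard: every present and future
# tapN is placed in the 'vpn' zone, so no edit is needed when a tunnel is added.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918,routefilter
vpn     tap+        -

# /etc/shorewall/policy: one row per zone pair now covers all tap devices,
# so keep 'vpn' as its own zone rather than folding the tunnels into 'net'.
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       fw     ACCEPT
vpn       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info
```

Because every tap device shares the same zone, the 'vpn' policy and rules apply to all tunnels at once; a tunnel that needs different treatment gets its own zone and an explicit interface line instead of the wildcard.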
