[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?
teastep at shorewall.net
Thu Dec 18 16:46:41 PST 2003
On Thu, 18 Dec 2003, gary ng wrote:
> BTW, is there a way to simplify the policy/rules such that I don't have
> to say tap0, tap1, tap2 ... and just give it a range like 10.0.1.0/24?
You can use 'tap+' to refer to all tap devices any place that an interface
name is allowed in Shorewall config files.
> If they want to establish an ipsec tunnel among them,
> it should be pretty straight forward too.
> Now I can have an ipsec VPN on top of openvpn VPN and
> things are running as expected.
> The part that I don't know how to do is to run a
> freeswan gateway behind this public server (connected
> through openvpn as, say, 10.0.1.10) such that when any
> machine wants to start an ipsec tunnel to the public
> ip address (say 188.8.131.52), it would be directed to
> 10.0.1.10. I can DNAT the two ports for
> authentication/encryption (50, 500?) to 10.0.1.10, but is
> that all I need? How about having 10.0.1.10 initiate an
> ipsec tunnel to other machines on the internet? Since
> this (10.0.1.10) needs SNAT, and it seems that freeswan
> does not like NAT (in both directions?) very much.
> thanks for any pointers/suggestion in advance.
Can you draw us some ASCII art? I'm confused about your network topology.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
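The 'tap+' wildcard from Tom's answer, written out as a set of Shorewall config fragments. This is an added example, not part of the list post and not the Shorewall project's own sample files; it uses the 1.4-era column layout that was current at the time of this thread, and the zone name `vpn`, the `eth0` uplink, the ssh rule and the OpenVPN listener port are assumptions (adjust the port to whatever your OpenVPN instances actually bind to).

```text
# /etc/shorewall/zones      (columns: ZONE  DISPLAY  COMMENTS)
net     Net     Internet
vpn     VPN     OpenVPN peers (assumed zone name)

# /etc/shorewall/interfaces (columns: ZONE  INTERFACE  BROADCAST  OPTIONS)
# 'tap+' matches tap0, tap1, tap2 ... : the trailing '+' is handed to
# iptables unchanged as a prefix wildcard (-i tap+ / -o tap+).
# BROADCAST is '-' because there is no single device to run 'detect' on.
net     eth0    detect  routefilter
vpn     tap+    -

# /etc/shorewall/policy     (columns: SOURCE  DEST  POLICY  LOG LEVEL)
# vpn->vpn ACCEPT is what makes the box a hub: traffic arriving on tap0
# and leaving on tap1 (including ESP/IKE between two peers) is forwarded.
# If several peers ever share ONE tap device, add 'routeback' to that
# interface's OPTIONS, since the packet then leaves the way it came in.
vpn     vpn     ACCEPT
vpn     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules      (columns: ACTION  SOURCE  DEST  PROTO  DEST PORT(S))
# ssh to the hub only from inside the VPN (assumption)
ACCEPT  vpn     fw      tcp     22
# the OpenVPN listener itself; 5000 is assumed, use your configured port
ACCEPT  net     fw      udp     5000
```

The wildcard is accepted anywhere an interface name is, so the same `tap+` also works in the SOURCE/DEST columns of the rules file as `vpn:tap+` or in the hosts file if the tap devices are later split across zones. It does not replace the `10.0.1.0/24` range the question asks for; it matches on the device name, so a packet with a spoofed 10.0.1.x source arriving on eth0 still lands in the `net` zone, which is the behaviour you want.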