[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?

gary ng garyng2000 at yahoo.com
Thu Dec 18 18:27:34 PST 2003


> You can use 'tap+' to refer to all tap devices any
> place that an interface
> name is allowed in Shorewall config files.
thanks and below is the topology which hopefully
you can understand.

                      
rest of the   <------------------------|
world         <   internet             |
              <                        V  
ipsec gateway <------------------->  hub/shorewall 
    ^        \__openvpn(UDP 5000)__/(69.56.237.100)
    |           (10.0.1.10 )            |
    |                                   | 
    V                                   |
    ------------------------------------|
  (forward all ipsec stuff to 10.0.1.10
   which is tunneled through openvpn and 
   vice versa)

the only public static ip is 69.56.237.100

--- Tom Eastep <teastep at shorewall.net> wrote:
> On Thu, 18 Dec 2003, gary ng wrote:
> 
> > BTW, is there a way to simplify the policy/rules
> such that I don't have
> > to say tap0, tap1, tap2 ... and just give it a
> range like 10.0.1.0/24 ?
> 
> You can use 'tap+' to refer to all tap devices any
> place that an interface
> name is allowed in Shorewall config files.
> 
> >
> > If they want to establish an ipsec tunnel among
> them,
> > it should be pretty straight forward too.
> >
> > Now I can have an ipsec VPN on top of openvpn VPN
> and
> > things are running as expected.
> >
> > The part that I don't know how to do is to run an
> > freeswan gateway behind this public
> server(connected
> > through openvpn as say 10.0.1.10) such that when
> any
> > machine wants to start an ipsec tunnel to the
> public
> > ip address(say 69.56.237.100), it would be
> directed to
> > 10.0.1.10. I can DNAT the two ports for
> > authentication/encryption(50,500?) to 10.0.1.10
> but is
> > that all I need? How about having 10.0.1.10
> initiate
> > ipsec tunnel to other machines on the internet ?
> Since
> > this(10.0.1.10) needs SNAT and it seems that
> freeswan
> > does not like NAT(both direction?) very much.
> >
> > thanks for any pointers/suggestion in advance.
> >
> 
> Can you draw us some ASCII art? I'm confused about
> your network topology.
> 
> Thanks,
> -Tom
> --
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep at shorewall.net
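The hub-side Shorewall configuration that the thread is circling around, written out as an added example (not code from Gary, Tom or the Shorewall project). It assumes the 1.4-era column layout, an external interface named `eth0`, and zone names `net` and `vpn` chosen here; the addresses and the OpenVPN port are the ones given in the topology above. It shows Tom's `tap+` wildcard standing in for every tap device in the interfaces file, and the two DNAT rules (IKE on UDP 500, ESP as IP protocol 50) that hand IPsec arriving at 69.56.237.100 over the tunnel to the FreeS/WAN gateway at 10.0.1.10.

```text
# /etc/shorewall/zones  (zone names are assumptions for this example)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet
vpn     VPN       OpenVPN tap clients (10.0.1.0/24)

# /etc/shorewall/interfaces  (eth0 is an assumed external interface name)
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
# 'tap+' matches tap0, tap1, tap2 ... so each new client needs no new line
vpn     tap+        -

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
#ACTION   SOURCE   DEST            PROTO   DEST PORT(S)
# OpenVPN itself terminates on the hub (the firewall zone, fw)
ACCEPT    net      fw              udp     5000
# IKE negotiation and ESP traffic arriving at the public address are
# rewritten to the FreeS/WAN gateway behind the OpenVPN tunnel
DNAT      net      vpn:10.0.1.10   udp     500
DNAT      net      vpn:10.0.1.10   esp

# /etc/shorewall/masq
# Outbound traffic from the tunnel clients, including tunnels that
# 10.0.1.10 initiates, leaves with the hub's public address
#INTERFACE   SUBNET
eth0         10.0.1.0/24
```

Two things worth checking before relying on this. ESP in tunnel mode survives the address rewrite because only the outer IP header changes, but AH (protocol 51) authenticates that header and will fail integrity checks after any NAT, so the inner gateway should be configured for ESP only. Separately, IKE peers usually identify themselves by IP address by default; the remote side will be talking to 69.56.237.100 while 10.0.1.10 sees itself as 10.0.1.10, so the gateway behind the hub needs a non-address identity (a FQDN-style ID) or the negotiation will fail even though the packets are being forwarded correctly. A simple way to confirm the forwarding itself is to watch the `DNAT` counters in `shorewall show nat` while a peer attempts to connect.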

