[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?

Tom Eastep teastep at shorewall.net
Fri Dec 19 11:27:47 PST 2003


On Thursday 18 December 2003 06:27 pm, gary ng wrote:
> > You can use 'tap+' to refer to all tap devices any
> > place that an interface
> > name is allowed in Shorewall config files.
>
> thanks and below is the topology which hopefully
> you can understand.
>
>
> rest of the   <------------------------|
> world         <   internet             |
>               <                        V
> ipsec gateway <------------------->  hub/shorewall
>     ^        \__openvpn(UDP 5000)__/(69.56.237.100)
>     |           (10.0.1.10 )            |
>     V                                   |
>     ------------------------------------|
>   (forward all ipsec stuff to 10.0.1.10
>    which is tunneled through openvpn and
>    vice versa)
>
> the only public static ip is 69.56.237.100
>

I'm still lost. 

In general, you can use DNAT on ipsec provided that you are using ESP 
(protocol 50) rather than AH (protocol 51). 

The means for doing so are documented at http://www.shorewall.net/VPN.htm.

Hope that helps. If not, I would post on shorewall-users at lists.shorewall.net 
-- there are likely to be more folks there that are knowledgeable regarding 
VPN than on this list.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
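The DNAT approach Tom points to, written out as Shorewall configuration: this is an added example, not part of the original thread or of the Shorewall project's documentation. It assumes the OpenVPN tap interface is placed in a zone named `vpn` (the `tap+` wildcard from earlier in the thread) and that the IPsec gateway is reached as 10.0.1.10 through that tunnel; the zone name `vpn` and the interface option choices are assumptions. Only ESP (protocol 50) and the IKE exchange are forwarded; AH (protocol 51) is shown commented out because its integrity check covers the IP addresses, so any address rewrite breaks authentication, which is why the advice above is ESP-only.

```conf
# /etc/shorewall/zones  (added example; zone name "vpn" is an assumption)
#ZONE   TYPE
fw      firewall
net     ipv4
vpn     ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     eth0        routefilter
vpn     tap+        -

# /etc/shorewall/rules
#ACTION   SOURCE   DEST             PROTO   DEST PORT(S)
# IKE negotiation from the Internet, handed to the IPsec gateway behind the tunnel
DNAT      net      vpn:10.0.1.10    udp     500
# ESP (protocol 50): safe to DNAT, the outer IP header is not authenticated by ESP
DNAT      net      vpn:10.0.1.10    50
# AH (protocol 51) cannot be DNATed: its ICV includes the destination address,
# so the peer would reject every rewritten packet. Left disabled on purpose.
#DNAT     net      vpn:10.0.1.10    51
```

Reply traffic from 10.0.1.10 back to the Internet peer follows the connection-tracking entry created by the DNAT rule, so no separate rule is needed for the return direction. If the remote peer uses NAT traversal, IKE moves to UDP 4500 after the initial exchange and that port needs the same `DNAT` line as 500.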