[Shorewall-newbies] shorewall as a 'hub/relay' for openvpn/ipsec ?

gary ng garyng2000 at yahoo.com
Fri Dec 19 12:26:00 PST 2003


I may have complicated the matter. I have done some
more reading about IPSEC and it seems that it is UDP
500, and protocol 50,51(ESP,AH) that needs to be
DNATed to my machine of choice. Is this the equivalent
of 'ipsec passthru' that people are talking about ?

I was thinking about DMZ( that is every incoming
packet to eth0:69.56.237.100 will be forwarded to
10.0.1.10) which is pretty standard like a 2 NIC
setup(eth0,eth1). The only difference seems to be that
it is (eth0,tap+) instead and tap+ still depends on
eth0(running on top of it through UDP 5000+).

So it becomes, how would I specify the rules which
essentially means :

For all packets coming from eth0, forward to tap0(this
becomes the DMZ server) EXCEPT UDP 5000 which nothing
should be done as the openvpn daemon on the firewall
machine would handle it.

--- Tom Eastep <teastep at shorewall.net> wrote:
> On Thursday 18 December 2003 06:27 pm, gary ng
> wrote:
> > > You can use 'tap+' to refer to all tap devices
> any
> > > place that an interface
> > > name is allowed in Shorewall config files.
> >
> > thanks and below is the topology which hopefully
> > you can understand.
> >
> >
> > rest of the   <------------------------|
> > world         <   internet             |
> >               <                        V
> > ipsec gateway <------------------->  hub/shorewall
> >     ^        \__openvpn(UDP 5000)__/(69.56.237.100)
> >
> >     |           (10.0.1.10 )            |
> >
> >     V                                   |
> >     ------------------------------------|
> >   (forward all ipsec stuff to 10.0.1.10
> >    which is tunneled through openvpn and
> >    vice versa)
> >
> > the only public static ip is 69.56.237.100
> >
> 
> I'm still lost. 
> 
> In general, you can use DNAT on ipsec provided that
> you are using ESP 
> (protocol 50) rather than AH (protocol 51). 
> 
> The means for doing so are documented at
> http://www.shorewall.net/VPN.htm.
> 
> Hope that helps. If not, I would post on
> shorewall-users at lists.shorewall.net 
> -- there are likely to be more folks there that are
> knowledgeable regarding 
> VPN than on this list.
> 
> -Tom
> -- 
> Tom Eastep    \ Nothing is foolproof to a
> sufficiently talented fool
> Shoreline,     \ http://shorewall.net
> Washington USA  \ teastep at shorewall.net
> 
> 
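For readers trying to express the rule set gary describes ("everything from eth0 goes to the box behind tap0, except UDP 5000, which the firewall's own openvpn daemon handles"), the following is an added illustration, not configuration from this thread or from the Shorewall project. It assumes Shorewall 1.4-era file layouts, a zone named `net` on eth0 and a zone named `vpn` on the `tap+` interfaces, that the OpenVPN tunnel carries 10.0.1.0/24, and that the IPsec gateway behind the tunnel is 10.0.1.10 as in the diagram.

```text
# /etc/shorewall/zones   (assumed zone names)
#ZONE   DISPLAY   COMMENTS
net     Net       Internet on eth0
vpn     VPN       OpenVPN tap clients (10.0.1.0/24)

# /etc/shorewall/interfaces
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      routefilter
vpn     tap+        -

# /etc/shorewall/policy
#SOURCE   DEST   POLICY   LOG LEVEL
vpn       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/masq
# Replies and tunnel-originated traffic leave eth0 with the public address.
#INTERFACE   SUBNET
eth0         10.0.1.0/24

# /etc/shorewall/rules
#ACTION   SOURCE   DEST             PROTO   DEST PORT(S)
# OpenVPN terminates on the firewall itself: accept to fw, never DNAT it.
ACCEPT    net      fw               udp     5000
# IKE (UDP 500) and ESP (protocol 50) are forwarded to the IPsec gateway.
DNAT      net      vpn:10.0.1.10    udp     500
DNAT      net      vpn:10.0.1.10    50
# AH (protocol 51) is deliberately absent: AH authenticates the outer IP
# header, so a DNATed AH packet fails its integrity check at the receiver.
```

Two caveats go with this. First, as Tom notes, only ESP survives the address rewrite; AH cannot be DNATed, so a peer that insists on AH will not work through this setup. Second, if the remote peers use NAT traversal, IKE switches to UDP 4500 after detecting NAT, and that port would need the same `DNAT net vpn:10.0.1.10 udp 4500` treatment (an assumption about the peers' configuration, not something stated in the thread). The `masq` entry is what makes the "vice versa" direction in the diagram work for connections the 10.0.1.10 side initiates; replies to DNATed connections are handled by connection tracking without it.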

