[Shorewall-newbies] VPN FYI
teastep at shorewall.net
Sun Mar 7 14:07:41 PST 2004
On Sun, 7 Mar 2004, Skip wrote:
> This is for anyone having trouble with a VPN behind Shorewall.
> I had been working on trying to get a VPN behind Shorewall to work for
> two days.
> Network was setup as 192.168.1.0/24
> Tried everything in the book to get it to work, nothing was working.
> I did a snoop on eth0 and the VPN was trying to go to 192.168.101.1,
> don't know if this was due to the firewall on the other end having
> 192.168.101.1 on qfe2 or what.
> So I changed the network behind Shorewall to 192.168.254.0/24
> DNAT net:checkpoint-firewall loc:192.168.254.2 esp -
> DNAT net:checkpoint-firewall loc:192.168.254.2 ah -
That line is unnecessary since AH doesn't work through NAT.
> DNAT net:checkpoint-firewall loc:192.168.254.2 udp isakmp
> VPN came up and started working.
> I am sending this as an FYI so that someone else won't have to pull their
> hair out like I did.
Too bad you didn't check the Shorewall documentation -- in the
Documentation index under "VPN" is a link entitled "IPSEC/PPTP passthrough
from a system behind your firewall to a remote network". The above rules
are listed on that page.
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
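Why the AH DNAT rule can never work, as an added illustration that is not part of this thread: a toy model of the AH and ESP integrity checks. AH's ICV covers the outer IP addresses, so when Shorewall rewrites the destination to the inside host (192.168.254.2, from Skip's rules) the check fails on arrival; ESP's ICV covers only the ESP header and payload, so it survives. The key, the public firewall address and the payload are constructed demo values, and HMAC-SHA256 stands in for whatever integrity algorithm the real tunnel negotiates.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

IPPROTO_ESP, IPPROTO_AH = 50, 51


@dataclass(frozen=True)
class IPv4Header:
    src: str
    dst: str
    ttl: int
    protocol: int
    ident: int = 0x1234
    total_length: int = 0


def ah_covered_bytes(hdr: IPv4Header, payload: bytes) -> bytes:
    """AH (RFC 4302): ICV is computed over the IP header with mutable fields
    (TOS, flags/offset, TTL, checksum) zeroed. src/dst are immutable and so
    are covered. Simplified: DF flag treated as zeroed as well."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, hdr.total_length, hdr.ident,
                     0, 0, hdr.protocol, 0,
                     socket.inet_aton(hdr.src), socket.inet_aton(hdr.dst))
    return ip + payload


def esp_covered_bytes(hdr: IPv4Header, payload: bytes) -> bytes:
    """ESP (RFC 4303): ICV covers only the ESP header + payload, never the
    outer IP header, so address rewriting is invisible to it."""
    return payload


def icv(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:12]  # truncated tag


def dnat(hdr: IPv4Header, new_dst: str) -> IPv4Header:
    """What the firewall's DNAT rule does: rewrite dst (and decrement TTL)."""
    return replace(hdr, dst=new_dst, ttl=hdr.ttl - 1)


def survives_nat(mode: str, key: bytes, hdr: IPv4Header, payload: bytes,
                 inside_host: str) -> bool:
    cover = ah_covered_bytes if mode == "ah" else esp_covered_bytes
    tag = icv(key, cover(hdr, payload))          # sender computes the ICV
    arrived = dnat(hdr, inside_host)             # Shorewall rewrites dst
    return hmac.compare_digest(icv(key, cover(arrived, payload)), tag)


# Constructed demo values: a packet from the remote gateway to the public
# address of the Shorewall box, to be DNATed to the inside VPN host.
DEMO_KEY = b"constructed-demo-key"
DEMO_PAYLOAD = b"constructed encapsulated packet"
DEMO_AH = IPv4Header("203.0.113.10", "198.51.100.1", 64, IPPROTO_AH)
DEMO_ESP = IPv4Header("203.0.113.10", "198.51.100.1", 64, IPPROTO_ESP)
```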