[Shorewall-newbies] VPN FYI

Tom Eastep teastep at shorewall.net
Sun Mar 7 14:07:41 PST 2004

On Sun, 7 Mar 2004, Skip wrote:

> This is for anyone having trouble with a VPN behind Shorewall.
> I had been working on trying to get a VPN behind Shorewall to work for
> two days.
> Network was setup as
> Tried everything in the book to get it to work, nothing was working.
> I did a snoop on eth0 and the VPN was trying to go to,
> don't know if this was due to the firewall on the other end having
> on qfe2 or what.
> So I changed the network behind Shorewall to
> Added
> DNAT    net:checkpoint-firewall  loc:       esp     -       -
> DNAT    net:checkpoint-firewall  loc:       ah      -       -

That line is unnecessary since AH doesn't work through NAT.

> DNAT    net:checkpoint-firewall  loc:       udp     isakmp  -
> VPN came up and started working.
> I am sending this as an FYI so that someone else won't have to pull their
> hair out like I did.

Too bad you didn't check the Shorewall documentation -- in the
Documentation index under "VPN" is a link entitled "IPSEC/PPTP passthrough
from a system behind your firewall to a remote network". The above rules
are listed on that page.

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
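An added illustration of why the AH rule in the thread is pointless (this is not from the thread or from Shorewall): the model below computes the integrity check value the way each protocol defines it. AH's ICV covers the outer IP addresses, so a DNAT rewrite of the destination makes the receiver's check fail, while ESP's ICV covers only the ESP header and payload and is unaffected. The key, addresses and payload are constructed sample values.

```python
"""Model of AH vs ESP integrity checks across a DNAT hop (constructed example)."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed shared key, not a real SA key

def ip_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header: ver/IHL, TOS, len, id, flags, TTL, proto, cksum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 64, 0x1234, 0, ttl, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def ah_icv(hdr: bytes, payload: bytes) -> bytes:
    """AH (RFC 4302): ICV covers the IP header with mutable fields zeroed, plus the payload.
    Source/destination addresses count as immutable, so they are included in the MAC."""
    h = bytearray(hdr)
    h[8] = 0                # TTL is mutable
    h[10:12] = b"\x00\x00"  # header checksum is mutable
    return hmac.new(KEY, bytes(h) + payload, hashlib.sha256).digest()[:12]

def esp_icv(payload: bytes) -> bytes:
    """ESP (RFC 4303): ICV covers only the ESP header and payload, never the outer IP header."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:12]

def sender_icv(proto: str, hdr: bytes, payload: bytes) -> bytes:
    return ah_icv(hdr, payload) if proto == "ah" else esp_icv(payload)

def receiver_accepts(proto: str, hdr_received: bytes, payload: bytes, icv: bytes) -> bool:
    """Receiver recomputes the ICV over the packet as it actually arrived."""
    return hmac.compare_digest(sender_icv(proto, hdr_received, payload), icv)

def dnat(hdr: bytes, new_dst: str) -> bytes:
    """What a DNAT rule does on the way in: rewrite the destination address."""
    return hdr[:16] + ipaddress.ip_address(new_dst).packed

def survives_nat(proto: str) -> bool:
    """True if a packet of the given protocol still verifies after the firewall DNATs it."""
    payload = b"constructed IPsec payload"
    sent = ip_header("203.0.113.10", "198.51.100.1", 51 if proto == "ah" else 50)
    icv = sender_icv(proto, sent, payload)          # computed by the remote peer
    received = dnat(sent, "10.0.0.20")              # firewall forwards to the inside host
    return receiver_accepts(proto, received, payload, icv)

if __name__ == "__main__":
    for p in ("esp", "ah"):
        print(f"{p}: {'passes' if survives_nat(p) else 'fails'} through DNAT")
```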
