[Shorewall-newbies] VPN FYI

Tom Eastep teastep at shorewall.net
Sun Mar 7 14:07:41 PST 2004


On Sun, 7 Mar 2004, Skip wrote:

> This is for anyone having trouble with a VPN behind Shorewall.
> I had been working on trying to get a VPN behind Shorewall to work for
> two days.
> Network was setup as 192.168.1.0/24
> Tried everything in the book to get it to work, nothing was working.
> I did a snoop on eth0 and the VPN was trying to go to 192.168.101.1,
> don't know if this was due to the firewall on the other end having
> 192.168.101.1 on qfe2 or what.
> So I changed the network behind Shorewall to 192.168.254.0/24
> Added
> DNAT    net:checkpoint-firewall  loc:192.168.254.2       esp     -       -
> DNAT    net:checkpoint-firewall  loc:192.168.254.2       ah      -       -

That line is unnecessary since AH doesn't work through NAT.

> DNAT    net:checkpoint-firewall  loc:192.168.254.2       udp     isakmp  -
> VPN came up and started working.
> I am sending this as an FYI so that someone else won't have to pull their
> hair out like I did.
>

Too bad you didn't check the Shorewall documentation -- in the
Documentation index under "VPN" is a link entitled "IPSEC/PPTP passthrough
from a system behind your firewall to a remote network". The above rules
are listed on that page.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
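As an added illustration of the point made in this exchange (not part of the original thread and not Shorewall's own code), the following Python script parses a Shorewall-style `rules` file and checks the IPsec passthrough entries: it flags a DNAT of protocol `ah`, which cannot work through NAT because AH authenticates the outer IP header that NAT rewrites, and it reports an ESP forward with no matching `udp isakmp` forward (or the reverse). The sample rules are constructed for this example; the parser assumes the classic whitespace-separated `ACTION SOURCE DEST PROTO DEST PORT(S)` column layout, `#` comments and backslash line continuations, and ignores anything beyond those five columns.

```python
"""Lint a Shorewall 'rules' file for IPsec passthrough DNAT entries (added example)."""

# Constructed sample in the Shorewall rules column layout
# (assumption: ACTION SOURCE DEST PROTO DEST-PORT as the first five columns).
SAMPLE_RULES = """\
#ACTION  SOURCE                   DEST                PROTO  DEST PORT(S)
DNAT     net:checkpoint-firewall  loc:192.168.254.2   esp    -
DNAT     net:checkpoint-firewall  loc:192.168.254.2   ah     -
DNAT     net:checkpoint-firewall  loc:192.168.254.2   udp    isakmp
ACCEPT   loc                      net                 tcp    http
"""

COLUMNS = ("action", "source", "dest", "proto", "dport")


def parse_rules(text):
    """Parse rule lines into dicts. '#' comments, blank lines, SECTION
    markers and backslash continuations are handled; missing columns
    become '-' (Shorewall's placeholder for an unused column)."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):          # rule continues on the next line
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line or line.upper().startswith("SECTION"):
            continue
        cols = line.split()
        cols += ["-"] * (len(COLUMNS) - len(cols))
        rule = dict(zip(COLUMNS, cols[:len(COLUMNS)]))
        rule["action"] = rule["action"].upper()
        rule["proto"] = rule["proto"].lower()
        rule["dport"] = rule["dport"].lower()
        rules.append(rule)
    return rules


def lint_ipsec_passthrough(rules):
    """Return a list of findings about IPsec passthrough DNAT rules."""
    findings = []
    dnat = [r for r in rules if r["action"] == "DNAT"]
    esp_targets = {(r["source"], r["dest"]) for r in dnat if r["proto"] == "esp"}
    isakmp_targets = {(r["source"], r["dest"]) for r in dnat
                      if r["proto"] == "udp" and r["dport"] in ("isakmp", "500")}
    for r in dnat:
        if r["proto"] == "ah":
            # AH's integrity check covers the outer IP addresses, so the
            # rewrite NAT performs always breaks it: this rule never helps.
            findings.append(f"unnecessary: DNAT of AH to {r['dest']} cannot work through NAT")
    for src, dst in sorted(esp_targets - isakmp_targets):
        findings.append(f"incomplete: ESP forwarded to {dst} from {src} "
                        "but no matching DNAT of udp/isakmp (IKE, udp 500)")
    for src, dst in sorted(isakmp_targets - esp_targets):
        findings.append(f"incomplete: ISAKMP forwarded to {dst} from {src} "
                        "but no matching DNAT of esp")
    return findings


if __name__ == "__main__":
    for finding in lint_ipsec_passthrough(parse_rules(SAMPLE_RULES)):
        print(finding)
```

Run against the sample, the script reports only the AH line as unnecessary, which matches the observation in the reply above; dropping the `udp isakmp` line from the sample makes it report the ESP forward as incomplete instead.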

