[Shorewall-users] Shorewall, FreeS/WAN, and IPSEC

David Tilley david@t2bsolutions.com
Wed, 2 Jan 2002 05:54:56 -0800


>sample setups of freeswan working with shorewall?

I just implemented this a few days ago. In my case it was the simple
scenario of two private subnets (with different private network numbers!)
already equipped with Shorewall firewalls on which I added Freeswan. The
hardest part was being patient enough for the other end's firewall (a 486)
to compile the patched kernel. I basically followed the example in the
Shorewall doc:

http://www.shorewall.net/IPSEC.htm

and the referenced IPSEC info at:

http://jixen.tripod.com/


I used

kernel: 2.4.17
freeswan: 1.94
shorewall: 1.2.0

My shorewall config was taken directly from Tom's example at the URL above.
Some random points though:

 - I seem to recall earlier versions of the IPSEC.htm document had a typo'd
address in them.
 - I had commented out the Gateway zone in my /etc/shorewall/zones since I
wasn't previously using it. Things worked a lot better when I put it back
in. ;)
 - To avoid changing/testing two things at once, I temporarily changed both
ends' Shorewall policy to "all   all   ACCEPT" just to make certain Shorewall
wouldn't get in the way. After I knew the IPSEC tunnel was working, I
changed the policy back to something sane.
 - Don't forget that in your Policy and Rules you now have a new zone 'gw'
to consider.

My IPSEC config was only slightly altered from the example at the URL above.

 - I left 'interfaces=%defaultroute' so I could use the same file on both
ends
 - When the Freeswan installation created the RSA key pairs for me, the
public key was NOT in hex. Therefore, I dropped the leading '0x' shown in
the jixen.tripod.com example.
 - [left|right]nexthop is the respective machine's default gateway. Freeswan
needs this to set up routing correctly


I hope this helps,

dvt
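The staged policy change the post describes, as an added illustration that is not the poster's own config nor Shorewall's sample files: the wide-open policy used only while bringing the tunnel up, beside a sane policy that names the new 'gw' zone. It assumes the Shorewall 1.x column layout (SOURCE DEST POLICY LOG LEVEL); the 'loc' and 'net' zone names and which interface carries 'gw' are assumptions and follow whatever IPSEC.htm sets up.

```text
# /etc/shorewall/policy -- TEMPORARY, only while confirming the IPSEC
# tunnel itself works, so the firewall cannot be the thing in the way.
# Revert this as soon as the tunnel is up.
#SOURCE   DEST    POLICY    LOG LEVEL
all       all     ACCEPT

# /etc/shorewall/policy -- after the tunnel is confirmed working.
# 'gw' is the zone added for the far end of the tunnel; every policy
# and rule now has to account for it, or traffic to/from the remote
# subnet falls through to the catch-all REJECT below and gets logged.
#SOURCE   DEST    POLICY    LOG LEVEL
loc       net     ACCEPT
loc       gw      ACCEPT
gw        loc     ACCEPT
net       all     DROP      info
all       all     REJECT    info
```

Run `shorewall check` after editing, and compare the logged REJECTs before and after adding the 'gw' lines to see which tunnel traffic the catch-all policy was swallowing.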


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users