[Shorewall-users] Shorewall, FreeS/WAN, and IPSEC

David Tilley david@t2bsolutions.com
Wed, 2 Jan 2002 05:54:56 -0800

>sample setups of freeswan working with shorewall?

I just implemented this a few days ago. In my case it was the simple
scenario of two private subnets (with different private network numbers!)
already equipped with Shorewall firewalls on which I added Freeswan. The
hardest part was being patient enough for the other end's firewall (a 486)
to compile the patched kernel. I basically followed the example in the
Shorewall doc:


and the referenced IPSEC info at:


I used

kernel: 2.4.17
freeswan: 1.94
shorewall: 1.2.0

My shorewall config was taken directly from Tom's example at the URL above.
Some random points though:

 - I seem to recall earlier versions of the IPSEC.htm document had a typo in
an address in them.
 - I had commented out the Gateway zone in my /etc/shorewall/zones since I
wasn't previously using it. Things worked a lot better when I put it back
in. ;)
 - To avoid changing/testing two things at once, I temporarily changed both
ends' Shorewall policy to "all   all   ACCEPT" just to make certain Shorewall
wouldn't get in the way. After I knew the IPSEC tunnel was working, I
changed the policy back to something sane.
 - Don't forget that in your Policy and Rules you now have a new zone 'gw'
to consider.

My IPSEC config was only slightly altered from the example at the URL above.

 - I left 'interfaces=%defaultroute' so I could use the same file on both ends.
 - When the Freeswan installation created the RSA key pairs for me, the
public key was NOT in hex. Therefore, I dropped the leading '0x' shown in
the jixen.tripod.com example.
 - [left|right]nexthop is the respective machine's default gateway. Freeswan
needs this to set up routing correctly.

I hope this helps,



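As an added worked example (not from the post above, and not copied from the Shorewall or FreeS/WAN documentation it refers to), here is the shape of the net-to-net configuration the post describes: one ipsec.conf usable unchanged on both gateways thanks to interfaces=%defaultroute and explicit nexthops, plus the Shorewall files with the 'gw' zone put back. All addresses, interface names and RSA key values are assumed placeholders (RFC 5737 documentation ranges for the public side, two different RFC 1918 networks for the private side), and the Shorewall column layouts are the 1.2-era ones as I recall them; check them against the comment headers in your own /etc/shorewall files.

```conf
# ---- /etc/ipsec.conf (identical copy on both gateways; FreeS/WAN 1.x) ----
config setup
        # %defaultroute: each box picks the interface carrying its own
        # default route, so the same file works on either end.
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn site-a-to-site-b
        authby=rsasig
        # Site A (assumed): public address, its private subnet and the
        # upstream router FreeS/WAN must route the tunnel through.
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        leftnexthop=192.0.2.254
        # Site B (assumed): note the DIFFERENT private network number.
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        rightnexthop=198.51.100.254
        # Keys as printed by 'ipsec showhostkey --left' / '--right':
        # base64 with a 0s prefix, not hex, so no 0x. Placeholders only.
        leftrsasigkey=0sAQN...placeholder...
        rightrsasigkey=0sAQO...placeholder...
        auto=start

# ---- /etc/shorewall/zones (site A shown) ----
#ZONE   DISPLAY         COMMENTS
net     Net             Internet
loc     Local           Local network 10.1.0.0/24
gw      Gateway         Traffic arriving through the IPSEC tunnel

# ---- /etc/shorewall/interfaces ----
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect
loc     eth1            detect
gw      ipsec0

# ---- /etc/shorewall/tunnels ----
# Lets the IKE (UDP 500) and ESP traffic to/from the remote gateway
# through the net zone. Site B's copy names 192.0.2.1 instead.
#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   net     198.51.100.1

# ---- /etc/shorewall/policy ----
# While first bringing the tunnel up, the post used the single line
#   all     all     ACCEPT
# so only one thing was being tested at a time. Once the tunnel worked,
# something like the following replaced it; 'gw' now needs its own rows.
#SOURCE DEST    POLICY  LOG LEVEL
loc     gw      ACCEPT
gw      loc     ACCEPT
loc     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info
```

The point of the layout is that decrypted packets appear on ipsec0, so Shorewall sees them as coming from the 'gw' zone rather than from 'net'; without a 'gw' entry in zones and interfaces, and without loc/gw policy rows, the tunnel can be up at the FreeS/WAN level while every packet through it is still rejected by the default policy.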