[Shorewall-users] IPSec question

Tom Eastep teastep at shorewall.net
Mon, 23 Sep 2002 08:00:07 -0700

Christian Lox wrote:
> Hi!
> I am using shorewall since quite a time and it's a really great tool.
> We did use also Ipsec tunnels and now our gateway has moved from the
> shorewall machine itself to a dedicated Ipsec Gateway machine which
> runs in the dmz.
> But now the tunnels do not come up, since I cannot figure how to
> configure shorewall.
> It drops like this:
>  Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=xxx.xxx.xx.x
> DST=xx.x.xx.xx LEN=204 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP
> SPT=500 DPT=500 LEN=184

As stated in several places in the Shorewall documentation, for IPSEC you 
must allow UDP port 500 and protocol 50 (and protocol 51 if you aren't 
using any form of NAT) between the VPN gateways. You don't say how you 
manage your DMZ (Proxy ARP, NAT, Masquerade, Routed) so I can't give you 
the exact rules but you might find http://www.shorewall.net/VPN.htm helpful.
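As an added illustration (not code from the post or from the Shorewall project): a small parser for the Shorewall log format quoted above that flags dropped IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) traffic and prints the rules-file entries the reply describes. The interface-to-zone mapping and the sample addresses are constructed assumptions, since the post gives neither.

```python
import re

# Constructed sample: line 1 mirrors the drop quoted in the post (addresses replaced with
# documentation ranges); the ESP, AH and SSH lines are constructed for illustration.
SAMPLE_LOG = """\
Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.20 LEN=204 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=184
Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.20 LEN=136 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ESP SPI=0x0000abcd
Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.20 LEN=124 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=51
Shorewall:net2all:DROP:IN=eth2 OUT=eth1 SRC=203.0.113.10 DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4321 DPT=22
"""

# Assumed interface-to-zone mapping for this network (not given in the post).
ZONE_OF_INTERFACE = {"eth2": "net", "eth1": "dmz"}

LOG_RE = re.compile(r"^\s*Shorewall:(?P<chain>[^:]+):(?P<disposition>[^:]+):(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
PROTO_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "ESP": 50, "AH": 51}  # others are logged as numbers

def parse_shorewall_log(line):
    """Return chain, disposition and key=value fields, or None; a repeated key (LEN=) keeps its last value."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    rec.update(FIELD_RE.findall(m.group("rest")))
    return rec

def ipsec_component(rec):
    """Classify a parsed record as IKE (UDP/500), ESP (proto 50), AH (proto 51) or None."""
    proto = rec.get("PROTO", "")
    number = PROTO_NUMBERS.get(proto, int(proto) if proto.isdigit() else None)
    if number == 17 and rec.get("DPT") == "500":
        return "IKE"
    return {50: "ESP", 51: "AH"}.get(number)

def suggested_rules(log_text, zone_of_interface):
    """Shorewall rules entries (ACTION SOURCE DEST PROTO PORT) that would have accepted the
    dropped IPsec traffic; the peer gateway's direction needs the mirror-image entries."""
    rules = []
    for line in log_text.splitlines():
        rec = parse_shorewall_log(line)
        component = ipsec_component(rec) if rec and rec["disposition"] == "DROP" else None
        if component is None:
            continue
        src = zone_of_interface.get(rec.get("IN"), "fw")   # no IN= means locally generated
        dst = zone_of_interface.get(rec.get("OUT"), "fw")  # no OUT= means the firewall itself
        rule = f"ACCEPT {src} {dst} " + {"IKE": "udp 500", "ESP": "50", "AH": "51"}[component]
        if rule not in rules:
            rules.append(rule)
    return rules
```

The unrelated TCP/22 drop in the sample is deliberately ignored, so only the three IPsec entries come out; which zones really apply depends on how the DMZ is attached, as the reply notes.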

