[Shorewall-users] another ipsec (FreeS/WAN) and shorewall question: host to host (router) vpn and internet access

cmisip cmisip at insightbb.com
Fri Aug 1 01:54:23 PDT 2003


Hi, I have a local LAN 192.168.1.0/24 and a Linux IP masq router (via
shorewall; let's call it Arouter).  I have clients connect to this via eth1
(eth0 is connected to the cable modem).  Everything is working fine (all
clients (machines blaptop, cdesktop, ddesktop) can see each other and the
router and all happily connect to the internet).  I have the default
route on blaptop, cdesktop, ddesktop pointed to Arouter.
To protect wireless 802.11b on blaptop, I create an ipsec tunnel between
it and cdesktop, ddesktop, Arouter.  
Now cdesktop, ddesktop and Arouter have IP forwarding turned on.
When I bring up a tunnel between blaptop and ddesktop, the routing table
on blaptop gets changed so now the default route points to ddesktop via
ipsec0.  This is OK since I have IP forwarding turned on in ddesktop,
hence packets for the internet get forwarded to Arouter by ddesktop.
Things are good.  The same goes if I turn on the ipsec tunnel to
cdesktop.
Now if I turn on the ipsec tunnel to Arouter, I can connect to Arouter
and ping the hell out of it and I get ESP encryption on pings and
replies.  So the ipsec tunnel to Arouter must be working.  The routing
table now has Arouter as default route via ipsec0 for the laptop.
However, I cannot access the internet now from blaptop.  What am I doing
wrong?  Somehow, I need to tell Arouter to decrypt these ipsec packets
and masq them and send them to the internet like it is doing for the eth1
subnet.

My ethernet devices:
eth0 - dhcp via cable modem
eth1 - 192.168.1.1
eth2 - 192.168.2.1


my files:
policy
loc net ACCEPT
net all DROP
all all REJECT
fw  net ACCEPT
loc fw  ACCEPT
fw  loc ACCEPT
fw  vpn ACCEPT
vpn fw  ACCEPT
vpn net ACCEPT

zones:
net   Net
loc   Local
dmz   DMZ
vpn   VPN

interfaces:
net    eth0   detect
loc    eth1   192.168.1.255
dmz    eth2   192.168.2.255
vpn    ipsec0

tunnels:
ipsec     loc   192.168.1.100   vpn

masq:
eth0   eth1
eth0   192.168.1.100/32

My FreeS/WAN ipsec is configured to be host to host (no subnets or
nexthops, as all machines exist in the same network and can see each
other).  I have in ipsec.conf the option forwardcontrol=yes as well
as interfaces="ipsec0=eth1".

Any help would be appreciated.  Thanks
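As an added check, not code from the post or from Shorewall itself: a small Python model of the four tables quoted above, assuming Shorewall's first-match ordering for the policy file and that an interface named as a masq SOURCE stands for the subnet routed through it (the /24s below are assumed from the addressing given). It reports which policy line and masq entry a forwarded packet from the laptop hits, arriving on eth1 versus ipsec0.

```python
import ipaddress

# Tables copied from the post. Subnets for interface-style masq sources are
# assumed from the post's addressing (eth1 is 192.168.1.1 on 192.168.1.0/24).
INTERFACES = {"eth0": "net", "eth1": "loc", "eth2": "dmz", "ipsec0": "vpn"}
INTERFACE_SUBNETS = {"eth1": "192.168.1.0/24", "eth2": "192.168.2.0/24"}
POLICY = [  # (source zone, destination zone, action), in file order
    ("loc", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT"),
    ("fw", "net", "ACCEPT"), ("loc", "fw", "ACCEPT"), ("fw", "loc", "ACCEPT"),
    ("fw", "vpn", "ACCEPT"), ("vpn", "fw", "ACCEPT"), ("vpn", "net", "ACCEPT"),
]
MASQ = [("eth0", "eth1"), ("eth0", "192.168.1.100/32")]  # (out iface, source)


def policy_for(src_zone, dst_zone):
    """First matching policy line wins (assumed Shorewall ordering)."""
    for src, dst, action in POLICY:
        if src in (src_zone, "all") and dst in (dst_zone, "all"):
            return action, (src, dst)
    return None


def masq_for(out_iface, src_ip):
    """Return the first masq entry that would SNAT src_ip out of out_iface."""
    ip = ipaddress.ip_address(src_ip)
    for out, source in MASQ:
        if out != out_iface:
            continue
        # An interface name stands for the subnet routed through it.
        subnet = INTERFACE_SUBNETS.get(source, source)
        if ip in ipaddress.ip_network(subnet):
            return out, source
    return None


def check_flow(in_iface, src_ip, out_iface="eth0"):
    """Zone pair, policy line and masq entry for a forwarded packet."""
    zones = (INTERFACES[in_iface], INTERFACES[out_iface])
    return {"zones": zones,
            "policy": policy_for(*zones),
            "masq": masq_for(out_iface, src_ip)}


if __name__ == "__main__":
    for iface in ("eth1", "ipsec0"):   # same laptop, plain LAN vs. ipsec0
        print(iface, check_flow(iface, "192.168.1.100"))
```

With the tables in the order posted, the model matches a vpn-to-net packet against the `all all REJECT` line before the later `vpn net ACCEPT` is reached, which is worth confirming against the running firewall before looking at the FreeS/WAN side.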


