[Shorewall-users] another ipsec(frees/wan) and shorewall question: host to host(router)vpn and internet access

cmisip cmisip at insightbb.com
Fri Aug 1 01:54:23 PDT 2003

Hi, I have a local LAN and a Linux IP masq router (via
shorewall - let's call it Arouter).  I have clients connect to this via eth1
(eth0 is connected to the cable modem).  Everything is working fine (all
clients (machines blaptop, cdesktop, ddesktop) can see each other and the
router and all happily connect to the internet).  I have the default
route on blaptop, cdesktop, ddesktop pointed to Arouter.
To protect wireless 802.11b on blaptop, I create an ipsec tunnel between
it and cdesktop, ddesktop, Arouter.  
Now cdesktop, and ddesktop and Arouter have IP forwarding turned on.
When I bring up a tunnel between blaptop and ddesktop, the routing table
on blaptop gets changed so now the default route points to ddesktop via
ipsec0.  This is ok since I have IP forwarding turned on in ddesktop
hence packets for the internet get forwarded to the Arouter by ddesktop.
Things are good.  The same goes if I turn on the ipsec tunnel to
Now if I turn on the ipsec tunnel to Arouter, I can connect to Arouter
and ping the hell out of it and I get ESP encryption on pings and
replies.  So the ipsec tunnel to Arouter must be working.  The routing
table now has Arouter as default route via ipsec0 for the laptop.
However, I cannot access the internet now from blaptop.  What am I doing
wrong?  Somehow, I need to tell Arouter to decrypt these ipsec packets
and masq them and send them to the internet like it is doing for eth1.

My ethernet devices:
eth0 - dhcp via cable modem
eth1 -
eth2 -

my files:

policy:
loc net ACCEPT
net all DROP
all all REJECT
fw  net ACCEPT
loc fw  ACCEPT
fw  loc ACCEPT
fw  vpn ACCEPT
vpn fw  ACCEPT
vpn net ACCEPT

zones:
net   Net
loc   Local
dmz   DMZ
vpn   VPN

interfaces:
net    eth0   detect
loc    eth1
dmz    eth2
vpn    ipsec0

tunnels:
ipsec     loc   vpn

masq:
eth0   eth1

My Frees/wan ipsec is configured to be host-to-host (no subnets or
nexthops, as all machines exist in the same network and can see each
other).  I have in ipsec.conf the option forwardcontrol=yes as well
as interfaces="ipsec0=eth1".

Any help would be appreciated.  Thanks
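As an added example (not part of the original post), a small audit that cross-checks the policy, interfaces and masq entries pasted above: it lists every zone whose policy toward net is ACCEPT but whose interface has no masq entry behind the net interface. The way the three files are joined up is this example's own assumption about how to read them, not something the poster or Shorewall provides.

```python
"""Audit a Shorewall config for zones allowed to reach 'net' whose
interface is not masqueraded behind the external interface.

Added example, not from the original post. The file contents below are
the poster's own entries, embedded inline so this runs offline. The
cross-check (zone -> interface -> masq lookup) is an assumption made by
this example; it only understands the interface form of the masq file
that the poster uses, not subnet or address forms."""

# Poster's files, as pasted to the list (policy, interfaces, masq).
POLICY = """\
loc net ACCEPT
net all DROP
all all REJECT
fw  net ACCEPT
loc fw  ACCEPT
fw  loc ACCEPT
fw  vpn ACCEPT
vpn fw  ACCEPT
vpn net ACCEPT
"""
INTERFACES = """\
net    eth0   detect
loc    eth1
dmz    eth2
vpn    ipsec0
"""
MASQ = """\
eth0   eth1
"""

def parse_columns(text):
    """Yield the whitespace-separated columns of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def unmasqueraded_zones(policy, interfaces, masq, net_zone="net"):
    """Return (zone, interface) pairs with an ACCEPT policy toward net_zone
    whose interface has no masq entry behind net_zone's interface."""
    zone_if = {cols[0]: cols[1] for cols in parse_columns(interfaces)}
    ext_if = zone_if[net_zone]
    masq_src = {cols[1] for cols in parse_columns(masq) if cols[0] == ext_if}
    missing = []
    for src, dst, pol in (c[:3] for c in parse_columns(policy)):
        # 'fw' and 'all' have no interface line, so they are skipped here.
        if dst == net_zone and pol == "ACCEPT" and src in zone_if and src != net_zone:
            if zone_if[src] not in masq_src:
                missing.append((src, zone_if[src]))
    return missing

if __name__ == "__main__":
    for zone, iface in unmasqueraded_zones(POLICY, INTERFACES, MASQ):
        print(f"zone {zone} ({iface}) may reach net, but {iface} is not masqueraded via eth0")
```

Run against the poster's files it reports the vpn zone on ipsec0, which matches the poster's own observation that Arouter masquerades eth1 but not the decrypted ipsec traffic.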
