[Shorewall-users] Couple of questions regarding VPN/IPSec

Alan Murrell silkbc at yahoo.com
Wed Dec 10 19:32:28 PST 2003


We have a VPN setup between two networks located in
different cities.  One side is a Customer's colocated
equipment (which we are managing) in Vancouver, Canada
and the other side is the Customer's office in
Victoria, Canada.

On our side (the colocated equipment), I am wanting to
run Shorewall, but have run into a couple of issues
related to the VPN failing when Shorewall is running. 
I have been playing with the config, and reading the
VPN docs on the site, but before trying to
re-implement, I had a question or two:

  1. Do both sides of the VPN have to be running
Shorewall?  I would think "no", but the VPN docs talk
about the Shorewall configuration on both sides of the
VPN.  Assuming the answer is "no", I will do another
post with my configuration information, so hopefully
someone will be able to point me in the direction of
what is wrong.

  2. This question has more to do with masquerading. 
The mechanics are not shorewall-related, but it's
really more of a question on how to convert the
IPTables rule into a Shorewall rule.

Essentially, they do not want VPN/ipsec traffic
destined for Victoria to be masqueraded, which
apparently it currently is.  They sent me the
following snippet from the Freeswan site:

--- CUT HERE ---
Do not MASQ or NAT packets to be tunneled 

If you are masquerading or NATting packets on either
gateway, you must now exempt the packets you wish to
tunnel from this treatment. If you have a rule like: 

iptables -A FORWARD -s -j

change it to something like: 

iptables -A FORWARD -s -d ! -j MASQ 

This may be necessary on both gateways. 

--- CUT HERE ---

If there is documentation on how to do this within
Shorewall, then I would appreciate it if you could
point me in that direction, or any other pointers.


Alan Murrell <silkbc at yahoo.com>
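The FreeS/WAN snippet quoted in the post is the ipchains-era form (`-j MASQ` on FORWARD); in iptables, masquerading lives in the nat table's POSTROUTING chain, and the exemption for tunnel-bound traffic has to sit before the MASQUERADE rule because the first matching nat rule wins. The following is an added example, not code from the post or from the Shorewall project: it writes the iptables pair, the equivalent single line for Shorewall's `/etc/shorewall/masq` file (using the `INTERFACE:!net` exclusion syntax that file accepts), and a small model of the NAT decision run over constructed sample packets. All addresses and the interface name are assumptions; the post gives none.

```python
import ipaddress

# Constructed sample addressing for the two ends of the tunnel; the post
# gives no addresses, so these are assumptions for the example only.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")    # assumed: Vancouver colo LAN
REMOTE_NET = ipaddress.ip_network("192.168.2.0/24")   # assumed: Victoria office LAN
WAN_IFACE = "eth0"                                    # assumed: colo gateway's Internet-facing interface


def iptables_rules(local=LOCAL_NET, remote=REMOTE_NET, wan=WAN_IFACE):
    """iptables form of the FreeS/WAN advice.

    Masquerading in iptables happens in the nat table's POSTROUTING chain
    (the FORWARD / -j MASQ form in the quoted snippet is ipchains-era).
    The exemption must come first: netfilter stops at the first matching
    nat rule, so LAN -> remote-LAN traffic is ACCEPTed untouched and only
    everything else leaving the LAN is MASQUERADEd.
    """
    return [
        f"iptables -t nat -A POSTROUTING -o {wan} -s {local} -d {remote} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan} -s {local} -j MASQUERADE",
    ]


def shorewall_masq_entry(local=LOCAL_NET, remote=REMOTE_NET, wan=WAN_IFACE):
    """One line for /etc/shorewall/masq (columns: INTERFACE SUBNET ADDRESS).

    The masq file's INTERFACE column may carry an exclusion, 'eth0:!<net>',
    meaning "masquerade out eth0 except when the destination is in <net>";
    Shorewall generates POSTROUTING rules like the pair above from it.
    Confirm the column layout against the masq documentation for the
    installed Shorewall version.
    """
    return f"{wan}:!{remote}\t{local}"


def would_masquerade(src, dst, local=LOCAL_NET, remote=REMOTE_NET):
    """Model of the NAT decision the rules above make for one forwarded packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in local:      # not our LAN: neither rule matches
        return False
    if dst in remote:         # tunnel-bound: hits the exemption
        return False
    return True               # ordinary Internet-bound LAN traffic


if __name__ == "__main__":
    for line in iptables_rules():
        print(line)
    print(shorewall_masq_entry())
    # Constructed sample packets: tunnel-bound, Internet-bound, and foreign source
    for s, d in [("192.168.1.10", "192.168.2.20"),
                 ("192.168.1.10", "203.0.113.5"),
                 ("10.9.8.7", "203.0.113.5")]:
        print(s, "->", d, "masqueraded" if would_masquerade(s, d) else "left alone")
```

The point to take from the model is the ordering: if the MASQUERADE rule came first, the Vancouver-to-Victoria packets would be rewritten to the gateway's address before IPsec ever saw them, so they would no longer match the tunnel's policy, which is the failure the post describes.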
