[Shorewall-users] New style ipsec tunnels in Linux 2.6

Fraser Campbell fraser at wehave.net
Thu Dec 11 21:13:58 PST 2003


I am experimenting with the ipsec support built into the linux 2.6 kernel 
(using a backport of the 2.6 ipsec stack to 2.4.22).  The vpn side of things 
is working fine but I'm having some problems with shorewall since this ipsec 
implementation doesn't use a dedicated device for decrypted traffic (i.e. 
ipsec0 or tun0).

Here's a tcpdump showing traffic on my external interface (ppp0):

    tcpdump: listening on ppp0
    20:21:59.439357 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4b)
    20:21:59.439357 > icmp: echo request (DF)
    20:22:00.438199 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4c)
    20:22:00.438199 > icmp: echo request (DF)
    20:22:01.437490 remote_gw > shorewall_fw: ESP(spi=0x97fd6cc4,seq=0xe4d)
    20:22:01.437490 > icmp: echo request (DF)

The decrypted traffic is being denied since it's recognized as part of my net 
zone, instead of as part of my vpn zone:

    Dec 11 20:27:03 torridon kernel: Shorewall:net2all:DROP:IN=ppp0 OUT=eth0
        SRC= DST= LEN=84 TOS=0x00 PREC=0x00 TTL=62
        ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5389 SEQ=2304

Here's how I've tried to set it up ...

  net     Net             Internet
  loc     Local           Local networks
  vpn     VPN             Office LAN

  -       ppp0
  loc     eth0            detect

  # This just doesn't feel right
  vpn             ppp0:
  net              ppp0:

  generic:esp             net     remote_gw # remote_gw is really IP address

Does anyone have any ideas?  I've looked at all of the tunnelling exampes that 
I can find in the docs but none of them seem to quite fit this situation.

I've manually "fixed" shorewall for now by adding the following rule to 

    run_iptables -I net2all 3 -i ppp0 -o eth0 -s \
        -d -j ACCEPT

If anyone thinks they can help me out with this I'd be happy to include more 
information on my config.  My apologies if I've missed an FAQ or something 
obvious in the docs.

Fraser Campbell <fraser at wehave.net>                 http://www.wehave.net/
Georgetown, Ontario, Canada                               Debian GNU/Linux

More information about the Shorewall-users mailing list