[Shorewall-users] New style ipsec tunnels in Linux 2.6
David T Hollis
dhollis at davehollis.com
Fri Dec 12 07:25:02 PST 2003
On Thu, 2003-12-11 at 22:51, Fraser Campbell wrote:
> On December 11, 2003 10:12 pm, Tom Eastep wrote:
> > a) Those who choose to lead the way should lead -- you are running a 2.6
> > kernel so you should be telling the rest of us about problem *solutions*.
> > b) We've visited this problem already in the last couple of weeks --
> > please check the archives.
> Thanks. htdig wasn't finding 2.6 in my archive searches for some reason, but
> manually scanning the archives found the relevant thread for me. I've changed
> the zone ordering for now and that has solved the issue. I'll see if I can
> come up with a more elegant solution.
Here's what I did on one side to enable 2.6 IPSEC to operate correctly
(eth0 is external, eth1 is internal intf):
/etc/shorewall/interfaces (the "-" zone means the vpn zone is assigned via the hosts file):
#ZONE   INTERFACE   BROADCAST   OPTIONS
-       eth0        detect      dhcp,blacklist
loc     eth1        detect      dhcp

/etc/shorewall/policy:
#SOURCE DEST    POLICY
vpn     loc     ACCEPT
loc     vpn     ACCEPT

/etc/shorewall/tunnels:
#TYPE   ZONE    GATEWAY         GATEWAY ZONE
ipsec   net     <rem gw ip>     vpn
When I was experimenting with it, the biggest trick seemed to be the
hosts entries and the negated masq line so that packets weren't natted
across the vpn.
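The hosts entry and negated masq line mentioned above, as an added illustration that is not part of the original post. It assumes a local LAN of 192.168.1.0/24 and a remote LAN of 192.168.2.0/24 (constructed values) and the Shorewall 1.4-era file formats; with 2.6 native IPsec there is no ipsecN interface, so decrypted remote-LAN traffic shows up on eth0 itself, which is why the vpn zone is bound to eth0 by address.

```text
# /etc/shorewall/hosts
# vpn zone = the remote LAN, reached through the external interface.
# 192.168.2.0/24 is a constructed value; use the real remote network.
#ZONE   HOST(S)                 OPTIONS
vpn     eth0:192.168.2.0/24

# /etc/shorewall/masq
# Masquerade the local LAN out eth0, EXCEPT for traffic to the remote LAN:
# those packets must enter the tunnel with their real source address so the
# IPsec policy selectors match and the far side sees 192.168.1.x, not eth0's IP.
# The "eth0:!<subnet>" exclusion syntax is assumed; check masq(5) for your version.
#INTERFACE              SUBNET          ADDRESS
eth0:!192.168.2.0/24    192.168.1.0/24
```

A quick check is that a ping from a loc host to the remote LAN shows the 192.168.1.x source in the remote side's logs rather than the external address.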