[Shorewall-users] New style ipsec tunnels in Linux 2.6

David T Hollis dhollis at davehollis.com
Fri Dec 12 07:25:02 PST 2003


On Thu, 2003-12-11 at 22:51, Fraser Campbell wrote:
> On December 11, 2003 10:12 pm, Tom Eastep wrote:
> 
> > a) Those who choose to lead the way should lead -- you are running a 2.6
> > kernel so you should be telling the rest of us about problem *solutions*.
> > 
> > b) We've visited this problem already in the last couple of weeks --
> > please check the archives.
> 
> Thanks, htdig wasn't finding 2.6 in my archive searches for some reason, 
> manually scanning the archives found the relevant thread for me. I've changed 
> the zone ordering for now and that has solved the issue.  I'll see if I can 
> come up with a more elegant solution.

Here's what I did on one side to enable 2.6 IPSEC to operate correctly
(eth0 is external, eth1 is internal intf):

interfaces:
-	eth0	detect	dhcp,blacklist
loc	eth1	detect	dhcp

hosts:
vpn	eth0:172.16.100.0/24
net	eth0:0.0.0.0/0

masq:
eth0:!172.16.100.0/24	192.168.1.0/24


policy:
vpn	loc	ACCEPT
loc	vpn	ACCEPT


tunnels:
ipsec	net	<rem gw ip>	vpn


When I was experimenting with it, the biggest trick seemed to be the
hosts entries and the negated masq line so that packets weren't NATed
across the VPN.
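To make the effect of the hosts entries and the negated masq line concrete, here is a small added example (not from the post, not Shorewall's own code) that models those two tables in Python: `zone_for` applies the hosts entries first-match, which is why the more specific `vpn` subnet must be listed before the catch-all `net` entry, and `is_masqueraded` applies the masq line so that traffic from 192.168.1.0/24 leaving eth0 is only NATed when its destination is outside 172.16.100.0/24. `masq_to_iptables` renders the masq line as the equivalent iptables POSTROUTING rule; that rendering is an assumption about the shape of the rule, not Shorewall's actual generated output. The tables and sample packets are constructed from the configuration quoted above.

```python
import ipaddress

# Constructed from the post: hosts and masq entries, in the order they were written.
HOSTS = [
    ("vpn", "eth0", "172.16.100.0/24"),
    ("net", "eth0", "0.0.0.0/0"),
]
MASQ = [
    ("eth0:!172.16.100.0/24", "192.168.1.0/24"),
]


def zone_for(interface, ip):
    """Return the zone for an address seen on `interface`, first match wins.

    Simplified model of the hosts table: because net is 0.0.0.0/0 and
    overlaps the vpn subnet, the order of the entries decides the answer.
    """
    addr = ipaddress.ip_address(ip)
    for zone, iface, net in HOSTS:
        if iface == interface and addr in ipaddress.ip_network(net):
            return zone
    return None


def parse_masq_iface(spec):
    """Split 'eth0:!172.16.100.0/24' into (interface, negated, destination network)."""
    iface, _, rest = spec.partition(":")
    if not rest:
        return iface, False, None
    negated = rest.startswith("!")
    return iface, negated, ipaddress.ip_network(rest.lstrip("!"))


def is_masqueraded(out_iface, src, dst):
    """Decide whether a packet (src -> dst) leaving `out_iface` gets masqueraded.

    With the negated destination, VPN-bound traffic keeps its real source
    address, so it matches the IPsec policy; everything else is NATed.
    """
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for iface_spec, source_net in MASQ:
        iface, negated, dst_net = parse_masq_iface(iface_spec)
        if iface != out_iface or s not in ipaddress.ip_network(source_net):
            continue
        if dst_net is not None:
            in_net = d in dst_net
            if negated and in_net:       # "!" excludes this destination
                continue
            if not negated and not in_net:
                continue
        return True
    return False


def masq_to_iptables(iface_spec, source_net):
    """Render one masq entry as an iptables POSTROUTING rule (assumed equivalent form)."""
    iface, negated, dst_net = parse_masq_iface(iface_spec)
    parts = ["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", iface, "-s", source_net]
    if dst_net is not None:
        if negated:
            parts.append("!")
        parts += ["-d", str(dst_net)]
    parts += ["-j", "MASQUERADE"]
    return " ".join(parts)


if __name__ == "__main__":
    for dst in ("172.16.100.7", "8.8.8.8"):
        print(dst, zone_for("eth0", dst), "masq" if is_masqueraded("eth0", "192.168.1.10", dst) else "no masq")
    print(masq_to_iptables(*MASQ[0]))
```

Swapping the two hosts entries in `HOSTS` makes `zone_for("eth0", "172.16.100.7")` return `net`, which is the zone-ordering problem discussed earlier in the thread; removing the `!` from the masq entry would NAT VPN-bound packets, which is what the negated line prevents.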


