Thank you so much for the reply. That most definitely clears up some
questions!! I think the reason that they use internal IPs is that the GRE data
is encapsulated in an IPSEC tunnel.
So I guess I could specify virtual local and remote interfaces in
/etc/shorewall/tunnel like so:
This should work with the Cisco configuration, right? I'm still unsure about
whether to use 172.27.12.1 (the IP of the internal network interface on my
firewall) or 10.15.25.225 (the IP the Cisco has configured as its tunnel
destination) as the myip parameter, since after all the Cisco configuration
doesn't use my IP address.
Here is the configuration I have in Shorewall:
vpn mygre 255.255.255.255
vpn mygre:220.127.116.11 ipsec
# GRE Tunnel
gre vpn 18.104.22.168
# IPSEC Tunnel
ipsec vpn 22.214.171.124
Question: Would I need to specify the internal subnet of the Cisco router in
/etc/shorewall/hosts as well?
Also, having the gre and ipsec tunnels on the same gateway IP SHOULD cause the
GRE packets to be encrypted with IPSEC, right? Just to double-check this....
Jesse L. Zamora
On Friday, March 25, 2011 10:49:04 Michael Weickel - iQom Business Services
> First of all, it's very confusing that your tunnel dst and src on the Cisco is a
> RFC1918 address. Those addresses are not routed within the bubble which is
> commonly known as the public internet. Don't mix those addresses up with your
> subnets considered to be routed WITHIN the tunnel itself. Tunnel src and
> dst is just outside the tunnel to finally link two GRE interfaces
> together, in your case loopback on the Cisco and an IP on Shorewall. On Shorewall
> you don't have to put a loopback; you can just put an interface's native IP
> and this will be your tunnel end point on Shorewall.
> GRE on Shorewall is described here (it may help you as well)
> If your question points not to how to establish a loopback on Shorewall but
> how to tell Shorewall that the Cisco's loopback should be used as the other
> endpoint of the tunnel, the answer is very simple. Just tell Shorewall the IP of
> the loopback as its tunnel destination and that's it. Shorewall of course doesn't
> care whether it's a virtual or physical IP on the other side; it's just
> routing, nothing else.
> I hope I was able to help a bit
> -----Original Message-----
> From: Jesse L. Zamora [mailto:xtremekforever@...]
> Sent: Friday, 25 March 2011 13:34
> To: shorewall-users@...
> Subject: [Shorewall-users] Interfacing with Cisco GRE & IPSEC
> We have been trying to configure a GRE/IPSEC tunnel between our Fedora 11
> firewall (with Shorewall 4.2 and ipsec-tools 0.7.2) and a Cisco firewall.
> Please note that the use of GRE is NOT optional in our case. I know some
> suggest using some other type of VPN configuration, but we are interfacing
> with a Cisco firewall belonging to a corporation in Latin America, so we have
> to use GRE with IPSEC.
> First, let me tell you a little about our network. Firstly, the internal
> subnet of our network is 172.27.12.0/24, and the internal subnet of the
> network (with the Cisco firewall) is 172.16.184.0/21.
> The most difficult thing I have to understand is the following. This is
> the Cisco FW:
> interface LoopbackX
> ip address 10.216.91.168 255.255.255.255
> interface TunnelX
> description TUNEL-GRE
> ip address 172.16.184.1 255.255.248.0
> tunnel source LoopbackX
> tunnel destination 10.15.25.225
> My question is relatively simple: how do I configure the loopback address
> 10.15.25.225/32 into Shorewall in order to connect with this Cisco FW? In
> order to be able to configure Shorewall so that the tunnel source is
> 10.15.25.225/32 and the tunnel destination is 10.216.91.168/32?
> So here's the final question:
> *** How do I configure Shorewall to use loopback addresses with GRE as in the
> above Cisco configuration example? ***
> Thanks for any assistance you can provide!
> Many thanks,
> Jesse L. Zamora
> Shorewall-users mailing list
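Whether the GRE packets really leave the box encrypted is decided by the IPsec policy loaded by ipsec-tools (the SPD), not by the tunnels entries, which only open the firewall for protocol 47 and ESP from the named gateway; the check worth doing is on the external interface itself. The following is an added example, not code from this thread or from the Shorewall project: a small audit over raw IPv4 packets as they would be captured on the outside interface, flagging any GRE between the two loopback endpoints from the Cisco snippet that is not wrapped in ESP. The packet bytes, the inner host addresses and the outer ESP peer addresses are constructed placeholders.

```python
import struct
from ipaddress import ip_address

GRE, ESP = 47, 50
# GRE endpoints as they appear in the Cisco snippet in this thread
GRE_ENDPOINTS = {"10.216.91.168", "10.15.25.225"}

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

def gre(inner):
    """Plain GRE header: no flags, version 0, protocol type 0x0800 (IPv4)."""
    return struct.pack("!HH", 0, 0x0800) + inner

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ip_address(pkt[12:16])), str(ip_address(pkt[16:20])),
            pkt[9], pkt[ihl:])

def audit(packets):
    """Flag GRE seen in the clear between the tunnel endpoints.

    Only ESP (protocol 50) should be visible between the IPsec peers; a bare
    protocol-47 packet between the GRE endpoints means the SPD did not match
    it and the inner traffic crossed the wire unencrypted.
    """
    findings = []
    for pkt in packets:
        src, dst, proto, payload = parse_ipv4(pkt)
        if proto == GRE and {src, dst} == GRE_ENDPOINTS:
            # GRE header is 4 bytes here (no checksum/key/sequence flags set)
            in_src, in_dst, in_proto, _ = parse_ipv4(payload[4:])
            findings.append(f"cleartext GRE {src}->{dst} carrying "
                            f"{in_src}->{in_dst} proto {in_proto}")
    return findings

# Constructed samples: ESP between placeholder public peers (how it should look),
# then a GRE packet that escaped the IPsec policy and exposes inner hosts from
# the two private subnets named in the thread (the host addresses are made up).
SAMPLE_PACKETS = [
    ipv4("192.0.2.1", "198.51.100.1", ESP, struct.pack("!II", 0x1001, 7) + bytes(16)),
    ipv4("10.216.91.168", "10.15.25.225", GRE,
         gre(ipv4("172.16.184.10", "172.27.12.20", 6, b""))),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PACKETS) or ["no cleartext GRE seen"]:
        print(line)
```

On a live system the same logic can be fed from a packet capture on the external interface; an empty result means every GRE packet between the endpoints was inside ESP.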