Re: [Shorewall-users] ipsec l2tp server behind shorewall

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Please don't post in HTML -- gross waste of bandwidth.

Rob Mokkink wrote:

> I have an openswan server with the l2tpd daemon running in my testlab.
>=20
> =20
>=20
> If I am on the intranet (local) network I can connect to the server wit=
h
> my windows xp box with no probs, when I want to connect through
> shorewall it give me problems.
>=20
> I have worked a lot with ms ipsec/l2tp and applied the registry key/hac=
k
> to support ipsec/l2tp connections over nat.
>=20
> =20
>=20
> I have looked at all vpn documents and sites on the internet but I can=92=
t
> figure out what rules etc. I need.
>=20
> =20
>=20
> This is what I have so far: (as you can see I use private ip addresses
> in my testlab, 192.168.0.0 I used for internet simulation)
>=20
>=20
> I tried the vpn doc for tunnel settings etc. add vpn zone to policy etc=
,
> but it doesn=92t work.

Hardly surprising since the "VPN doc" deals only with the case where the
firewall itself is the VPN end-point whereas your VPN server is *behind* =
the
firewall.

Here is what I suggest you do.

a) "shorewall clear"
b) Add a second IP address on the firewall's external interface -- call t=
he
address $IP and the interface $IF (ip addr add $IP/24 brd 192.168.0.255 d=
ev $IF)
e) Be sure that the default route on the server (whose IP address is assu=
med
to be 10.0.0.1 from your post) goes through the IP address of the firewal=
l's
internal interface (it better be doing that already).
d) On the firewall, run these two commands

iptables -A PREROUTING -t nat -i $IF -d $IP -j DNAT --to-dest 10.0.0.1

iptables -A POSTROUTING -t nat -o $IF -s 10.0.0.1 -j SNAT --to-source $IP=

That has established:

a) A wide open firewall (no filtering)
b) one-to-one NAT between $IP and 10.0.0.1

Now try establishing a VPN connection from an "external" client to $IP. I=
f
that doesn't work then you have problems not related to Shorewall. If tha=
t
does work then use a packet sniffer like Ethereal or tcpdump to see exact=
ly
what traffic is exchanged between the hosts during connection.

I have an IPSEC/L2TP client that connects to a remote server through NAT =
but
I don't have a server here locally so I can't reproduce your scenario
exactly. My own tests show though that all the traffic is UDP to ports 50=
0
and 4500 so at most four Shorewall rules should be required (two if the
loc->net policy is ACCEPT).

DNAT	net		loc:10.0.0.1	udp	500
DNAT	net		loc:10.0.0.1	udp	4500
ACCEPT	loc:10.0.0.1	net		udp	500
ACCEPT	loc:10.0.0.1	net		udp	4500

If you have those rules in place and things still don't work then you are=

going to have to follow Jerry's advise and send us config and status
information because the problem isn't with the rules but somewhere else i=
n
your configuration.

-Tom
--=20
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key