From: Tom E. <te...@sh...> - 2005-07-28 14:24:53
Please don't post in HTML -- gross waste of bandwidth.

Rob Mokkink wrote:
> I have an openswan server with the l2tpd daemon running in my testlab.
>
> If I am on the intranet (local) network I can connect to the server with
> my windows xp box with no probs, when I want to connect through
> shorewall it gives me problems.
>
> I have worked a lot with ms ipsec/l2tp and applied the registry key/hack
> to support ipsec/l2tp connections over nat.
>
> I have looked at all vpn documents and sites on the internet but I can't
> figure out what rules etc. I need.
>
> This is what I have so far: (as you can see I use private ip addresses
> in my testlab, 192.168.0.0 I used for internet simulation)
>
> I tried the vpn doc for tunnel settings etc. add vpn zone to policy etc,
> but it doesn't work.

Hardly surprising since the "VPN doc" deals only with the case where the
firewall itself is the VPN end-point whereas your VPN server is *behind* the
firewall.

Here is what I suggest you do.

a) "shorewall clear"

b) Add a second IP address on the firewall's external interface -- call the
   address $IP and the interface $IF (ip addr add $IP/24 brd 192.168.0.255 dev $IF)

c) Be sure that the default route on the server (whose IP address is assumed
   to be 10.0.0.1 from your post) goes through the IP address of the firewall's
   internal interface (it better be doing that already).

d) On the firewall, run these two commands

   iptables -A PREROUTING -t nat -i $IF -d $IP -j DNAT --to-dest 10.0.0.1
   iptables -A POSTROUTING -t nat -o $IF -s 10.0.0.1 -j SNAT --to-source $IP

That has established:

a) A wide open firewall (no filtering)
b) one-to-one NAT between $IP and 10.0.0.1

Now try establishing a VPN connection from an "external" client to $IP. If
that doesn't work then you have problems not related to Shorewall.
If that does work then use a packet sniffer like Ethereal or tcpdump to see
exactly what traffic is exchanged between the hosts during connection.

I have an IPSEC/L2TP client that connects to a remote server through NAT but
I don't have a server here locally so I can't reproduce your scenario
exactly. My own tests show though that all the traffic is UDP to ports 500
and 4500 so at most four Shorewall rules should be required (two if the
loc->net policy is ACCEPT).

DNAT    net             loc:10.0.0.1    udp    500
DNAT    net             loc:10.0.0.1    udp    4500
ACCEPT  loc:10.0.0.1    net             udp    500
ACCEPT  loc:10.0.0.1    net             udp    4500

If you have those rules in place and things still don't work then you are
going to have to follow Jerry's advice and send us config and status
information because the problem isn't with the rules but somewhere else in
your configuration.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ te...@sh...
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
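The diagnostic Tom describes (sniff on the firewall, then check whether everything you see is UDP/500 and UDP/4500 to or from the server, because those are the only flows the four Shorewall rules accept) can be scripted. The following is an added example, not code from the original thread or from the Shorewall project. It assumes `tcpdump -n` text output captured on the firewall, the server address 10.0.0.1 from the post, and a hypothetical public address 192.168.0.2 standing in for $IP; the capture lines are constructed, and the raw ESP and cleartext L2TP packets in them are there to show what a client that is not doing NAT-T (or not doing IPsec at all) would look like, which the UDP-only rules would not pass.

```python
"""Check tcpdump -n output against the four Shorewall rules from the post.

Added example. Assumptions: 'tcpdump -n' text format; server at 10.0.0.1
(from the post); 192.168.0.2 is a hypothetical stand-in for the $IP alias
on the firewall's external interface. Captured on the firewall, the server
can appear under either address depending on which side of the NAT you
sniff, so both are treated as "the server".
"""
import re

SERVER_ADDRS = {"10.0.0.1", "192.168.0.2"}   # 10.0.0.1 from the post; 192.168.0.2 hypothetical $IP
VPN_PORTS = {500, 4500}                      # IKE (500) and NAT-T: IKE plus UDP-encapsulated ESP (4500)

# Matches 'ts IP a.b.c.d[.port] > a.b.c.d[.port]: rest' as printed by tcpdump -n.
LINE_RE = re.compile(
    r"^\S+\s+IP\s+(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?\s+>\s+"
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?:\s+(.*)$"
)

# Constructed sample capture: an IKE exchange that switches to NAT-T, then one
# raw ESP packet and one cleartext L2TP packet that the four rules would not pass.
SAMPLE_CAPTURE = """\
14:24:53.001 IP 192.168.0.50.500 > 192.168.0.2.500: isakmp: phase 1 I ident
14:24:53.002 IP 10.0.0.1.500 > 192.168.0.50.500: isakmp: phase 1 R ident
14:24:53.003 IP 192.168.0.50.4500 > 192.168.0.2.4500: NONESP-encap: isakmp: phase 1 I ident[E]
14:24:53.004 IP 10.0.0.1.4500 > 192.168.0.50.4500: NONESP-encap: isakmp: phase 1 R ident[E]
14:24:53.005 IP 192.168.0.50.4500 > 192.168.0.2.4500: UDP-encap: ESP(spi=0x0000a001,seq=0x1), length 120
14:24:53.006 IP 192.168.0.50 > 192.168.0.2: ESP(spi=0x0000b002,seq=0x1), length 132
14:24:53.007 IP 192.168.0.50.1701 > 192.168.0.2.1701: l2tp:[TLS](0/0)Ns=0,Nr=0 *MSGTYPE(SCCRQ)
"""


def parse(line):
    """Return (src, sport, dst, dport, proto) for an IP line, or None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, sport, dst, dport, rest = m.groups()
    if rest.startswith("Flags ["):
        proto = "tcp"            # tcpdump prints TCP flags first
    elif rest.startswith("ESP("):
        proto = "esp"            # raw ESP (IP proto 50): no ports, so no NAT-T
    elif sport is not None:
        proto = "udp"            # ports present and not TCP
    else:
        proto = "other"
    return (src, int(sport) if sport else None,
            dst, int(dport) if dport else None, proto)


def covered(pkt):
    """True if one of the four rules accepts the packet: UDP to port 500 or 4500,
    destined to the server (the DNAT rules) or sourced from it (the ACCEPT rules)."""
    src, _sport, dst, dport, proto = pkt
    if proto != "udp" or dport not in VPN_PORTS:
        return False
    return dst in SERVER_ADDRS or src in SERVER_ADDRS


def audit(lines):
    """Count covered packets and list the ones the four rules would drop."""
    report = {"covered": 0, "uncovered": [], "unparsed": 0}
    for line in lines:
        pkt = parse(line)
        if pkt is None:
            report["unparsed"] += 1
            continue
        if covered(pkt):
            report["covered"] += 1
        else:
            src, _sport, dst, dport, proto = pkt
            label = f"{proto}/{dport}" if dport is not None else proto
            report["uncovered"].append(f"{label} {src} > {dst}")
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CAPTURE.splitlines())
    print(f"{result['covered']} packet(s) matched the UDP 500/4500 rules")
    for entry in result["uncovered"]:
        print("outside the four rules:", entry)
```

Run it against a real capture with `tcpdump -n -i $IF host $IP | python3 audit.py`-style piping (reading stdin instead of `SAMPLE_CAPTURE`): if everything lands in the covered count, the rules are sufficient and the fault is elsewhere, as Tom says; if raw ESP or cleartext UDP/1701 shows up, the client is not doing NAT-T (or not doing IPsec) and no set of UDP 500/4500 rules will fix it.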