From: Prolibre <ro...@pr...> - 2015-02-13 07:15:02
Hi Tom

It works. I also mentioned the virtual interface eth0:7:193....

Thanks for your help.

Gilbert

Sent with AquaMail for Android
http://www.aqua-mail.com

On 6 February 2015 18:08:57 Tom Eastep <te...@sh...> wrote:

> On 2/4/2015 12:37 PM, Gilbert Robert wrote:
> > Hi,
> >
> > I would like to establish an IPSEC connection from one site to one site.
> > Site A is a Cisco ASA and site B is a Linux Debian Wheezy
> >
> > On site A we don't have any access, but on site B we can do what we want.
> > I installed Shorewall 4.5.5.3 and openswan 1:2.6.37-3+deb7u1
> >
> > I spent a lot of time trying to connect those 2 sites like this
> >
> > site B                                                         site A
> > [ 10.1.0.0 ] -----[ 10.1.0.1 / eth0 143.123.123.121/28 ] ..... [ 190.120.87.165 ]---[193.198.43.0]
> >                                eth0 143.123.123.122
> >
> > This would be relatively simple if Site A did not want nat in the VPN. In
> > fact they want to see only one source address from the network B for example
> > the 143.123.123.122. They don't want to see rfc1918 addresses in subnet B.
> >
> > I read and reread the pages of shorewall but I'm a little bit confused now.
> > I can establish IPsec phase I but the second not. Ipsec therefore works
> > but it appears that phase II stuck.
> >
> > My part of config:
> >
> > interfaces
> > vpn ppp0 -
> > net eth0
> >
> > hosts
> > vpn eth0:193.198.43.0/24 ipsec
> >
> > masq
> > eth0 10.1.0.0/24 143.123.123.122 - - - mode=tunnel,tunnel-dst=193.198.43.0/24
>
> Because the IPSEC PD doesn't recognize 10.1.0.0/24 as the source for any
> IPSEC policy, I suspect that the rule never matches. You rather want:
>
> eth0:193.198.43.0 10.1.0.0/24 143.123.123.122
>
> >
> > tunnels
> > ipsec net 190.120.87.165/32 vpn
> >
> > Many thanks in advance for your help and lights ....
> >
>
> -Tom
> --
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Sho...@li...
> https://lists.sourceforge.net/lists/listinfo/shorewall-users