From: Raimonds C. <ra...@ap...> - 2015-02-13 20:37:00
Hello. I have the following Shorewall (4.5.21.10) configuration (simplified):

--- Zone file ---
zlan   ipv4
zdmz   ipv4
zinet  ipv4
zvpn   ipv4

--- Interfaces file ---
zlan   lan
zdmz   dmz
zinet  inet

--- Hosts file ---
zvpn   inet:remote_internal_lan,remote_external_ip   ipsec

--- Masq file ---
inet   dmz
inet   lan

--- Policy file ---
$FW    all    ACCEPT
zlan   zinet  ACCEPT
zlan   zdmz   ACCEPT
zlan   zvpn   ACCEPT
zinet  all    DROP    info
all    all    REJECT  info

--- Tunnels file ---
ipsec  zinet  remote_external_ip
---------------------

Everything is working fine, but I need to add access from the zdmz zone to zvpn. In the FreeSwan configuration only zlan has access to zvpn, so it looks like I need some kind of masquerading. Is this theoretically possible?

I tried the following:

1. step: add to the beginning of the Policy file:
   zdmz   zvpn   ACCEPT

2. step: add to the beginning of the Masq file:
   inet:remote_internal_lan   dmz   ip_of_lan_interface

But when I try to ping zvpn hosts from zdmz I get:

Shorewall:zdmz2zinet:REJECT:IN=dmz OUT=inet ... SRC=some_zdmz_ip DST=some_zvpn_ip

Honestly speaking, in the second step I tried almost all possible combinations of IP/net addresses and when I ping I always get the same error.

What am I doing wrong?

Thank you for any help in advance.

Raimonds Cicans
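The following is an added example, not part of the original post or of Shorewall itself: a small Python model of how Shorewall assigns a packet to a zone when that zone is defined in the hosts file with the ipsec option, and how the policy file is then consulted. It assumes the post's tables, constructed placeholder addresses for remote_internal_lan and remote_external_ip, and a flag standing in for whether an IPsec policy covers the packet.

```python
# Added example, not the poster's code: models Shorewall zone lookup for a
# hosts-file zone carrying the ipsec option, then the policy-file decision.
# Addresses below are constructed placeholders, not the poster's networks.
import ipaddress

# interfaces file: interface -> zone
INTERFACES = {"lan": "zlan", "dmz": "zdmz", "inet": "zinet"}
# hosts file: (zone, interface, networks, options); zvpn as in the post
HOSTS = [("zvpn", "inet", ["10.99.0.0/16", "198.51.100.7/32"], {"ipsec"})]
# policy file in order; first matching entry wins
POLICY = [("$FW", "all", "ACCEPT"), ("zlan", "zinet", "ACCEPT"),
          ("zlan", "zdmz", "ACCEPT"), ("zlan", "zvpn", "ACCEPT"),
          ("zinet", "all", "DROP"), ("all", "all", "REJECT")]


def zone_for(iface, addr, ipsec_policy):
    """Zone of the host at `addr` reached through `iface`.

    A hosts-file entry with the ipsec option only claims the packet when an
    IPsec policy protects it; otherwise the packet stays in the interface's
    own zone (zinet for the inet interface).
    """
    ip = ipaddress.ip_address(addr)
    for zone, hiface, nets, opts in HOSTS:
        if hiface != iface:
            continue
        if not any(ip in ipaddress.ip_network(n) for n in nets):
            continue
        if "ipsec" in opts and not ipsec_policy:
            continue
        return zone
    return INTERFACES[iface]


def decide(in_iface, src, out_iface, dst, ipsec_policy):
    """Return (src_zone, dst_zone, action) for a forwarded packet."""
    s = zone_for(in_iface, src, ipsec_policy)
    d = zone_for(out_iface, dst, ipsec_policy)
    for ps, pd, action in POLICY:
        if ps in (s, "all") and pd in (d, "all"):
            return s, d, action
    return s, d, "REJECT"  # Shorewall's implicit fallback if nothing matches


if __name__ == "__main__":
    # LAN host covered by the IPsec policy: classified zlan -> zvpn, accepted.
    print(decide("lan", "192.168.1.10", "inet", "10.99.1.5", True))
    # DMZ host with no IPsec policy covering it: zlan -> zinet, rejected,
    # which is what the zdmz2zinet log line in the post reports.
    print(decide("dmz", "192.168.2.10", "inet", "10.99.1.5", False))
```

The second call reproduces the zdmz2zinet classification seen in the log: because the hosts entry requires an IPsec policy match, a destination that is in remote_internal_lan but not covered by a policy is treated as an ordinary zinet host.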