[Shorewall-users] Fw: IPSEC tunnel hub

Jorge Molina jmolina at it-solutions.com.ar
Mon Jun 16 06:36:38 PDT 2003


Hi Tom. Sorry to bother you again with this but I don't want to let this 
ipsec thing die here... I already read the new ipsec configuration with a 
tunnel hub and that is what I want to do.

Forget the last message, I sent it by mistake.

Ok, my final score is to do a complete tunnel hub between 3 networks, but 
for now, it is ok with only 2. My setup:

Host A: Central gateway
NET: eth0:200.x.x.1
LOC: dummy0:192.168.200.1/16

Host B:
NET: eth1:24.x.x.1
LOC: eth0:192.168.7.0/24

Host C:
NET: eth1:24.x.x.2
LOC: eth0:192.168.9.0/24

Before I start dumping my configuration files, I must say that the ipsec is 
working just fine and I can ping from a computer *inside* the host B to 
the ip address at dummy0 for the host A.

HOST A:
params:
LOC_IF=dummy0
NET_IF=eth0
NET_OPTIONS=blacklist,tcpflags,routefilter,norfc1918,dropunclean
VPN_IF=ipsec0

zones:
loc     Local   Local
net     Net     Internet 
vpn1    VPN1    Remote host 1

interfaces:
loc     $LOC_IF
net     $NET_IF -       $NET_OPTIONS
-       $VPN_IF

tunnels:
ipsec   net     24.x.x.1

hosts:
vpn1    ipsec0:192.168.7.0/24

policy:
vpn1    loc     ACCEPT
loc     vpn1    ACCEPT
net     all     DROP            INFO
all     all     REJECT  INFO

HOST B:
params:
LOC_IF=eth0
LOC_BCAST=192.168.7.255
LOC_NET=192.168.7.0/24
LOC_OPTIONS=dhcp
NET_IF=eth1
NET_OPTIONS=dhcp,routefilter,norfc1918,blacklist,tcpflags,dropunclean
VPN_IF=ipsec0

interfaces:
net     $NET_IF -               $NET_OPTIONS
loc     $LOC_IF $LOC_BCAST      $LOC_OPTIONS
vpn     $VPN_IF

tunnels:
ipsec   net     200.x.x.1

hosts:
empty

policy:
loc     net     ACCEPT
fw      loc     ACCEPT
fw      net     ACCEPT
loc     vpn     ACCEPT
vpn     loc     ACCEPT
net     all     DROP            INFO
all     all     REJECT  INFO

HOST C:
Same configuration as host B.

Now... with Shorewall started I tried to ping the internal IP at host A 
from a computer inside the host B. I got a 
Reply from 192.168.200.1: Destination host unreachable.
In the Shorewall log at host B I have nothing, but in the log from host A, 
the one that has the destination IP, I got a

Jun 16 05:20:33 wintermute kernel: Shorewall:all2all:REJECT:IN=ipsec0 OUT= MAC=00:06:29:39:05:7d:00:d0:d3:3e:56:b8:08:00 SRC=192.168.7.29 DST=192.168.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=55407 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45568

Any ideas?

-- EOM

Saludos/Regards,
Jorge Molina.
Buenos Aires - Argentina (GMT-3).
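As an added example (not part of the message above and not Shorewall's own code), the script below parses the logged line from host A and replays host A's hosts, interfaces and policy tables against it, so the reader can see which zone pair the packet fell into and which policy line became the all2all chain. It assumes the loc network behind dummy0 is 192.168.0.0/16 (from dummy0:192.168.200.1/16 in the params), that 192.168.200.1 is an address of the firewall itself, and a simplified model of Shorewall's zone matching order.

```python
import ipaddress
import re

# Host A's Shorewall tables as quoted in the message (constructed data, not a live config).
HOSTS = [("vpn1", "ipsec0", "192.168.7.0/24")]                 # hosts: ZONE  IFACE:NET
IFACES = {"dummy0": ("loc", "192.168.0.0/16"), "eth0": ("net", "0.0.0.0/0")}  # zone, net
FW_ADDRS = {"192.168.200.1"}                                    # the firewall's own addresses
POLICY = [("vpn1", "loc", "ACCEPT"), ("loc", "vpn1", "ACCEPT"),
          ("net", "all", "DROP"), ("all", "all", "REJECT")]

LOG_LINE = ("Jun 16 05:20:33 wintermute kernel: Shorewall:all2all:REJECT:IN=ipsec0 OUT= "
            "MAC=00:06:29:39:05:7d:00:d0:d3:3e:56:b8:08:00 SRC=192.168.7.29 DST=192.168.200.1 "
            "LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=55407 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=45568")

def parse_shorewall_log(line):
    """Split 'Shorewall:<chain>:<disposition>:' and the KEY=VALUE fields (the later ID= wins)."""
    m = re.search(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)", line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    return {"chain": m.group("chain"), "disposition": m.group("disp"), **fields}

def zone_of(addr, iface=None):
    """Simplified zone lookup (assumed order): firewall addresses, hosts-file entries,
    then the interface, by name for IN= or by network when OUT= is empty."""
    ip = ipaddress.ip_address(addr)
    if addr in FW_ADDRS:
        return "fw"
    for zone, host_if, net in HOSTS:
        if iface in (None, host_if) and ip in ipaddress.ip_network(net):
            return zone
    for if_name, (zone, net) in IFACES.items():
        if iface == if_name or (iface is None and ip in ipaddress.ip_network(net)):
            return zone
    return "unknown"

def matching_policy(src_zone, dst_zone):
    """First policy line matching SOURCE/DEST (or 'all'); Shorewall names the chain <src>2<dst>."""
    for s, d, action in POLICY:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return f"{s}2{d}", action
    return None, None

def diagnose(line=LOG_LINE):
    f = parse_shorewall_log(line)
    src_zone = zone_of(f["SRC"], f["IN"])               # IN=ipsec0 plus the hosts entry -> vpn1
    dst_zone = zone_of(f["DST"], f["OUT"] or None)      # OUT= empty: destination is the firewall
    chain, action = matching_policy(src_zone, dst_zone)
    return {"src_zone": src_zone, "dst_zone": dst_zone, "policy_chain": chain,
            "action": action, "logged_chain": f["chain"], "icmp_type": int(f["TYPE"])}
```

With the quoted tables, the echo request (TYPE=8) from 192.168.7.29 is classified as vpn1 to fw, and the first policy line that matches that pair is `all all REJECT`, which is the all2all chain seen in the log.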

