List: leaf-user
Subject: [leaf-user] IPSEC NAT traversal with shorewall HELP!
From: Troy Aden <Troy.Aden () VCom ! com>
Date: 2003-11-26 2:47:46
Hello all,
I have posted earlier regarding setting up an IPSEC gateway with Bering
UCLIBC 2.0.
I am happy to report that I have successfully set up an IPSEC tunnel between
two routers (External interface only).
The next step is to set up IPSEC so that I can communicate from router A's
internal subnet to Router B's internal subnet.
ROUTER A Eth0 = 24.78.140.* --> Eth1 = 172.16.0.0/16
I want 172.16.0.0/16 network to be able to communicate with 192.168.1.0/24
network.
ROUTER B Eth0 = 139.142.224.* --> Eth1 = 192.168.1.0/24
Can anyone please tell me exactly what I need to do to get this working? I
will include all the relevant configs below. I realize that I may have
things way too open security-wise, so if anyone has any pointers on how I
should go about hardening this configuration please feel free to tell me.
For example, what exactly do I need to have in my shorewall/rules and
/policy files to allow IPSEC? (I suspect that my shorewall config is full of
unnecessary rules and policies.)
My goal with this configuration is to have two networks linked via IPSEC. I
would expect that all users from site A will be able to communicate with all
users on site B "transparently" meaning that for all intents and purposes
users on site A's internal network would be able to communicate with users
from site B's internal network as if they were on the same LAN. If I am off
base in how this works, please feel free to correct me.
Here is my working config: (I apologize in advance since there is a fair
amount here.)
Also, for the sake of saving space, I am only posting one half of the
connection in this post. The other half simply has the other router's
external IP entered in the /etc/shorewall/tunnels file and the IPs are
switched around in the /etc/ipsec.secrets file. I have also put in a bogus
secrets password to save space. :-))
Thanks in advance!
To start the tunnel
ipsec whack --initiate --name Victoria
To stop the tunnel
ipsec whack --terminate --name Victoria
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> working configs for router-router IPSEC >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
SITE A SIDE
#
# Shorewall 1.4 /etc/shorewall/zones
#
# This file determines your network zones. Columns are:
#
# ZONE Short name of the zone (5 Characters or less in length).
# DISPLAY Display name of the zone
# COMMENTS Comments about the zone
#
#ZONE DISPLAY COMMENTS
net Net Internet
loc Local Local networks
vpn VPN Remote Networks
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
/etc/shorewall/interfaces
##############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
net eth0 detect routefilter,norfc1918,tcpflags
loc eth1 detect
vpn ipsec0
/etc/shorewall/policy
###############################################################################
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
loc vpn ACCEPT
vpn loc ACCEPT
vpn fw ACCEPT
net vpn ACCEPT
vpn net ACCEPT
fw vpn ACCEPT
loc net ACCEPT
net loc REJECT ULOG
# If you want open access to the Internet from your Firewall
# remove the comment from the following line.
#fw net ACCEPT
net all DROP ULOG
all all REJECT ULOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
/etc/shorewall/rules
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
#IPSEC RULES
ACCEPT net fw udp 500
ACCEPT fw net udp 500
ACCEPT vpn fw udp 500
ACCEPT fw vpn udp 500
ACCEPT vpn loc udp 500
ACCEPT loc vpn udp 500
ACCEPT vpn net udp 500
ACCEPT net vpn udp 500
ACCEPT net fw esp -
ACCEPT fw net esp -
ACCEPT vpn fw esp -
ACCEPT fw vpn esp -
ACCEPT vpn loc esp -
ACCEPT loc vpn esp -
ACCEPT vpn net esp -
ACCEPT net vpn esp -
ACCEPT net fw ah -
ACCEPT fw net ah -
ACCEPT vpn fw ah -
ACCEPT fw vpn ah -
ACCEPT vpn loc ah -
ACCEPT loc vpn ah -
ACCEPT vpn net ah -
ACCEPT net vpn ah -
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net udp 53
ACCEPT net fw udp 53
#
#
# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT net fw icmp 8
ACCEPT fw loc icmp 8
ACCEPT fw net icmp 8
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/tunnels
#
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
ipsec net 24.78.140.*
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/init
############################################################################
# Shorewall 1.4 -- /etc/shorewall/init
#
# Add commands below that you want to be executed at the beginning of
# a "shorewall start" or "shorewall restart" command.
#
svi ipsec stop
/etc/shorewall/start
#
# dumping the rules for the weblet so it can run without root rights
#
chown sh-httpd.adm /var/sh-www/data
shorewall show >/var/sh-www/data/firewall
chown sh-httpd.adm /var/sh-www/data/firewall
shorewall show nat >/var/sh-www/data/masq
chown sh-httpd.adm /var/sh-www/data/masq
svi ipsec start
/etc/shorewall/stop
#
# delete the temporary firewall and natfiles for the
# weblet
#
echo "<H3><U>firewall is down</U></H3> " >/var/sh-www/data/firewall
shorewall show >>/var/sh-www/data/firewall
chown sh-httpd.adm /var/sh-www/data/firewall
echo "" > /var/sh-www/data/masq
chown sh-httpd.adm /var/sh-www/data/masq
svi ipsec stop
/etc/ipsec.conf
# basic configuration
config setup
    # THIS SETTING MUST BE CORRECT or almost nothing will work;
    # %defaultroute is okay for most simple cases.
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none
    # Use auto= parameters in conn descriptions to control startup actions.
    plutoload=%search
    plutostart=%search
    # Close down old connection when new one using same ID shows up.
    uniqueids=yes
# defaults for subsequent connection descriptions
conn %default
    # How persistent to be in (re)keying negotiations (0 means very).
    keyingtries=5
    # RSA authentication with keys from DNS.
    authby=secret
    auto=start
conn block
    auto=ignore
conn private
    auto=ignore
conn private-or-clear
    auto=ignore
conn clear
    auto=ignore
conn packetdefault
    auto=ignore
conn victoria
    left=139.142.224.*
    leftnexthop=139.142.224.1
    right=24.78.140.*
    authby=secret
    auto=add
    pfs=yes
/etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#: RSA {
# # -- Create your own RSA key with "ipsec rsasigkey"
# }
139.142.224.* 24.78.140.* : PSK "testipsec"
Troy
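The following linter is an added example for readers of this thread; it is not code from the post, nor from the Shorewall or FreeS/WAN projects. It parses a FreeS/WAN-style ipsec.conf and Shorewall 1.4 policy and rules tables in the column layout shown above and reports the points a reviewer would raise for a subnet-to-subnet setup: a conn that lacks leftsubnet=/rightsubnet= only protects the two gateways' own addresses, so LAN-to-LAN traffic never enters the tunnel; auto=add leaves the conn loaded but not started; ACCEPT policies sourced from net or terminating at fw are blanket grants; and IKE (udp/500), ESP and AH only ever travel between the gateway (fw) and the Internet (net), so rules for those protocols between vpn and loc are dead weight. The embedded sample files are constructed, modelled on the post, with the public addresses replaced by RFC 5737 documentation ranges.

```python
"""Lint a FreeS/WAN ipsec.conf plus Shorewall 1.4 policy/rules for a LAN-to-LAN
tunnel. Added example, not code from the post or from either project."""

# Constructed ipsec.conf modelled on the post; addresses are RFC 5737 ranges.
SAMPLE_IPSEC_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=5
    authby=secret
    auto=start

conn victoria
    left=203.0.113.10
    leftnexthop=203.0.113.1
    right=198.51.100.10
    auto=add
    pfs=yes
"""

# Constructed Shorewall 1.4 excerpts, same column layout as the post.
SAMPLE_POLICY = """\
#SOURCE DEST POLICY LOG
loc vpn ACCEPT
vpn fw ACCEPT
net vpn ACCEPT
vpn net ACCEPT
loc net ACCEPT
net loc REJECT ULOG
all all REJECT ULOG
"""

SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DESTPORT
ACCEPT net fw udp 500
ACCEPT vpn loc udp 500
ACCEPT net vpn esp -
ACCEPT net fw esp -
ACCEPT loc fw udp 53
"""


def parse_ipsec_conf(text):
    """Return {conn_name: params} with the 'conn %default' section folded in.

    Section headers ('config setup', 'conn NAME') start in column 0; the
    indented key=value lines that follow belong to that section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections.setdefault(current, {})
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **params}
            for (kind, name), params in sections.items()
            if kind == "conn" and name != "%default"}


def check_site_to_site(conn):
    """Findings for a conn meant to join two LANs rather than two gateways."""
    findings = []
    for side in ("left", "right"):
        if side not in conn:
            findings.append(f"{side}= (gateway address) is missing")
        if f"{side}subnet" not in conn:   # without it the SA covers the gateway only
            findings.append(f"{side}subnet= is missing: only the {side} gateway's own address is covered")
    if conn.get("auto") == "add":
        findings.append("auto=add: the conn is loaded at start but must be brought up by hand")
    return findings


def parse_shorewall(text, ncols):
    """Split a whitespace-separated Shorewall table; pad short rows with '-'."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            cols = line.split()
            rows.append(cols + ["-"] * (ncols - len(cols)))
    return rows


def check_policy(text):
    """Flag blanket ACCEPT policies from the Internet or into the firewall itself."""
    findings = []
    for src, dst, policy, *_ in parse_shorewall(text, 4):
        if policy == "ACCEPT" and src == "net":
            findings.append(f"{src} {dst} ACCEPT: unrestricted access from the Internet")
        elif policy == "ACCEPT" and dst == "fw":
            findings.append(f"{src} {dst} ACCEPT: unrestricted access to the gateway itself")
    return findings


IKE_ENDPOINTS = {("net", "fw"), ("fw", "net")}   # the gateway terminates IKE/ESP/AH


def check_rules(text):
    """Flag IKE/ESP/AH rules between zones that never carry tunnel set-up traffic."""
    findings = []
    for action, src, dst, proto, port, *_ in parse_shorewall(text, 5):
        tunnel_proto = proto in ("esp", "ah") or (proto == "udp" and port == "500")
        if action == "ACCEPT" and tunnel_proto and (src, dst) not in IKE_ENDPOINTS:
            findings.append(f"{src} {dst} {proto}/{port}: not needed, tunnel traffic flows net<->fw only")
    return findings


if __name__ == "__main__":
    for name, conn in parse_ipsec_conf(SAMPLE_IPSEC_CONF).items():
        for finding in check_site_to_site(conn):
            print(f"ipsec.conf conn {name}: {finding}")
    for finding in check_policy(SAMPLE_POLICY) + check_rules(SAMPLE_RULES):
        print(f"shorewall: {finding}")
```

Run against the constructed samples it reports the two missing subnet parameters and auto=add for conn victoria, the two blanket policies (vpn fw and net vpn), and the two superfluous tunnel-protocol rules; a conn carrying leftsubnet= and rightsubnet= with auto=start produces no ipsec.conf findings.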