[Firehol-support] OpenSwan and firehol

Munroe Sollog sollog at digiraticonsulting.com
Thu Mar 12 22:43:27 CET 2009


I need:

# nat table: return before any later MASQUERADE rule, so traffic for the
# remote end of the tunnel keeps its original source address
iptables -t nat -I POSTROUTING -s localnet/mask -d remotenet/mask -j RETURN
# filter table: accept ESP (IP protocol 50) in both directions
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT

Munroe Sollog
Systems Engineer
Digirati Consulting, Inc
sollog at digiraticonsulting.com




Costa Tsaousis wrote:
> Munroe Sollog wrote:
>> I am trying to configure a network to network VPN using OpenSwan.  High
>> level what I *think* I have to do is
>> 1)Allow ESP traffic through
>> 2)not MASQ traffic bound for the remote network
>>   
> Hi,
>
> Well I don't know either. You have two options:
>
> 1. Find some documentation on how this should be done with iptables.
> Post it here, and I'll try to help you configuring firehol.
>
> or
>
> 2. Do it step by step:
>
> a. Make sure your VPN works without any firewall active, or with a
> trust relationship between the two hosts of the VPN.
> b. Start your firewalls (without adding anything for the VPN).
> c. Attempt to connect your VPN. Most probably it will fail, but you
> will have logs for the packets that failed to go through.
> d. Based on the packets dropped, create services to allow these
> packets to flow.
> e. Repeat (b), (c) and (d) until no packet related to your VPN is
> dropped.
> f. Once done, please post here your findings so that I can add the
> services to firehol and update its documentation for the rest of the
> users.
>
>
>
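Added example, not part of the thread or of FireHOL: a small Python script that carries out steps (c) and (d) of the procedure quoted above. It reads netfilter LOG lines for packets the firewall dropped, keeps only those exchanged with the VPN peer, counts them by direction, protocol and destination port, and turns the result into host-level iptables ACCEPT rules pinned to the peer address. The log lines are constructed for the example (documentation address ranges, "IN-unknown:"/"OUT-unknown:" assumed as FireHOL-style log prefixes; the parser does not depend on them). Besides ESP, the sample deliberately contains IKE on UDP 500 and NAT-T on UDP 4500, which an IPsec tunnel also needs, and one unrelated telnet probe that must not end up in the rule set. The nat RETURN rule from the post above is unaffected by this and is not generated here.

```python
import re
from collections import Counter

# Constructed sample of netfilter LOG output (not taken from the thread).
# "IN-unknown:" / "OUT-unknown:" are assumed FireHOL-style log prefixes.
SAMPLE_LOG = """\
Mar 12 22:01:03 gw kernel: IN-unknown:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.10 DST=198.51.100.2 LEN=264 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=500 DPT=500 LEN=244
Mar 12 22:01:04 gw kernel: OUT-unknown:IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.10 LEN=264 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=UDP SPT=500 DPT=500 LEN=244
Mar 12 22:01:05 gw kernel: IN-unknown:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=152 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ESP SPI=0x1a2b3c4d
Mar 12 22:01:05 gw kernel: OUT-unknown:IN= OUT=eth0 SRC=198.51.100.2 DST=203.0.113.10 LEN=152 TOS=0x00 PREC=0x00 TTL=64 ID=12346 DF PROTO=ESP SPI=0x5e6f7081
Mar 12 22:01:06 gw kernel: IN-unknown:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=136 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=4500 DPT=4500 LEN=116
Mar 12 22:01:07 gw kernel: IN-unknown:IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=3 DF PROTO=TCP SPT=40123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# KEY=VALUE fields as the kernel LOG target writes them
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# IP protocols that have no ports and must be matched by number
PROTO_NUMBERS = {"ESP": "50", "AH": "51"}


def parse_log_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line plus a DIR
    field (in/out/forward), or None if the line is not a packet log."""
    fields = dict(KV_RE.findall(line))
    if "PROTO" not in fields:
        return None
    if fields.get("IN") and not fields.get("OUT"):
        fields["DIR"] = "in"        # INPUT chain: addressed to this host
    elif fields.get("OUT") and not fields.get("IN"):
        fields["DIR"] = "out"       # OUTPUT chain: sent by this host
    else:
        fields["DIR"] = "forward"   # FORWARD chain: routed through
    return fields


def summarize_drops(log_text, peer):
    """Count dropped packets exchanged with the VPN peer, keyed by
    (direction, protocol, destination port or None)."""
    summary = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or peer not in (f.get("SRC"), f.get("DST")):
            continue                # unrelated noise, e.g. port scans
        dport = int(f["DPT"]) if "DPT" in f else None
        summary[(f["DIR"], f["PROTO"], dport)] += 1
    return summary


def suggest_rules(summary, peer):
    """Turn the summary into iptables ACCEPT rules restricted to the peer.
    Forwarded traffic is reported in the summary but not turned into rules,
    since the admin has to decide which subnets may use the tunnel."""
    rules = []
    for direction, proto, dport in sorted(summary, key=str):
        if direction == "in":
            chain, addr = "INPUT", f"-s {peer}"
        elif direction == "out":
            chain, addr = "OUTPUT", f"-d {peer}"
        else:
            continue
        if proto in PROTO_NUMBERS:
            rules.append(f"iptables -I {chain} -p {PROTO_NUMBERS[proto]} {addr} -j ACCEPT")
        elif dport is not None:
            rules.append(f"iptables -I {chain} -p {proto.lower()} {addr} --dport {dport} -j ACCEPT")
    return rules


if __name__ == "__main__":
    peer = "203.0.113.10"          # remote VPN gateway in the constructed sample
    summary = summarize_drops(SAMPLE_LOG, peer)
    for key, count in sorted(summary.items(), key=str):
        print(count, key)
    for rule in suggest_rules(summary, peer):
        print(rule)
```

Run it against `grep kernel /var/log/messages` (or the syslog file FireHOL logs to) instead of the embedded sample, with the real peer address. Repeat after each firewall restart until the summary comes back empty, which is the exit condition of step (e). Matching on the peer address is what keeps the telnet probe in the sample, and any other scan that happens to hit the box while you test, from turning into an ACCEPT rule.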




More information about the Firehol-support mailing list