[Firehol-support] OpenSwan and firehol

Munroe Sollog sollog at digiraticonsulting.com
Tue Mar 10 01:30:26 GMT 2009


I am trying to configure a network-to-network VPN using OpenSwan.  At a high
level, what I *think* I have to do is:
1) Allow ESP traffic through
2) Not MASQ traffic bound for the remote network

I am at a loss for how to do these things in firehol.  Any help would be
appreciated.  Thank you.

Network 1
----------------
subnet: 192.168.7.0/24
gateway: debian lenny +firehol
firehol conf:

 cat /etc/firehol/firehol.conf
version 5

if_lan="eth1"
if_internet="eth0"


FIREHOL_LOG_MODE="ULOG"
FIREHOL_LOG_LEVEL=6

# Port forwarding
dnat to 192.168.7.101:22 inface ${if_internet} proto tcp dport 2222
dnat to 192.168.7.141:80 inface ${if_internet} proto tcp dport 8080
dnat to 192.168.7.149:80 inface ${if_internet} proto tcp dport 1231
dnat to 192.168.7.149:22 inface ${if_internet} proto tcp dport 1321
dnat to 192.168.7.1:80 inface ${if_internet} proto tcp dport 81

interface ${if_internet} internet
    policy reject
    protection full
    server ping accept
    server ssh accept
    server openvpn accept
    client all accept
    server http accept
    server ping reject

interface ${if_lan} lan
    server all accept
    client all accept

router outbound inface ${if_lan} outface ${if_internet}
    protection full
    masquerade
    server all accept

router services inface ${if_internet} outface ${if_lan}
    protection full
    server all accept
    client all accept


NETWORK 2:
---------------------------
subnet: 192.168.26.0/24
gateway: debian etch +firehol
firehol conf:

if_lan="eth0"
if_wan="eth1"

FIREHOL_LOG_MODE="ULOG"

dnat to 192.168.26.16:22 inface ${if_wan} proto tcp dport 2222
dnat to 192.168.26.2:80 inface ${if_wan} proto tcp dport 81
dnat to 192.168.26.136:8080 inface ${if_wan} proto tcp dport 8080
dnat to 192.168.26.2:443 inface ${if_wan} proto tcp dport 443

interface ${if_wan} world
        policy reject
        protection full
        server ping accept
        server ssh accept
        server openvpn accept
        client all accept

interface ${if_lan} lan
        policy reject
        protection full
        server all accept
        client all accept

router masq inface ${if_lan} outface ${if_wan}
        protection full
        masquerade
        server all accept

router services inface ${if_wan} outface ${if_lan}
        protection full
        server all accept
        client all accept




-- 
Munroe Sollog
Systems Engineer
Digirati Consulting, Inc
sollog at digiraticonsulting.com
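One way to express the two steps the post asks about in FireHOL, as an added example that is neither the poster's configuration nor FireHOL project code; it assumes the remote subnet from Network 2, a placeholder peer address, the built-in `ipsec` and `esp` services, and that `masquerade` accepts trailing rule parameters (check these against the installed FireHOL version):

```firehol
# Added example, not the poster's config and not FireHOL project code.
# Only the pieces Network 1 needs on top of the posted firehol.conf are
# shown; Network 2 mirrors it with the subnets and interfaces swapped.
# Assumptions: the remote LAN is 192.168.26.0/24, the installed FireHOL
# provides the built-in "ipsec" (IKE, udp/500) and "esp" (IP protocol
# 50) services, and "masquerade" accepts trailing rule parameters.
version 5

if_lan="eth1"
if_internet="eth0"
remote_lan="192.168.26.0/24"   # other site's private subnet (assumed)
peer_gw="203.0.113.10"         # placeholder: other site's public IP

interface ${if_internet} internet
    policy reject
    protection full
    # 1) IKE and ESP in both directions, but only with the VPN peer,
    #    so ESP arriving from any other host is still rejected.
    server ipsec accept src "${peer_gw}"
    client ipsec accept dst "${peer_gw}"
    server esp   accept src "${peer_gw}"
    client esp   accept dst "${peer_gw}"
    server ping accept
    server ssh accept
    client all accept

interface ${if_lan} lan
    server all accept
    client all accept

# 2) Masquerade Internet-bound traffic only. Packets for the remote LAN
#    keep their 192.168.7.x source so the IPsec policy still matches
#    them (MASQUERADE runs in POSTROUTING before the kernel encrypts).
router outbound inface ${if_lan} outface ${if_internet}
    protection full
    masquerade dst not "${remote_lan}"
    server all accept

# Decrypted packets from the remote LAN enter on ${if_internet} with
# their private source address; this router already lets them reach
# the local LAN, so no extra rule is needed here.
router services inface ${if_internet} outface ${if_lan}
    protection full
    server all accept
    client all accept
```

If a NAT device sits between the two gateways, IKE falls back to NAT-Traversal on udp/4500, which this example does not open.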