[TriLUG] Tunneling IPSec via debian stable with shorewall/iptables
T. Bryan
tbryan at python.net
Sat Feb 26 10:14:03 EST 2005
Thanks to everyone's help, I recently set up a debian stable box as a firewall
for my home network and to do masquerading.
                             ___ lnx1
                            /
Internet ---- Debian box ---+--- lnx2
                            \___ lnx3
My company just gave me access to our VPN via Cisco's vpnclient. In the above
diagram, I am connecting from the box named lnx1. Now, I can connect to the
VPN successfully. I see that my /etc/resolv.conf on lnx1 is changed after
connection. The problem is that lnx1 can't resolve any of the names on the
corporate network. It can ping the DNS server listed in /etc/resolv.conf,
but I can't seem to resolve any names. I shut off iptables on lnx1 and tried
dig, even specifying the nameservers in /etc/resolv.conf explicitly. I'm not
sure whether I've configured iptables correctly on the Debian box to handle
the IPSec connection.
The VPN client says
NAT passthrough is active on port UDP 10000
Local LAN Access is disabled
I am running Shorewall on the Debian box, and I have the following rules there
ACCEPT net $FW udp 10000
ACCEPT net loc udp 10000
ACCEPT loc $FW udp 10000
ACCEPT loc net udp 10000
where loc is the local network, $FW refers to the debian box itself, and net
is the external network.
Perhaps I need to look at the /etc/shorewall/tunnels, but I thought that it
wouldn't be necessary when the VPN is doing NAT passthrough with UDP on port
10000.
Has anyone got this type of thing working? I'm sure that it's a common
configuration, but I'm hoping to avoid spending all morning poring through
log files on multiple machines trying to figure out what's going on.
Thanks,
---Tom
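An added example, not part of Tom's post and not Shorewall's own code: a small checker that parses rules in the five-column /etc/shorewall/rules format (ACTION SOURCE DEST PROTO DEST-PORT) and reports, for a given protocol and port, which ordered zone pairs are decided by an explicit rule and which fall through to /etc/shorewall/policy. The sample rules are constructed from the four lines quoted above plus one extra UDP 53 rule so the filtering is visible; the zone names net, loc and $FW are taken from the post.

```python
"""Added example: audit which zone pairs a Shorewall rules file covers for
a given proto/port. Assumed format: Shorewall 2.x five-column rules;
the sample rules below are constructed, not copied from a real system."""

from collections import namedtuple

Rule = namedtuple("Rule", "action src dst proto dport")

# Constructed sample: the four rules from the post, a header comment,
# and one rule on another port to show that port filtering works.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     $FW   udp    10000
ACCEPT   net     loc   udp    10000
ACCEPT   loc     $FW   udp    10000
ACCEPT   loc     net   udp    10000
ACCEPT   loc     $FW   udp    53
"""


def parse_rules(text):
    """Parse rules text into Rule tuples, skipping comments and blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing/leading comments
        if not line:
            continue
        cols = line.split()
        if len(cols) < 5:
            raise ValueError("rule needs at least 5 columns: %r" % line)
        action, src, dst, proto, dport = cols[:5]
        rules.append(Rule(action.upper(), src, dst, proto.lower(), dport))
    return rules


def port_matches(spec, port):
    """Match a DEST PORT(S) column: '-' is any, commas separate entries,
    'lo:hi' is an inclusive range."""
    if spec == "-":
        return True
    for part in spec.split(","):
        if ":" in part:
            lo, hi = part.split(":", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def first_match(rules, src, dst, proto, port):
    """Shorewall evaluates rules in file order; return the first match or None."""
    for r in rules:
        if (r.src == src and r.dst == dst
                and r.proto in (proto, "-", "all")
                and port_matches(r.dport, port)):
            return r
    return None


def coverage(rules, zones, proto, port):
    """Map every ordered zone pair to the action of the first matching rule,
    or 'POLICY' when no rule matches and the policy file decides."""
    result = {}
    for s in zones:
        for d in zones:
            if s == d:
                continue
            r = first_match(rules, s, d, proto, port)
            result[(s, d)] = r.action if r else "POLICY"
    return result


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for pair, action in sorted(coverage(rules, ["net", "loc", "$FW"], "udp", 10000).items()):
        print("%-4s -> %-4s : %s" % (pair[0], pair[1], action))
```

Run against the sample, the four quoted rules cover loc->net, loc->$FW, net->loc and net->$FW for UDP 10000, while $FW->net and $FW->loc fall through to the policy file. Only the initiating direction of the UDP 10000 exchange needs a rule: Shorewall accepts ESTABLISHED/RELATED reply packets through connection tracking, so the masqueraded replies from the VPN gateway to lnx1 are not decided by these rules at all.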