vpnc and shorewall
Posted by danielmeyer on October 10, 2009
I wanted to configure my home Linux box with vpnc. I had done this before, but I’ve lost track of the documentation I made at the time.
First, I ran pcf2vpnc on the .pcf configuration file — what an easy way to get the .conf file needed by vpnc!
Then I tried running vpnc. From the messages it gave, it looked like I was successfully connected… but I couldn’t ping any servers… hmm.
After a few minutes, it began to dawn on me that I had experienced a very similar issue before, and that time it wasn’t the vpnc configuration. It was the firewall that was rejecting all traffic from the vpn.
I stopped shorewall and sure enough, I was able to get into the network and ping things.
- Added this line to /etc/shorewall/zones:
- Added this line to /etc/shorewall/interfaces:
vpnc tun0 detect
- Added this line to /etc/shorewall/tunnels, replacing xx.xx.xx.xx with the IP address of my router:
generic:udp:500 net xx.xx.xx.xx
- Finally, I believe I added this fw vpnc ACCEPT line to /etc/shorewall/policy:
fw vpnc ACCEPT
net all DROP info
all all REJECT info
(I believe this line needs to be above the more general net-all-DROP and all-all-REJECT lines, as shown.)
I then restarted shorewall and I was off and running.
Basically I guess we’re telling shorewall to allow all traffic from the firewall to the vpn interface, which it would otherwise deny by default. I need to get a deeper understanding of what’s going on here, though.
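As an added check that is not part of the original post, the script below verifies that a shorewall config directory carries the three entries described above and, since shorewall takes the first matching policy line, that the fw-to-vpnc ACCEPT policy sits above the catch-all DROP/REJECT lines. The zones entry is assumed to be "vpnc ipv4" (the post does not show it), and the sample config the script writes is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the post): sanity-check the shorewall files the post edits.
# Shorewall matches the policy file top to bottom, so a late fw->vpnc ACCEPT
# line is shadowed by the catch-all net/all DROP and all/all REJECT lines.

# Print a config file without comments and blank lines.
cfg_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# check_vpnc_shorewall DIR: returns 0 if zones, interfaces and policy under
# DIR carry the vpnc entries in a usable order; prints each problem found.
check_vpnc_shorewall() {
    dir=$1; rc=0
    # zone declaration (the post omits its exact text; "vpnc ipv4" is assumed)
    cfg_lines "$dir/zones" | grep -Eq '^[[:space:]]*vpnc[[:space:]]' \
        || { echo "zones: vpnc zone not declared"; rc=1; }
    cfg_lines "$dir/interfaces" | grep -Eq '^[[:space:]]*vpnc[[:space:]]+tun0([[:space:]]|$)' \
        || { echo "interfaces: tun0 not assigned to zone vpnc"; rc=1; }
    # line numbers of the first fw->vpnc ACCEPT and the first catch-all policy
    accept=$(cfg_lines "$dir/policy" | grep -En '^[[:space:]]*fw[[:space:]]+vpnc[[:space:]]+ACCEPT' | head -n 1 | cut -d: -f1)
    catchall=$(cfg_lines "$dir/policy" | grep -En '^[[:space:]]*(net|all)[[:space:]]+all[[:space:]]+(DROP|REJECT)' | head -n 1 | cut -d: -f1)
    if [ -z "$accept" ]; then
        echo "policy: no 'fw vpnc ACCEPT' line"; rc=1
    elif [ -n "$catchall" ] && [ "$accept" -gt "$catchall" ]; then
        echo "policy: 'fw vpnc ACCEPT' is below a catch-all DROP/REJECT and never matches"; rc=1
    fi
    return $rc
}

# make_sample_config DIR ORDER: write a constructed copy of the post's entries.
# ORDER=good puts the ACCEPT policy first; ORDER=bad puts it after the catch-alls.
make_sample_config() {
    mkdir -p "$1"
    printf '%s\n' '#ZONE TYPE' 'fw firewall' 'net ipv4' 'vpnc ipv4' > "$1/zones"
    printf '%s\n' '#ZONE INTERFACE BROADCAST' 'net eth0 detect' 'vpnc tun0 detect' > "$1/interfaces"
    if [ "$2" = good ]; then
        printf '%s\n' 'fw vpnc ACCEPT' 'net all DROP info' 'all all REJECT info' > "$1/policy"
    else
        printf '%s\n' 'net all DROP info' 'all all REJECT info' 'fw vpnc ACCEPT' > "$1/policy"
    fi
}

# On a live box: check_vpnc_shorewall /etc/shorewall
```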