vpnc and shorewall

I wanted to configure my home Linux box with vpnc.  I had done this before, but I’ve lost track of the documentation I made at the time.

First, I ran pcf2vpnc on the .pcf configuration file — what an easy way to get the .conf file needed by vpnc!

Then I tried running vpnc.  From the messages it gave, it looked like I was successfully connected… but I couldn’t ping any servers… hmm.

Diagnosing

After a few minutes, it began to dawn on me that I had experienced a very similar issue before, and that time it wasn’t the vpnc configuration.  It was the firewall that was rejecting all traffic from the vpn.

I stopped shorewall and sure enough, I was able to get into the network and ping things.

Solving

I:

  1. Added this line to /etc/shorewall/zones:
    vpnc  ipv4

  2. Added this line to /etc/shorewall/interfaces:
    vpnc  tun0  detect

  3. Added this line to /etc/shorewall/tunnels, replacing xx.xx.xx.xx with the IP address of my router:
    generic:udp:500    net  xx.xx.xx.xx

  4. Finally, I believe I added this fw vpnc ACCEPT line to /etc/shorewall/policy:
    fw      vpnc    ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

    (I believe this line needs to be above the more general net-all-DROP and all-all-REJECT lines, as shown.)

I then restarted shorewall and I was off and running.

Basically I guess we’re telling shorewall to allow all traffic from the firewall to the vpn interface, which it would otherwise deny by default.  I need to get a deeper understanding of what’s going on here, though.
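A small check script, added here and not part of the original post or of shorewall itself, that reads a shorewall configuration directory and confirms the four edits above are present, including that the fw-to-vpnc ACCEPT policy sits above the catch-all DROP/REJECT lines. The router address 192.0.2.1 and the sample directory it builds are constructed placeholders.

```bash
#!/bin/bash
# Added example (not from the post): verify the vpnc-related shorewall entries.

# Print a shorewall table file with comments and blank lines stripped.
sw_rules() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# check_shorewall_vpnc DIR: report missing entries, return 0 only if all are fine.
check_shorewall_vpnc() {
  dir=$1
  rc=0
  # 1. zone "vpnc" declared with type ipv4
  if ! sw_rules "$dir/zones" | awk '$1=="vpnc" && $2=="ipv4"{f=1} END{exit (f ? 0 : 1)}'; then
    echo "zones: missing 'vpnc ipv4'"; rc=1
  fi
  # 2. tun0 bound to the vpnc zone
  if ! sw_rules "$dir/interfaces" | awk '$1=="vpnc" && $2=="tun0"{f=1} END{exit (f ? 0 : 1)}'; then
    echo "interfaces: missing 'vpnc tun0'"; rc=1
  fi
  # 3. IKE tunnel entry (udp/500) from the net zone
  if ! sw_rules "$dir/tunnels" | awk '$1=="generic:udp:500" && $2=="net"{f=1} END{exit (f ? 0 : 1)}'; then
    echo "tunnels: missing 'generic:udp:500 net <gateway>'"; rc=1
  fi
  # 4. "fw vpnc ACCEPT" must precede any net/all DROP or all/all REJECT catch-all
  if ! sw_rules "$dir/policy" | awk '
      $1=="fw" && $2=="vpnc" && $3=="ACCEPT" && !catchall {ok=1}
      ($1=="net" || $1=="all") && $2=="all" && ($3=="DROP" || $3=="REJECT") {catchall=1}
      END{exit (ok ? 0 : 1)}'; then
    echo "policy: 'fw vpnc ACCEPT' missing or below the catch-all DROP/REJECT lines"; rc=1
  fi
  return $rc
}

# Build a constructed sample directory mirroring the post's four edits (placeholder router IP).
make_sample() {
  d=$(mktemp -d)
  printf 'fw   firewall\nnet  ipv4\nvpnc ipv4\n' > "$d/zones"
  printf 'net  eth0  detect\nvpnc tun0  detect\n' > "$d/interfaces"
  printf 'generic:udp:500  net  192.0.2.1   # placeholder router IP\n' > "$d/tunnels"
  printf 'fw   vpnc  ACCEPT\nnet  all   DROP   info\nall  all   REJECT info\n' > "$d/policy"
  echo "$d"
}
```

Run it against /etc/shorewall to confirm the entries before restarting shorewall; a non-zero exit means at least one of the four pieces is missing or misordered.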

Thanks to Gary Court and Tobias Weisserth, whose posts were helpful!
