vpnc and shorewall

I wanted to configure my home Linux box with vpnc.  I had done this before, but I’ve lost track of the documentation I made at the time.

First, I ran pcf2vpnc on the .pcf configuration file — what an easy way to get the .conf file needed by vpnc!

Then I tried running vpnc.  From the messages it gave, it looked like I was successfully connected… but I couldn’t ping any servers… hmm.


After a few minutes, it began to dawn on me that I had experienced a very similar issue before, and that time it wasn’t the vpnc configuration.  It was the firewall that was rejecting all traffic from the vpn.

I stopped shorewall and sure enough, I was able to get into the network and ping things.



  1. Added this line to /etc/shorewall/zones:
    vpnc  ipv4
  2. Added this line to /etc/shorewall/interfaces:
    vpnc  tun0  detect
  3. Added this line to /etc/shorewall/tunnels, replacing xx.xx.xx.xx with the IP address of my router:
    generic:udp:500    net  xx.xx.xx.xx
  4. Finally, I believe I added this fw vpnc ACCEPT line to /etc/shorewall/policy:
    fw      vpnc    ACCEPT
    net     all     DROP    info
    all     all     REJECT  info

    (I believe this line needs to be above the more general net-all-DROP and all-all-REJECT lines, as shown.)

I then restarted shorewall and I was off and running.

Basically I guess we’re telling shorewall to allow all traffic from the firewall to the vpn interface, where by default it would deny such traffic otherwise.  I need to get a deeper understanding of what’s going on here, though.
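The quickest way to prove that it is the firewall and not vpnc is to read the log entries that the "info" policy lines produce: every packet they drop or reject is logged with a "Shorewall:<chain>:<disposition>:" prefix, and if the outbound interface is tun0 you have your answer. The script below is an added example, not code from the original post or from the shorewall or vpnc projects. It (1) filters and summarises such log lines, and (2) stages the four additions listed above into a scratch directory so they can be reviewed before touching /etc/shorewall. The log lines are constructed samples in the layout shorewall's LOG rules emit; the chain names all2all and net2all, the interface name tun0, the gateway address 203.0.113.1 and the function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the original post or the shorewall/vpnc projects.
# Part 1: find Shorewall log entries that involve the VPN tunnel interface.
# Part 2: stage the config additions from the post into a scratch directory.
# Assumptions: interface tun0, policy-chain names all2all/net2all (the exact
# names vary by shorewall version), and the constructed log sample below.

# Constructed sample log lines in the layout shorewall's LOG rules produce
# (first two: the box trying to reach the VPN; last two: unrelated inbound noise).
SAMPLE_LOG='Mar  1 10:00:01 host kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=192.168.1.10 DST=10.20.30.40 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar  1 10:00:02 host kernel: Shorewall:all2all:REJECT:IN= OUT=tun0 SRC=192.168.1.10 DST=10.20.30.40 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=45000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  1 10:00:03 host kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=33000 WINDOW=0 RES=0x00 RST URGP=0
Mar  1 10:00:04 host kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=77 PROTO=UDP SPT=500 DPT=500 LEN=40'

# Print only Shorewall log entries whose IN= or OUT= interface is $1.
# Reads log text (e.g. from dmesg or /var/log/messages) on stdin.
tun_denials() {
    iface="$1"
    grep 'Shorewall:' | grep -E "(IN|OUT)=$iface( |$)"
}

# Count those entries; a non-zero count means the firewall is the culprit.
count_tun_denials() {
    tun_denials "$1" | wc -l | tr -d ' '
}

# One line per denial: chain, disposition, direction, protocol, destination[:port].
# The iptables LOG target glues "IN=" straight onto the prefix, so the first
# token looks like "Shorewall:all2all:REJECT:IN=" and is split on ":".
summarize_denials() {
    tun_denials "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^Shorewall:/) {
                n = split($i, p, ":"); chain = p[2]; disp = p[3]
                if (n >= 4 && p[4] ~ /^IN=/) in_if = substr(p[4], 4)
            }
            else if ($i ~ /^OUT=/)   { out_if = substr($i, 5) }
            else if ($i ~ /^PROTO=/) { proto = substr($i, 7) }
            else if ($i ~ /^DST=/)   { dst = substr($i, 5) }
            else if ($i ~ /^DPT=/)   { dpt = substr($i, 5) }
        }
        dir = (out_if != "") ? ("out via " out_if) : ("in via " in_if)
        printf "%s %s %s %s to %s%s\n", chain, disp, dir, proto, dst,
               (dpt != "" ? (":" dpt) : "")
        chain = disp = in_if = out_if = proto = dst = dpt = ""
    }'
}

# Write the four additions from the post into $1 (a scratch directory, never
# /etc/shorewall itself), with $2 as the VPN gateway address. These are lines
# to ADD: the existing fw/net zones, eth0 interface and other policy entries
# in the real files stay as they are.
stage_shorewall_config() {
    dir="$1"; gw="$2"
    mkdir -p "$dir"
    printf '# add to /etc/shorewall/zones\nvpnc\tipv4\n' > "$dir/zones"
    printf '# add to /etc/shorewall/interfaces\nvpnc\ttun0\tdetect\n' > "$dir/interfaces"
    printf '# add to /etc/shorewall/tunnels\ngeneric:udp:500\tnet\t%s\n' "$gw" > "$dir/tunnels"
    # The fw->vpnc ACCEPT line must precede the catch-all DROP/REJECT policies.
    printf '# add to /etc/shorewall/policy, above net-all-DROP and all-all-REJECT\nfw\tvpnc\tACCEPT\nnet\tall\tDROP\tinfo\nall\tall\tREJECT\tinfo\n' > "$dir/policy"
}

# Demo on the constructed sample; on a real box: dmesg | summarize_denials tun0
echo "$(printf '%s\n' "$SAMPLE_LOG" | count_tun_denials tun0) denial(s) on tun0:"
printf '%s\n' "$SAMPLE_LOG" | summarize_denials tun0
stage_shorewall_config "${TMPDIR:-/tmp}/shorewall-vpnc-staging" 203.0.113.1
```

Two points worth checking once the denials show up. First, "fw vpnc ACCEPT" only covers connections the box itself starts; replies come back through connection tracking, while anything the VPN side initiates toward the box still lands on the all-all REJECT line, which is the right default for a client. Second, the generic:udp:500 tunnel entry only opens IKE on UDP 500 between the net zone and the gateway; if the gateway negotiates NAT traversal you will see DROP entries with DPT=4500 in the same log and need a matching entry (shorewall's tunnels file also has dedicated ipsec and ipsecnat types for that case). Copy /etc/shorewall to a scratch directory, merge the staged additions there, and run "shorewall check <dir>" before restarting.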

Thanks to Gary Court and Tobias Weisserth, whose posts were helpful!

