[plug] IPSec with Shorewall

Steve Baker steve at iinet.net.au
Mon May 4 15:32:38 WST 2009


Hi PLUG,

I have a server with Ubuntu 8.04 and the ipsec and shorewall packages 
installed from the standard distro packages.  I have created an IPSec 
tunnel which is working, from a workstation on my LAN I can access 
computers on the remote network over the tunnel.

I have a problem in that traffic originated from the gateway at my end 
does not go through the tunnel.  Observe:

root at eclipse:~# ping 192.168.100.9
PING 192.168.100.9 (192.168.100.9) 56(84) bytes of data.
From 192.168.35.1 icmp_seq=1 Destination Host Unreachable
From 192.168.35.1 icmp_seq=2 Destination Host Unreachable

--- 192.168.100.9 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1008ms
, pipe 2

The address 192.168.35.1 is the IP address of my external interface 
(it's NATd at the nexthop router).  However, when I force ping to 
originate from the INTERNAL interface on the gateway machine, it works:

root at eclipse:~# ping -I 192.168.37.254 192.168.100.9
PING 192.168.100.9 (192.168.100.9) from 192.168.37.254 : 56(84) bytes of data.
64 bytes from 192.168.100.9: icmp_seq=1 ttl=127 time=167 ms
64 bytes from 192.168.100.9: icmp_seq=2 ttl=127 time=221 ms

--- 192.168.100.9 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 167.026/194.508/221.990/27.482 ms

So: is there some magic setting in the Shorewall configuration files 
that will get this last part working?  I've put what I think are the 
correct entries into the shorewall zones, interfaces, masq and tunnels 
files (I can post them if you want them) and it is basically working for 
other traffic going through the tunnel.  This is really annoying as I 
need the gateway to forward DNS queries to the remote network which it 
is unable to do at the moment.

Regards,
Steve