Actually I found a better solution, making it work like in Zentyal 2.0...
You have to ssh to the server, then:
sudo su
nano /etc/zentyal/firewall.conf
Look for the last lines and uncomment them:
# Uncomment the following to show the from External to Internal section
show_ext_to_int_rules = yes
# Uncomment the following to show the Rules added by Zentyal services
show_service_rules = yes
Now in the firewall module you will find two new sections (you may need to reboot your server):
- From external to internal networks
- Zentyal services
In the External to Internal networks you can create rules to allow traffic between IPsec subnets:
Just create a new Network Object for your subnets:
And then create a new rule in External to Internal Networks allowing traffic from subnets to subnets:
You will note that now you can access hosts in the subnets, but you cannot access the servers through their private IPs:
- Server A cannot access hosts in subnet B
- Server B cannot access hosts in subnet A
- Server A cannot access services in Server B through B's private IP
- Server B cannot access services in Server A through A's private IP
To solve this you have to edit /etc/ipsec.conf and add the proper leftsourceip and rightsourceip parameters in each connection:
# VPN: l222 (ipsec): 11.11.11.11 <=> 10.10.10.10
conn l222
    left=11.11.11.11
    right=10.10.10.10
    rekey=yes
    keyingtries=0
    leftsubnet=192.168.11.0/24
    leftsourceip=192.168.11.1 # !!! added: local LAN address of this endpoint
    rightsubnet=192.168.10.0/24
    rightsourceip=192.168.10.1 # !!! added: LAN address of the remote endpoint
    pfs=yes
    auth=esp
    keyexchange=ike
    ike=3des-md5
    ikelifetime=28800s
    esp=3des-md5;modp1024
    keylife=3600s
    authby=secret
    auto=start
# VPN: hayuelo (ipsec): 11.11.11.11 <=> 9.9.9.9
conn hayuelo
    left=11.11.11.11
    right=9.9.9.9
    rekey=yes
    keyingtries=0
    leftsubnet=192.168.11.0/24
    leftsourceip=192.168.11.1 # !!! added: local LAN address of this endpoint
    rightsubnet=192.168.9.0/24
    rightsourceip=192.168.9.1 # !!! added: LAN address of the remote endpoint (must lie inside rightsubnet)
    pfs=yes
    auth=esp
    keyexchange=ike
    ike=3des-md5
    ikelifetime=28800s
    esp=3des-md5;modp1024
    keylife=3600s
    authby=secret
    auto=start
After this you need to restart the ipsec service:
service ipsec restart
Unfortunately these changes are lost when you reboot the server or add a new IPsec connection... Right now my solution is to have a copy of the ipsec.conf file and restore it after each reboot...
After adjusting ipsec.conf:
cp /etc/ipsec.conf /root/ipsec.conf
nano /etc/zentyal/hooks/ipsec.postservice
And put inside:
#!/bin/sh
# Zentyal postservice hook: replace the regenerated /etc/ipsec.conf with the saved copy
service ipsec stop
cp /root/ipsec.conf /etc/ipsec.conf
service ipsec start
exit 0
Then set the correct mode (the target must be the hook file created above):
chmod --reference=/etc/zentyal/hooks/template.postsetconf /etc/zentyal/hooks/ipsec.postservice
Of course you have to adjust your backup file (/root/ipsec.conf) after each config change you make through the web interface.
This bug was reported here: https://tracker.zentyal.org/issues/48 and it persists in Zentyal 3.4.
Sources:
http://serverfault.com/questions/503864/openswan-tunnel-up-but-works-only-in-one-direction
https://wiki.debian.org/HowTo/openswan
https://lists.openswan.org/pipermail/users/2005-December/007589.html
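The post restores a static copy of ipsec.conf, which loses any connection added later through the web interface. As an added example (not from the original post or from Zentyal), this hook body instead regenerates leftsourceip/rightsourceip for every conn from its leftsubnet/rightsubnet. It assumes that the endpoint's LAN address is the first host of each subnet, as in the post's values, and that Zentyal has already rewritten /etc/ipsec.conf when the postservice hook runs; the function name add_sourceips and apply_hook are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post or from Zentyal: regenerate
# leftsourceip/rightsourceip for every conn from its leftsubnet/rightsubnet
# instead of restoring a static copy of ipsec.conf.
# Assumption: the endpoint's LAN address is the first host of each subnet
# (192.168.11.0/24 -> 192.168.11.1), as in the post's values.

# Read an ipsec.conf on stdin, write it to stdout with a sourceip line inserted
# directly after every leftsubnet=/rightsubnet= line. Existing sourceip lines
# are dropped first, so running the filter twice gives the same result.
add_sourceips() {
    awk '
    # First usable host of a.b.c.d/n, computed with plain arithmetic so it
    # also works on mawk/busybox awk (no and()/or() builtins). Only meaningful
    # for real network prefixes (/30 and shorter).
    function first_host(cidr,    p, ip, host, f) {
        split(cidr, p, "[./]")
        ip   = p[1] * 16777216 + p[2] * 65536 + p[3] * 256 + p[4]
        host = ip % (2 ^ (32 - p[5]))          # host bits of the address
        f    = ip - host + 1                   # network address + 1
        return sprintf("%d.%d.%d.%d", int(f / 16777216) % 256,
                       int(f / 65536) % 256, int(f / 256) % 256, f % 256)
    }
    /^[ \t]*(left|right)sourceip=/ { next }    # drop stale lines (idempotent)
    { print }
    /^[ \t]*leftsubnet=/ {
        sub(/^[ \t]*leftsubnet=/, ""); sub(/[ \t#].*$/, "")
        print "\tleftsourceip=" first_host($0)
    }
    /^[ \t]*rightsubnet=/ {
        sub(/^[ \t]*rightsubnet=/, ""); sub(/[ \t#].*$/, "")
        print "\trightsourceip=" first_host($0)
    }
    '
}

# Hook body for /etc/zentyal/hooks/ipsec.postservice (assumption: Zentyal has
# already rewritten /etc/ipsec.conf when this hook runs, as the post describes).
# Not invoked here; call apply_hook from the hook script.
apply_hook() {
    add_sourceips < /etc/ipsec.conf > /etc/ipsec.conf.new &&
    mv /etc/ipsec.conf.new /etc/ipsec.conf &&
    service ipsec restart
}
```

Because the sourceip lines are derived from whatever Zentyal wrote, a connection added in the web interface is covered on the next hook run without touching a backup copy.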