VPN:

                ipsec             Internet              10.10.10.0/24
        +-----------------------|Shorewall Server|----|LAN|
        |                              |
        |                              |
      +---+                            |ipsec
      | A |                            |
      +---+                          +---+
   192.168.105.212                   | B |192.168.1.101
                                     +---+


Clients A and B can both establish successful
NAT-encapsulated ipsec sessions to the shorewall
server. I can successfully receive and transmit
between the shorewall server and client A as well
as between the shorewall server and client B.

What is the best method to allow communication
between Client A and B? I cannot use their
RFC 1918 addresses because I do not have an
IPSEC policy that dictates that the other
client's network should be encrypted.

I would prefer to nat the clients with addresses from
my local LAN, 10.10.10.0/24, or another subnet. I tried
adding this to /etc/shorewall/nat:

#EXTERNAL     INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
10.10.10.10   eth1        192.168.1.101     Yes              Yes
10.10.10.12   eth1        192.168.105.212   Yes              Yes

However when I do a tcpdump on the firewall interface I only see
DNAT taking place.

Is there a recommended method to provide local IPs to VPN clients?

thanks, Jesse

-- 
The trenchant blade, Toledo trusty,
For want of fighting was grown rusty,
And ate into itself, for lack
Of somebody to hew and hack.
                -- Samuel Butler

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Jesse W. Hathaway
2007-Sep-12 20:46 UTC
Re: client to client communication in an ipsec VPN
> VPN:
>
>                 ipsec             Internet              10.10.10.0/24
>         +-----------------------|Shorewall Server|----|LAN|
>         |                              |
>         |                              |
>       +---+                            |ipsec
>       | A |                            |
>       +---+                          +---+
>    192.168.105.212                   | B |192.168.1.101
>                                      +---+
>
>
> Clients A and B can both establish successful
> NAT-encapsulated ipsec sessions to the shorewall
> server. I can successfully receive and transmit
> between the shorewall server and client A as well
> as between the shorewall server and client B.
>
> What is the best method to allow communication
> between Client A and B? I cannot use their
> RFC 1918 addresses because I do not have an
> IPSEC policy that dictates that the other
> client's network should be encrypted.
>
> I would prefer to nat the clients with addresses from
> my local LAN, 10.10.10.0/24, or another subnet. I tried
> adding this to /etc/shorewall/nat:
>
> #EXTERNAL     INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
> 10.10.10.10   eth1        192.168.1.101     Yes              Yes
> 10.10.10.12   eth1        192.168.105.212   Yes              Yes
>
> However when I do a tcpdump on the firewall interface I only see
> DNAT taking place.
>
> Is there a recommended method to provide local IPs to VPN clients?

I tried adding this to shorewall/masq, but it did not SNAT the IP of
the ipsec client. What is the correct way to DNAT and SNAT an IP?

#INTERFACE   SOURCE            ADDRESS       PROTO   PORT(S)   IPSEC
eth0         192.168.1.101     10.10.10.10
eth0         192.168.105.212   10.10.10.12

thanks, Jesse
Jesse W. Hathaway wrote:
>> VPN:
>>
>>                 ipsec             Internet              10.10.10.0/24
>>         +-----------------------|Shorewall Server|----|LAN|
>>         |                              |
>>         |                              |
>>       +---+                            |ipsec
>>       | A |                            |
>>       +---+                          +---+
>>    192.168.105.212                   | B |192.168.1.101
>>                                      +---+
>>
>>
>> Clients A and B can both establish successful
>> NAT-encapsulated ipsec sessions to the shorewall
>> server. I can successfully receive and transmit
>> between the shorewall server and client A as well
>> as between the shorewall server and client B.
>>
>> What is the best method to allow communication
>> between Client A and B? I cannot use their
>> RFC 1918 addresses because I do not have an
>> IPSEC policy that dictates that the other
>> client's network should be encrypted.
>>
>> I would prefer to nat the clients with addresses from
>> my local LAN, 10.10.10.0/24, or another subnet. I tried
>> adding this to /etc/shorewall/nat:
>>
>> #EXTERNAL     INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
>> 10.10.10.10   eth1        192.168.1.101     Yes              Yes
>> 10.10.10.12   eth1        192.168.105.212   Yes              Yes
>>
>> However when I do a tcpdump on the firewall interface I only see
>> DNAT taking place.
>>
>> Is there a recommended method to provide local IPs to VPN clients?
>
> I tried adding this to shorewall/masq, but it did not SNAT the IP of
> the ipsec client. What is the correct way to DNAT and SNAT an IP?
>
> #INTERFACE   SOURCE            ADDRESS       PROTO   PORT(S)   IPSEC
> eth0         192.168.1.101     10.10.10.10
> eth0         192.168.105.212   10.10.10.12
>

You need 'yes' in the IPSEC column if you want that to work.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Jesse W. Hathaway wrote:
>>> VPN:
>>>
>>>                 ipsec             Internet              10.10.10.0/24
>>>         +-----------------------|Shorewall Server|----|LAN|
>>>         |                              |
>>>         |                              |
>>>       +---+                            |ipsec
>>>       | A |                            |
>>>       +---+                          +---+
>>>    192.168.105.212                   | B |192.168.1.101
>>>                                      +---+
>>>
>>>
>>> Clients A and B can both establish successful
>>> NAT-encapsulated ipsec sessions to the shorewall
>>> server. I can successfully receive and transmit
>>> between the shorewall server and client A as well
>>> as between the shorewall server and client B.
>>>
>>> What is the best method to allow communication
>>> between Client A and B? I cannot use their
>>> RFC 1918 addresses because I do not have an
>>> IPSEC policy that dictates that the other
>>> client's network should be encrypted.
>>>
>>> I would prefer to nat the clients with addresses from
>>> my local LAN, 10.10.10.0/24, or another subnet. I tried
>>> adding this to /etc/shorewall/nat:
>>>
>>> #EXTERNAL     INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
>>> 10.10.10.10   eth1        192.168.1.101     Yes              Yes
>>> 10.10.10.12   eth1        192.168.105.212   Yes              Yes
>>>
>>> However when I do a tcpdump on the firewall interface I only see
>>> DNAT taking place.
>>>
>>> Is there a recommended method to provide local IPs to VPN clients?
>> I tried adding this to shorewall/masq, but it did not SNAT the IP of
>> the ipsec client. What is the correct way to DNAT and SNAT an IP?
>>
>> #INTERFACE   SOURCE            ADDRESS       PROTO   PORT(S)   IPSEC
>> eth0         192.168.1.101     10.10.10.10
>> eth0         192.168.105.212   10.10.10.12
>>
>
> You need 'yes' in the IPSEC column if you want that to work.

Please disregard my last post. I realized after I sent it that I don't
understand what you are trying to do with these rules.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Jesse W. Hathaway wrote:
>> VPN:
>>
>>                 ipsec             Internet              10.10.10.0/24
>>         +-----------------------|Shorewall Server|----|LAN|
>>         |                              |
>>         |                              |
>>       +---+                            |ipsec
>>       | A |                            |
>>       +---+                          +---+
>>    192.168.105.212                   | B |192.168.1.101
>>                                      +---+
>>
>>
>> Clients A and B can both establish successful
>> NAT-encapsulated ipsec sessions to the shorewall
>> server. I can successfully receive and transmit
>> between the shorewall server and client A as well
>> as between the shorewall server and client B.
>>
>> What is the best method to allow communication
>> between Client A and B? I cannot use their
>> RFC 1918 addresses because I do not have an
>> IPSEC policy that dictates that the other
>> client's network should be encrypted.
>>
>> I would prefer to nat the clients with addresses from
>> my local LAN, 10.10.10.0/24, or another subnet. I tried
>> adding this to /etc/shorewall/nat:
>>
>> #EXTERNAL     INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
>> 10.10.10.10   eth1        192.168.1.101     Yes              Yes
>> 10.10.10.12   eth1        192.168.105.212   Yes              Yes
>>
>> However when I do a tcpdump on the firewall interface I only see
>> DNAT taking place.
>>
>> Is there a recommended method to provide local IPs to VPN clients?
>
> I tried adding this to shorewall/masq, but it did not SNAT the IP of
> the ipsec client. What is the correct way to DNAT and SNAT an IP?
>
> #INTERFACE   SOURCE            ADDRESS       PROTO   PORT(S)   IPSEC
> eth0         192.168.1.101     10.10.10.10
> eth0         192.168.105.212   10.10.10.12

While by far the cleanest solution to this problem is to replace IPSEC
with a sane VPN solution like OpenVPN, you might try the following (I
offer absolutely no guarantees):

Let 10.10.10.10 be the surrogate for 192.168.1.101
Let 10.10.10.11 be the surrogate for 192.168.105.212

Assume that the external interface is $EXT_IF and that the IPSEC zone is
named 'vpn':

/etc/shorewall/masq:

$EXT_IF:192.168.1.101     192.168.105.212   10.10.10.11
$EXT_IF:192.168.105.212   192.168.1.101     10.10.10.10

/etc/shorewall/rules:

DNAT-   vpn:192.168.1.101     net:192.168.105.212   -   -   -   10.10.10.11
DNAT-   vpn:192.168.105.212   net:192.168.1.101     -   -   -   10.10.10.10

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
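Added worked example (not part of the thread, and not Shorewall or netfilter code): a small Python model of the address rewriting that the masq and DNAT- entries above would perform, used to check the constraint Jesse stated, namely that each client's IPsec policy only protects traffic between that client and 10.10.10.0/24, so a packet that reaches a client must carry a 10.10.10.x address at both the far end and, after SNAT, the source. The model is a simplified stateless PREROUTING DNAT followed by POSTROUTING SNAT, the packet addresses are the ones from the thread, the zone name 'vpn' and $EXT_IF appear only in comments, and the DNAT-only case is included because it is what Jesse saw in tcpdump with his first attempt.

```python
"""Model of Tom Eastep's surrogate-address NAT for IPsec client-to-client traffic.

Added example: stand-alone illustration, not Shorewall or netfilter code.
Addresses come from the mailing-list thread; the packets below are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

# Subnet the clients' existing IPsec policies already protect (from the thread).
LAN = ipaddress.ip_network("10.10.10.0/24")

A_REAL, A_SURROGATE = "192.168.105.212", "10.10.10.11"
B_REAL, B_SURROGATE = "192.168.1.101", "10.10.10.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


# /etc/shorewall/rules   (DNAT-  SOURCE  DEST  PROTO  DPORT  SPORT  ORIGDEST)
# Modelled as PREROUTING entries: (match src, match original dst) -> new dst.
DNAT_RULES = [
    (B_REAL, A_SURROGATE, A_REAL),  # DNAT- vpn:192.168.1.101   net:192.168.105.212 - - - 10.10.10.11
    (A_REAL, B_SURROGATE, B_REAL),  # DNAT- vpn:192.168.105.212 net:192.168.1.101   - - - 10.10.10.10
]

# /etc/shorewall/masq   (INTERFACE:DEST  SOURCE  ADDRESS)
# Modelled as POSTROUTING entries: (match dst, match src) -> new src.
SNAT_RULES = [
    (B_REAL, A_REAL, A_SURROGATE),  # $EXT_IF:192.168.1.101   192.168.105.212 10.10.10.11
    (A_REAL, B_REAL, B_SURROGATE),  # $EXT_IF:192.168.105.212 192.168.1.101   10.10.10.10
]


def prerouting(pkt: Packet) -> Packet:
    """First matching DNAT rule rewrites the destination."""
    for src, orig_dst, new_dst in DNAT_RULES:
        if pkt.src == src and pkt.dst == orig_dst:
            return replace(pkt, dst=new_dst)
    return pkt


def postrouting(pkt: Packet) -> Packet:
    """First matching SNAT rule rewrites the source."""
    for dst, src, new_src in SNAT_RULES:
        if pkt.dst == dst and pkt.src == src:
            return replace(pkt, src=new_src)
    return pkt


def traverse(pkt: Packet) -> Packet:
    """Packet as it leaves the gateway toward the far client."""
    return postrouting(prerouting(pkt))


def covered_by_lan_policy(pkt: Packet, client_addr: str) -> bool:
    """True if pkt is 'client <-> 10.10.10.0/24', i.e. it matches an IPsec
    policy that only protects traffic between the client and the LAN subnet."""
    if client_addr not in (pkt.src, pkt.dst):
        return False
    other = pkt.dst if pkt.src == client_addr else pkt.src
    return ipaddress.ip_address(other) in LAN


def round_trip() -> tuple:
    """B sends to A's surrogate; A answers the source it saw. Both legs are
    rewritten statelessly and should land inside the LAN subnet."""
    to_a = traverse(Packet(src=B_REAL, dst=A_SURROGATE))
    to_b = traverse(Packet(src=A_REAL, dst=to_a.src))
    return to_a, to_b


def dnat_only() -> Packet:
    """Destination rewritten but source left alone: A would see a packet
    from B's real RFC 1918 address, outside its 10.10.10.0/24 policy."""
    return prerouting(Packet(src=B_REAL, dst=A_SURROGATE))


if __name__ == "__main__":
    to_a, to_b = round_trip()
    print("toward A:", to_a, "covered:", covered_by_lan_policy(to_a, A_REAL))
    print("toward B:", to_b, "covered:", covered_by_lan_policy(to_b, B_REAL))
    print("DNAT only:", dnat_only(), "covered:", covered_by_lan_policy(dnat_only(), A_REAL))
```

Running it shows the two surrogate addresses are consistent across the round trip: B addresses 10.10.10.11, A receives a packet from 10.10.10.10, and A's reply to 10.10.10.10 comes back to B from 10.10.10.11, so each client only ever sees the other as a 10.10.10.0/24 host. The gateway still handles the traffic in the clear between the two SAs; it is the gateway's own rules, not an end-to-end policy, that keep the two clients' real addresses hidden from each other.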