OK, here's the scoop.

Internal HOME network is 172.16.1.x
Internal WORK network is 172.21.1.x
External WORK VPN gateway is 10.10.1.1

Problem: My CP Client repeatedly tries to connect to a 172.21.x.x address on UDP/500. I am looking for a rule that essentially NATs connections to 172.21.1.x:500 to 10.10.1.1:500. This configuration worked for me in the past before I used Shorewall; I just cannot for the life of me figure this one out. I have tried various iterations of DNAT, REDIRECT, etc.

Help is appreciated.

Bob

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
On Tue, Sep 06, 2005 at 07:15:36PM -0700, Bob Perciaccante Jr wrote:
> OK, here's the scoop.
>
> Internal HOME network is 172.16.1.x
> Internal WORK network is 172.21.1.x
> External WORK VPN gateway is 10.10.1.1
>
> Problem: My CP Client repeatedly tries to connect to a 172.21.x.x address on
> UDP/500. I am looking for a rule that essentially NATs connections to
> 172.21.1.x:500 to 10.10.1.1:500. This configuration worked for me in the past
> before I used Shorewall, I just cannot for the life of me figure this one out.
> I have tried various iterations of DNAT, REDIRECT, etc.

I'd say this is a job for DNAT. What have you tried? Something like:

# /etc/shorewall/rules
DNAT loc loc:10.10.1.1 udp 500

You can tell if the NAT rule is working by checking the NAT counters:

# shorewall show nat
Marc Singer wrote:
> On Tue, Sep 06, 2005 at 07:15:36PM -0700, Bob Perciaccante Jr wrote:
>> OK, here's the scoop.
>>
>> Internal HOME network is 172.16.1.x
>> Internal WORK network is 172.21.1.x
>> External WORK VPN gateway is 10.10.1.1
>>
>> Problem: My CP Client repeatedly tries to connect to a 172.21.x.x address on
>> UDP/500. I am looking for a rule that essentially NATs connections to
>> 172.21.1.x:500 to 10.10.1.1:500. This configuration worked for me in the past
>> before I used Shorewall, I just cannot for the life of me figure this one out.
>> I have tried various iterations of DNAT, REDIRECT, etc.
>
> I'd say this is a job for DNAT. What have you tried? Something like:
>
> # /etc/shorewall/rules
> DNAT loc loc:10.10.1.1 udp 500
>
> You can tell if the NAT rule is working by checking the NAT counters
>
> # shorewall show nat
>

IPSEC generally can't be used over NAT -- that's why the IPSEC folks have worked so hard to come up with NAT-T support for IPSEC (typically using UDP port 4500). In short, trying to do NAT without NAT-T is usually a lost cause.

From the Shorewall home page, click on the menu item "LinuxFest NW 2005 Presentation" in the left frame to learn more.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
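The two replies above pull in opposite directions: Marc's rules line rewrites UDP/500, while Tom's point is that an IPsec session is more than IKE on UDP/500. The following is an added example, not code from the thread or from the Shorewall project, that parses rules-file lines of the shape Marc suggested and reports which parts of an IPsec session a given set of DNAT rules would rewrite and which still go to the address the client originally dialled. The flow table, the sample rules file and all helper names (DnatRule, parse_dnat_rule, uncovered_ipsec_flows, load_rules) are my own constructions and assumptions; it only models the selector logic, it does not talk to iptables.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed table (not from the thread) of the flows an IPsec client can emit.
# Key: (protocol name, destination port or None for port-less protocols).
IPSEC_FLOWS: Dict[Tuple[str, Optional[int]], str] = {
    ("udp", 500): "IKE on UDP/500 (port-based, so a 'udp 500' DNAT rewrites it)",
    ("udp", 4500): "NAT-T on UDP/4500 (IKE plus UDP-encapsulated ESP)",
    ("esp", None): "raw ESP, IP protocol 50 (no ports, so a 'udp 500' rule never matches it)",
    ("ah", None): "AH, IP protocol 51 (its integrity check covers the IP header, "
                  "so any address rewrite breaks it)",
}

# Shorewall accepts protocol numbers as well as names; normalise the ones used here.
PROTO_NAMES = {"17": "udp", "6": "tcp", "50": "esp", "51": "ah"}


@dataclass(frozen=True)
class DnatRule:
    source: str                       # source zone, e.g. "loc"
    dest_zone: str                    # destination zone, e.g. "loc"
    dest_addr: Optional[str]          # address the destination is rewritten to, e.g. "10.10.1.1"
    proto: str                        # "udp", "tcp", "esp", "ah" or "all"
    dports: Optional[FrozenSet[int]]  # destination ports, None when the rule names none


def parse_dnat_rule(line: str) -> DnatRule:
    """Parse one rules-file line of the shape 'DNAT SOURCE DEST[:addr] PROTO [DPORTS]',
    the columns Marc's example uses. DPORTS may be a comma list or '-'. Anything
    that is not a DNAT line with a PROTO column raises ValueError."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 4 or fields[0].upper() != "DNAT":
        raise ValueError(f"not a DNAT rule with a PROTO column: {line!r}")
    zone, _, addr = fields[2].partition(":")
    proto = fields[3].lower()
    ports = fields[4] if len(fields) > 4 else "-"
    dports = None if ports == "-" else frozenset(int(p) for p in ports.split(","))
    return DnatRule(fields[1], zone, addr or None, PROTO_NAMES.get(proto, proto), dports)


def rule_matches(rule: DnatRule, proto: str, port: Optional[int]) -> bool:
    """True when the rule's protocol/port selector would match a packet of this flow."""
    if rule.proto not in ("all", proto):
        return False
    return rule.dports is None or port in rule.dports


def uncovered_ipsec_flows(rules: List[DnatRule]) -> List[str]:
    """Describe every IPsec flow that no rule in `rules` rewrites; those packets
    still leave for the address the client originally dialled."""
    return [desc for (proto, port), desc in IPSEC_FLOWS.items()
            if not any(rule_matches(r, proto, port) for r in rules)]


def load_rules(text: str) -> List[DnatRule]:
    """Read DNAT lines from rules-file text, skipping blank lines and comments."""
    return [parse_dnat_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


# Constructed rules file: only the single line suggested in the thread.
SAMPLE_RULES = """
# /etc/shorewall/rules (constructed sample)
DNAT loc loc:10.10.1.1 udp 500
"""

if __name__ == "__main__":
    for desc in uncovered_ipsec_flows(load_rules(SAMPLE_RULES)):
        print("not rewritten by these rules:", desc)
```

Run against the sample file it lists NAT-T, ESP and AH as untouched: the rule does exactly what Bob asked for, and the remaining session still heads for the 172.21.x.x address, which is the gap Tom is pointing at. Adding a `udp 500,4500` selector covers the NAT-T case; nothing in a port-based rule covers raw ESP or AH.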
My client is configured to use IPSEC over NAT, the problem lies in the destination host.

In my previous firewall installation, I simply added a NAT rule that sent all traffic destined for 172.21.1.10 (internal VPN address) to 10.10.1.1 (external VPN address).

Does that make more sense? I apologize if I am not explaining it properly.

Bob

--- Tom Eastep <teastep@shorewall.net> wrote:
> Marc Singer wrote:
> > On Tue, Sep 06, 2005 at 07:15:36PM -0700, Bob Perciaccante Jr wrote:
> >> OK, here's the scoop.
> >>
> >> Internal HOME network is 172.16.1.x
> >> Internal WORK network is 172.21.1.x
> >> External WORK VPN gateway is 10.10.1.1
> >>
> >> Problem: My CP Client repeatedly tries to connect to a 172.21.x.x address on
> >> UDP/500. I am looking for a rule that essentially NATs connections to
> >> 172.21.1.x:500 to 10.10.1.1:500. This configuration worked for me in the past
> >> before I used Shorewall, I just cannot for the life of me figure this one out.
> >> I have tried various iterations of DNAT, REDIRECT, etc.
> >
> > I'd say this is a job for DNAT. What have you tried? Something like:
> >
> > # /etc/shorewall/rules
> > DNAT loc loc:10.10.1.1 udp 500
> >
> > You can tell if the NAT rule is working by checking the NAT counters
> >
> > # shorewall show nat
> >
>
> IPSEC generally can't be used over NAT -- that's why the IPSEC folks
> have worked so hard to come up with NAT-T support for IPSEC (typically
> using UDP port 4500). In short, trying to do NAT without NAT-T is
> usually a lost cause.
>
> From the Shorewall home page, click on the menu item "LinuxFest NW 2005
> Presentation" in the left frame to learn more.
>
> -Tom
> --
> Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
> Shoreline,         \ http://shorewall.net
> Washington USA     \ teastep@shorewall.net
> PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
>
> My client is configured to use IPSEC over NAT, the problem lies in the
> destination host.
>
> In my previous firewall installation, I simply added a NAT rule that sent all
> traffic destined for 172.21.1.10 (internal VPN address) to 10.10.1.1 (external
> VPN address).
>
> Does that make more sense? I apologize if I am not explaining it properly.
>
> Bob

If you post the iptables commands you were using, perhaps we could translate it for you.

Jerry