OK, here's my challenge: I have two sites connected to each other via an IPSec tunnel. One end is a Cisco PIX and my end is OpenSwan 2.2. I have the latest flavor of Shorewall installed and running. I have a stock install of Suse9.3, which includes the 2.6 kernel.

The tunnel is running, but it requires a private IP at both ends of the link to NAT traffic between the real, physical subnets. Diagrammed example below:

    Subnet1 (192.168.20.0/24)
    |
    Cisco PIX (SNAT's from 192.168.250.70)
    |
    Internet
    |
    OpenSwan/Shorewall (SNAT's from 192.168.213.1)
    |
    Subnet2 (192.168.1.0/24)

The subnetting is not scary, and the IPSec side of things works just fine. Systems in subnet2 can communicate with a system in 192.168.20.0/24 that has a DNAT'd service from 192.168.250.70.

The problem is that I need to set up some sort of DNAT rule to enable access to a service in subnet2 from subnet1. The address that I need to use on my end is 192.168.213.2, which the IPSec tunnel will allow (it has a 192.168.213.0/30 range assigned to the endpoint).

My question is: How do I set up a rule to DNAT traffic coming from 192.168.250.70 over the IPSec tunnel destined for 192.168.213.2 to 192.168.1.117? This is for an HPJD device, so only TCP port 9100 is needed. I have a rule in place now that says this:

    DNAT all loc:192.168.1.117 tcp 9100 - 192.168.213.2

...but this doesn't work. I guess I mostly just need to figure out what interface/zone decrypted traffic shows up in Shorewall so I can DNAT from there. I think I liked the 2.4 kernel way of dealing with traffic better (ipsec0)...it sure seemed to make more sense to me. :^)

-Ty
List Receiver wrote:

> OK, here's my challenge:
>
> I have two sites connected to each other via an IPSec tunnel. One end
> is a Cisco PIX and my end is OpenSwan 2.2. I have the latest flavor of
> Shorewall installed and running. I have a stock install of Suse9.3,
> which includes the 2.6 kernel.
>
> The tunnel is running, but it requires a private IP at both ends of the
> link to NAT traffic between the real, physical subnets. Diagrammed
> example below:
>
> Subnet1 (192.168.20.0/24)
> |
> Cisco PIX (SNAT's from 192.168.250.70)
> |
> Internet
> |
> OpenSwan/Shorewall (SNAT's from 192.168.213.1)
> |
> Subnet2 (192.168.1.0/24)

I don't understand the above diagram. The phrase "SNAT's from" makes no sense to me given that neither IP address has any relationship to the local networks. If 192.168.20.4 sends a connection request to 192.168.1.9, what is the source IP address when the packet reaches 192.168.1.9? Who rewrites the source IP address? The PIX or the Shorewall box? Does 192.168.20.4 send the request directly to 192.168.1.9 or must it address the request to some other IP address? If the latter, then what address does it send to and who rewrites the destination IP address?

It might help if you forwarded the output of "shorewall status" so we can try to understand the configuration.

> The subnetting is not scary and the IPSec side of things works just
> fine. Systems in subnet2 can communicate with a system in
> 192.168.20.0/24 that has a DNAT'd service from 192.168.250.70.

Now you are talking about "DNAT'd from..." -- I'm completely lost.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
I agree that it's certainly confusing. Attached is the output of "shorewall status".

It's difficult to do an entirely complete diagram in text, given this configuration. Each IP listed as an SNAT is, for lack of a better name, a virtual interface. The PIX has a local address in subnet1, and the Openswan/Shorewall box has a local address in subnet2. The PIX operator will not allow a straight subnet to subnet VPN, hence the mandated need for the "fake" addresses to do PAT-style traffic handling. Let me try to diagram just the flow of traffic from PIX to Shorewall through the IPSec tunnel alone:

    Subnet1 (192.168.20.0/24)
    |
    192.168.20.1 (Physical interface address)
    Cisco PIX (Outbound VPN traffic NAT'd to appear as though it's from 192.168.250.70)
    |
    VPN tunnel (routed from 192.168.250.70 to 192.168.213.1/30...no nat in this step)
    |
    192.168.213.1 and .2 ("fake" addresses...just set up as alias interfaces now, but whatever works is what I'll do)
    OpenSwan/Shorewall (Inbound requests to tcp port 9100 on the .2 address should be NAT'd to 192.168.1.117)
    192.168.1.254 (Physical interface address)
    |
    Subnet2 (192.168.1.0/24)

Traffic in the reverse direction already works. In other words, the PIX operator has the ability to handle this: (read from bottom to top)

    Subnet1 (192.168.20.0/24)
    |
    192.168.20.1 (Physical interface address)
    Cisco PIX (Inbound traffic destined for 192.168.250.70 is NAT'd to internal host 192.168.20.23)
    |
    VPN tunnel (routed from 192.168.213.1/30 to 192.168.250.70...no nat in this step)
    |
    192.168.213.1 and .2 ("fake" addresses...just set up as alias interfaces now, but whatever works is what I'll do)
    OpenSwan/Shorewall (Outbound VPN traffic NAT'd to appear as though it's from 192.168.213.1)
    192.168.1.254 (Physical interface address)
    |
    Subnet2 (192.168.1.0/24)

I don't know if this clears anything up or not. It's confused the heck out of me, because I'm not used to IPSec/2.6 kernel/multiple levels of NAT all at the same time. :^(

Again, all I'm trying to accomplish is to get tcp port 9100 on the 192.168.213.2 address NAT'd to 192.168.1.117 in the real subnet2 so that VPN hosts in subnet1 can connect to it. Does that help any?

Thanks a bunch,
Ty

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Tuesday, October 18, 2005 5:28 PM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] IPSec/DNAT question
On Wednesday 19 October 2005 07:30, List Receiver wrote:

> I agree that it's certainly confusing. Attached is the output of
> "shorewall status".
>
> It's difficult to do an entirely complete diagram in text, given this
> configuration. Each IP listed as an SNAT is, for lack of a better name, a
> virtual interface. The PIX has a local address in subnet1, and the
> Openswan/Shorewall box has a local address in subnet2. The PIX operator
> will not allow a straight subnet to subnet VPN, hence the mandated need for
> the "fake" addresses to do PAT-style traffic handling. Let me try to
> diagram just the flow of traffic from PIX to Shorewall through the IPSec
> tunnel alone:
>
> Subnet1 (192.168.20.0/24)
>
> 192.168.20.1 (Physical interface address)
> Cisco PIX (Outbound VPN traffic NAT'd to appear as though it's from
> 192.168.250.70)
>
> VPN tunnel (routed from 192.168.250.70 to 192.168.213.1/30...no nat in this
> step)
>
> 192.168.213.1 and .2 ("fake" addresses...just set up as alias interfaces
> now, but whatever works is what I'll do)
> OpenSwan/Shorewall (Inbound requests to tcp port 9100 on the .2 address
> should be NAT'd to 192.168.1.117)
> 192.168.1.254 (Physical interface address)

    DNAT vpn loc:192.168.1.117 tcp 9100 - 192.168.213.2

Where 'vpn' is the ipsec zone that represents the remote subnet.

-Tom
That made sense to me in the old, 2.4 kernel model, since I could assign the ipsec0 interface to a "vpn" zone. How do I do that, though, with the 2.6 kernel model? The zone hosts? I've added your rule and added this to the hosts file:

    vpn eth1:192.168.250.70

I'm assuming this is correct, given that eth1 is the interface that has the public IP?

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Wednesday, October 19, 2005 7:44 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] IPSec/DNAT question
Whoops...sorry to reply to myself. I actually added this to the hosts file:

    vpn eth1:192.168.250.70 ipsec

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of List Receiver
Sent: Wednesday, October 19, 2005 8:40 AM
To: shorewall-users@lists.sourceforge.net
Subject: RE: [Shorewall-users] IPSec/DNAT question
On Wednesday 19 October 2005 08:42, List Receiver wrote:

> Whoops...sorry to reply to myself. I actually added this to the hosts
> file:
>
> vpn eth1:192.168.250.70 ipsec

Looks correct -- provided that you have policy match support (and the IPSEC-Netfilter patches).

-Tom
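As an added illustration (editor's code, not Shorewall's, Openswan's, or anything posted in this thread), here is a small Python model of the two configuration lines Tom confirmed: the hosts entry with the ipsec option and the DNAT rule from the vpn zone. It shows why the ipsec option matters on a 2.6 kernel without an ipsec0 interface: the same TCP/9100 packet from 192.168.250.70 to 192.168.213.2 is classified as zone vpn and rewritten to 192.168.1.117 only when the kernel reports it came out of the tunnel (the policy match); a cleartext packet with identical addresses arriving on eth1 falls through to the net zone and is not rewritten. The interface eth0 for subnet2, the existence and order of the net and loc zones, and the packet/zone data structures are assumptions made for this example; the iptables line at the end is the hand-typed equivalent with the policy match, not what Shorewall itself generates.

```python
# Toy model of Shorewall zone classification plus DNAT for this thread's config:
#   /etc/shorewall/hosts:  vpn  eth1:192.168.250.70  ipsec
#   /etc/shorewall/rules:  DNAT vpn loc:192.168.1.117 tcp 9100 - 192.168.213.2
# The "ipsec" option corresponds to netfilter's policy match
# (-m policy --dir in --pol ipsec): a packet is "vpn" only if it was decrypted.
# eth0/net/loc and the list order are assumptions for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int
    decrypted: bool       # True if the packet came out of an IPsec SA


@dataclass(frozen=True)
class HostEntry:          # one line of /etc/shorewall/hosts
    zone: str
    iface: str
    hosts: str            # CIDR
    ipsec: bool = False   # the "ipsec" option


@dataclass(frozen=True)
class DnatRule:           # one DNAT line of /etc/shorewall/rules
    source_zone: str
    new_dest: str         # loc:192.168.1.117 -> the real server
    proto: str
    dport: int
    original_dest: str    # the "fake" address the remote side connects to


# Zone assignment is tried in list order, most specific entry first.
HOSTS = [
    HostEntry("vpn", "eth1", "192.168.250.70/32", ipsec=True),
    HostEntry("net", "eth1", "0.0.0.0/0"),            # assumed: eth1 is the internet side
    HostEntry("loc", "eth0", "192.168.1.0/24"),       # assumed: eth0 faces subnet2
]

RULES = [DnatRule("vpn", "192.168.1.117", "tcp", 9100, "192.168.213.2")]


def classify_zone(pkt: Packet, hosts=HOSTS) -> Optional[str]:
    """Return the source zone a packet belongs to, or None if no entry claims it."""
    src = ip_address(pkt.src)
    for h in hosts:
        if h.iface != pkt.iface or src not in ip_network(h.hosts):
            continue
        if h.ipsec and not pkt.decrypted:
            continue          # cleartext packet: the ipsec zone does not claim it
        return h.zone
    return None


def apply_dnat(pkt: Packet, rules=RULES, hosts=HOSTS) -> Optional[str]:
    """Return the rewritten destination address, or None if no DNAT rule matches."""
    zone = classify_zone(pkt, hosts)
    for r in rules:
        if (r.source_zone == zone and r.proto == pkt.proto
                and r.dport == pkt.dport and r.original_dest == pkt.dst):
            return r.new_dest
    return None


def to_iptables(rule: DnatRule, host: HostEntry) -> str:
    """Hand-written iptables equivalent of rule + host entry (Shorewall's own
    generated chains are laid out differently but match on the same things)."""
    policy = " -m policy --dir in --pol ipsec" if host.ipsec else ""
    return (f"iptables -t nat -A PREROUTING -i {host.iface} -s {host.hosts}{policy}"
            f" -d {rule.original_dest} -p {rule.proto} --dport {rule.dport}"
            f" -j DNAT --to-destination {rule.new_dest}")


if __name__ == "__main__":
    via_tunnel = Packet("eth1", "192.168.250.70", "192.168.213.2", "tcp", 9100, True)
    cleartext = Packet("eth1", "192.168.250.70", "192.168.213.2", "tcp", 9100, False)
    print(classify_zone(via_tunnel), apply_dnat(via_tunnel))   # vpn 192.168.1.117
    print(classify_zone(cleartext), apply_dnat(cleartext))     # net None
    print(to_iptables(RULES[0], HOSTS[0]))
```

The cleartext case is the one worth checking on a real box: with policy match support missing, as Tom's caveat warns, there is nothing that distinguishes decrypted traffic from an ordinary packet on eth1 claiming the same source address, so the zone cannot be built on the ipsec option at all.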
It turned out that it worked...thanks for your help. I could have sworn I tried that in all the testing I did yesterday... :^( Oh well!

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Tom Eastep
Sent: Wednesday, October 19, 2005 9:08 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] IPSec/DNAT question