Dear all,
I am new here, and dealing with an S-NAT problem.
Let me explain with my poor English what I would be happy to do.
But first here is my network spec:
My local network: 192.168.50.0/24
My local firewall(linux): 62.2.195.10 (public ip)
The remote firewall(cisco): 199.64.74.20
The remote network: 165.195.97.0/24
So with Racoon, I'd like to connect to the remote network. Not that hard.
But the problem is that on the remote firewall, the granted IP from my side
must be "199.64.69.7", which is not possible as my local network is
192.168.50.0/24.
I would like then with S-NAT, to change my local network address to
199.64.69.7 when connecting to the remote network. This way, the remote
firewall will grant me the access.
I've carefully read the http://www.shorewall.net/IPSEC-2.6.html tutorial.
But now I've been stuck with this SNAT for a really long time.
Below you will see the information you might find useful.
If you need anything else, don't hesitate to ask me, but I am a beginner.
Thank you for your time, and I hope you may help me.
#####################################################################
My system is:
CentOs 4 (2.6.12)
Shorewall v3.0.3
#####################################################################
#####################################################################
[root@gate]shorewall show nat |grep ipsec
0 0 honey_dnat all -- eth0 * 165.195.97.0/24 0.0.0.0/0 policy match dir in pol ipsec
0 0 honey_dnat all -- eth0 * 199.64.74.20 0.0.0.0/0 policy match dir in pol ipsec
0 0 SNAT all -- * * 192.168.50.0/24 0.0.0.0/0 policy match dir out pol ipsec to:199.64.69.7
#####################################################################
#####################################################################
/etc/shorewall/tunnels
#TYPE ZONE GATEWAY GATEWAY
# ZONE
ipsec net 199.64.74.20
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
/etc/shorewall/hosts:
#ZONE HOST(S) OPTIONS
honey eth0:165.195.97.0/24,199.64.74.20 ipsec
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
/etc/shorewall/masq:
#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
eth0 192.168.50.0/24 199.64.69.7 - - Yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
#####################################################################
#####################################################################
My routes are:
192.168.254.200 dev tun1 proto kernel scope link src 192.168.254.201
192.168.158.5 dev tun0 proto kernel scope link src 192.168.158.6
192.168.101.8/29 dev eth1.12 proto kernel scope link src 192.168.101.9
192.168.101.0/29 dev eth1.11 proto kernel scope link src 192.168.101.1
192.168.101.16/29 dev eth1.13 proto kernel scope link src 192.168.101.17
192.168.101.40/29 dev eth1.18 proto kernel scope link src 192.168.101.41
192.168.101.56/29 dev eth1.23 proto kernel scope link src 192.168.101.57
192.168.101.48/29 dev eth1.21 proto kernel scope link src 192.168.101.49
192.168.101.72/29 dev eth1.25 proto kernel scope link src 192.168.101.73
192.168.101.64/29 dev eth1.24 proto kernel scope link src 192.168.101.65
192.168.101.88/29 dev eth1.28 proto kernel scope link src 192.168.101.89
192.168.101.104/29 dev eth1.30 proto kernel scope link src 192.168.101.105
192.168.16.0/27 dev eth1.19 proto kernel scope link src 192.168.16.28
192.168.100.0/24 dev eth1.3 proto kernel scope link src 192.168.100.1
192.168.102.0/24 dev eth1.14 proto kernel scope link src 192.168.102.1
192.168.103.0/24 dev eth1.15 proto kernel scope link src 192.168.103.1
192.168.50.0/24 dev eth1.10 proto kernel scope link src 192.168.50.1
199.64.69.0/24 dev eth1.10 proto kernel scope link src 199.64.69.7
192.168.108.0/24 dev eth1.8 proto kernel scope link src 192.168.108.1
10.90.90.0/24 dev eth1.22 proto kernel scope link src 10.90.90.1
192.168.110.0/24 dev eth1.16 proto kernel scope link src 192.168.110.1
62.2.195.0/24 dev eth0 proto kernel scope link src 62.2.195.10
192.168.104.0/24 dev eth1.27 proto kernel scope link src 192.168.104.1
10.28.30.0/24 dev eth1.31 proto kernel scope link src 10.28.30.254
192.168.220.0/24 via 192.168.254.200 dev tun1
192.168.105.0/24 dev eth1.29 proto kernel scope link src 192.168.105.1
192.168.106.0/24 dev eth1.20 proto kernel scope link src 192.168.106.1
192.168.96.0/21 dev eth1.17 proto kernel scope link src 192.168.101.33
192.168.96.0/21 dev eth1.26 proto kernel scope link src 192.168.101.81
192.168.0.0/20 dev eth1.4 proto kernel scope link src 192.168.0.1
169.254.0.0/16 dev eth1.31 scope link
default via 62.2.195.1 dev eth0
#####################################################################
#####################################################################
My ip table is:
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 1000
link/ether 00:04:23:ac:6d:44 brd ff:ff:ff:ff:ff:ff
inet 62.2.195.10/24 brd 62.2.195.255 scope global eth0
inet 62.2.195.11/24 brd 62.2.195.255 scope global secondary eth0:0
inet 62.2.195.12/24 brd 62.2.195.255 scope global secondary eth0:1
inet 62.2.195.13/24 brd 62.2.195.255 scope global secondary eth0:2
inet 62.2.195.14/24 brd 62.2.195.255 scope global secondary eth0:3
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop qlen 1000
link/ether 00:e0:18:46:e3:f3 brd ff:ff:ff:ff:ff:ff
5: eth1.10: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.50.1/24 brd 192.168.50.255 scope global eth1.10
inet 199.64.69.7/24 brd 199.64.69.255 scope global eth1.10:honey
inet 192.168.50.2/24 brd 192.168.50.255 scope global secondary eth1.10:0
6: eth1.11: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.1/29 brd 192.168.101.7 scope global eth1.11
7: eth1.12: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.9/29 brd 192.168.101.15 scope global eth1.12
8: eth1.13: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.17/29 brd 192.168.101.23 scope global eth1.13
9: eth1.14: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.102.1/24 brd 192.168.102.255 scope global eth1.14
10: eth1.15: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.103.1/24 brd 192.168.103.255 scope global eth1.15
11: eth1.16: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.110.1/24 brd 192.168.110.255 scope global eth1.16
12: eth1.17: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.33/21 brd 192.168.103.255 scope global eth1.17
13: eth1.18: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.41/29 brd 192.168.101.47 scope global eth1.18
14: eth1.19: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.16.28/27 brd 192.168.16.31 scope global eth1.19
15: eth1.20: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.106.1/24 brd 192.168.106.255 scope global eth1.20
16: eth1.21: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.49/29 brd 192.168.101.55 scope global eth1.21
17: eth1.22: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 10.90.90.1/24 brd 10.90.90.255 scope global eth1.22
18: eth1.23: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.57/29 brd 192.168.101.63 scope global eth1.23
19: eth1.24: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.65/29 brd 192.168.101.71 scope global eth1.24
20: eth1.25: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.73/29 brd 192.168.101.79 scope global eth1.25
21: eth1.26: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.81/21 brd 192.168.103.255 scope global eth1.26
22: eth1.27: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.104.1/24 brd 192.168.104.255 scope global eth1.27
23: eth1.28: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.89/29 brd 192.168.101.95 scope global eth1.28
24: eth1.29: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.105.1/24 brd 192.168.105.255 scope global eth1.29
25: eth1.3: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.100.1/24 brd 192.168.100.255 scope global eth1.3
26: eth1.30: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.101.105/29 brd 192.168.101.111 scope global eth1.30
27: eth1.4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.1/20 brd 192.168.15.255 scope global eth1.4
28: eth1.8: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.108.1/24 brd 192.168.108.255 scope global eth1.8
29: tun0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 192.168.158.6 peer 192.168.158.5/32 scope global tun0
30: tun1: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc pfifo_fast qlen 100
link/[65534]
inet 192.168.254.201 peer 192.168.254.200/32 scope global tun1
31: imq0: <NOARP,UP> mtu 1500 qdisc htb qlen 30
link/void
32: eth1.31: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
link/ether 00:04:23:ac:6d:45 brd ff:ff:ff:ff:ff:ff
inet 10.28.30.254/24 brd 10.28.30.255 scope global eth1.31
#####################################################################
Regards,
Frédéric Cornu
SwissLink / Openbusiness SA
World Trade Center
Av. Gratta-Paille 1-2, 1000 Lausanne 30
Switzerland
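A small diagnostic that a reader of this thread might find useful, added here as an example and not part of the original post: it parses "shorewall show nat" / "iptables -t nat -L -v -n" rule lines like the ones quoted above and flags IPsec-gated SNAT rules whose packet counter is still zero, which is exactly what the listing in the post shows (the translation has never fired). The sample listing is constructed from the post's output; no real host is queried.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the "shorewall show nat | grep ipsec" lines in
# the post, with the wrapped lines rejoined so each rule sits on one line.
SAMPLE_NAT_OUTPUT = """\
    0     0 honey_dnat all -- eth0 * 165.195.97.0/24 0.0.0.0/0 policy match dir in pol ipsec
    0     0 honey_dnat all -- eth0 * 199.64.74.20    0.0.0.0/0 policy match dir in pol ipsec
    0     0 SNAT       all -- *    * 192.168.50.0/24 0.0.0.0/0 policy match dir out pol ipsec to:199.64.69.7
"""

_COUNT_RE = re.compile(r"^(\d+)([KMG]?)$")  # iptables -v abbreviates large counters
_SCALE = {"": 1, "K": 1000, "M": 1_000_000, "G": 1_000_000_000}


def _count(tok: str) -> Optional[int]:
    m = _COUNT_RE.match(tok)
    return int(m.group(1)) * _SCALE[m.group(2)] if m else None


@dataclass
class NatRule:
    pkts: int
    target: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str  # match options and target parameters, e.g. "policy match ... to:x"

    @property
    def ipsec_policy_dir(self) -> Optional[str]:
        m = re.search(r"policy match dir (in|out) pol ipsec", self.extra)
        return m.group(1) if m else None

    @property
    def snat_to(self) -> Optional[str]:
        m = re.search(r"\bto:(\S+)", self.extra)
        return m.group(1) if m else None


def parse_nat_rules(text: str) -> List[NatRule]:
    """Parse 'iptables -t nat -L -v -n' style rule lines (pkts bytes target
    prot opt in out source destination [extra]); any other line is skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9 or _count(parts[0]) is None or _count(parts[1]) is None:
            continue
        pkts, _bytes, target, _prot, _opt, in_if, out_if, src, dst = parts[:9]
        rules.append(NatRule(_count(pkts), target, in_if, out_if, src, dst,
                             " ".join(parts[9:])))
    return rules


def idle_ipsec_snat_rules(rules: List[NatRule]) -> List[NatRule]:
    """SNAT rules gated on an outbound IPsec policy whose packet counter is
    still zero: the translation has never fired, so the traffic either never
    reaches POSTROUTING or has no matching xfrm policy when it gets there."""
    return [r for r in rules
            if r.target == "SNAT" and r.ipsec_policy_dir == "out" and r.pkts == 0]
```

Run it against live output with `parse_nat_rules(subprocess.check_output(["shorewall", "show", "nat"], text=True))` and re-check after generating some traffic towards the remote network; a counter that stays at zero means the packets are not seen as IPsec-bound at POSTROUTING.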