I have a server with two NICs, one connected directly to the Internet (and thus with a valid public IP address), and the other to a 192.168.0.0/24 LAN (server address 192.168.0.1). Masquerading is set up (via the masq file) from the LAN to Internet interfaces and works as expected. The server also runs an l2tp/ipsec VPN, and clients connected via that VPN are allowed further access (which isn't important here).

Clients on the LAN can establish a VPN connection to the 192.168.0.1 without problem. However, we want to be able to establish a VPN connection from a LAN client by specifying the external IP address of the server. Despite SNAT being in place and working, attempts to establish a VPN connection to the external server address fail, and looking at the logs, pluto (the IPsec server) is reporting the connection as coming from the client's 192.168.0.0/24 address. I suspect the setup of the VPN is failing because the client is sending TO the external IP address and receiving reply packets BACK from the 192.168.0.1 address.

I am sure there must be a way of having NAT work within the server from one interface to another, but I can't see how to do that, and I'd be grateful for any pointers. I hope the above explanation is clear, but if not then please ask questions.

Thanks for any help,
Keith
On Wed, 2007-09-12 at 16:48 +0100, Keith Edmunds wrote:

> However, we want to be able to establish a VPN connection from
> a LAN client by specifying the external IP address of the
> server.

This sounds suspiciously like Shorewall FAQ 2. Do you want to do that simply because you don't want to go to the effort of setting up split DNS?

> Despite SNAT being in place and working, attempts to
> establish a VPN connection to the external server address
> fail, and looking at the logs, pluto (the IPsec server) is
> reporting the connection as coming from the client's
> 192.168.0.0/24 address.

Good -- because that's where it is coming from.

> I suspect the setup of the VPN is
> failing because the client is sending TO the external IP
> address and receiving reply packets BACK from the
> 192.168.0.1 address.

I suspect that is not the cause -- but it could be verified by looking at packet traces.

> I am sure there must be a way of having NAT work within the
> server from one interface to another,

There is not. The SOURCE IP address may only be altered in the mangle table's POSTROUTING chain which is not traversed by traffic addressed to the firewall itself.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
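The point Tom makes above (POSTROUTING, where MASQUERADE/SNAT rules are applied, is never traversed by a packet whose destination is one of the firewall's own addresses) is easy to check with a small model of the netfilter traversal order. The following is an added illustration, not code from the thread or from Shorewall: it models the routing decision and the chain sequence, and shows why a LAN client connecting to the firewall's public address is still seen by pluto with its 192.168.0.0/24 source, while the same client reaching an Internet host is masqueraded. The public address 203.0.113.10, the Internet host 198.51.100.7, the client 192.168.0.50 and the interface names eth0/eth1 are constructed (RFC 5737 documentation ranges), not the poster's real values.

```python
import ipaddress

# Constructed addresses for the model; 192.168.0.1 and 192.168.0.0/24 are from the thread,
# the public address and interface names are assumptions.
EXTERNAL_IP = "203.0.113.10"        # firewall's public address on eth0 (assumed)
LAN_IP = "192.168.0.1"              # firewall's LAN address on eth1 (from the thread)
LAN_NET = ipaddress.ip_network("192.168.0.0/24")
LOCAL_ADDRESSES = {EXTERNAL_IP, LAN_IP}


def route(dst: str) -> str:
    """Routing decision for a destination: 'local' delivery to the firewall itself,
    or the name of the outgoing interface when the packet is to be forwarded."""
    if dst in LOCAL_ADDRESSES:
        return "local"
    return "eth1" if ipaddress.ip_address(dst) in LAN_NET else "eth0"


def masquerade(src: str, out_iface: str) -> str:
    """POSTROUTING masquerading rule on the external interface only, which is what a
    Shorewall masq entry of 'eth0  192.168.0.0/24' produces (modelled, not parsed)."""
    return EXTERNAL_IP if out_iface == "eth0" else src


def traverse(src: str, dst: str) -> tuple[list[str], str]:
    """Walk a packet that arrives on the LAN interface through the netfilter chains.

    Returns (chains traversed in order, source address the final recipient sees).
    Packets addressed to the firewall go PREROUTING -> INPUT and are delivered to a
    local process such as pluto; only forwarded packets reach POSTROUTING, so only
    they can have their source address rewritten.
    """
    chains = ["PREROUTING"]
    decision = route(dst)
    if decision == "local":
        chains.append("INPUT")
        return chains, src            # no POSTROUTING, hence no SNAT/MASQUERADE
    chains.extend(["FORWARD", "POSTROUTING"])
    return chains, masquerade(src, decision)


def source_seen_by(dst: str, client: str = "192.168.0.50") -> str:
    """Convenience wrapper: the source address the destination observes."""
    return traverse(client, dst)[1]


if __name__ == "__main__":
    for dst in (EXTERNAL_IP, LAN_IP, "198.51.100.7"):
        chains, seen = traverse("192.168.0.50", dst)
        print(f"to {dst:14s}: {' -> '.join(chains):36s} source seen = {seen}")
```

Run as a script it prints one line per destination: both of the firewall's own addresses show the client's unchanged 192.168.0.50 source (exactly what pluto logged), whereas the Internet host sees 203.0.113.10. The model deliberately ignores DNAT: a DNAT rule in PREROUTING could change the destination before the routing decision, which is the mechanism Shorewall FAQ 2 relies on, but it does not help here because the target service lives on the firewall itself.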