All,

I've got an ipsec VPN server running on Debian etch with shorewall 3.4.4. I've got a VPN tunnel requirement to source nat all traffic from my local net to a single ip BEFORE it gets into the VPN tunnel. I've seen a few discussions about this, but am still unable to make it work. The remote side still sees my internal network when attempting to establish the tunnel. Here are the configs:

1.1.1.1    = Ip of remote VPN peer
2.2.2.0/24 = Remote Internal Network
3.3.3.0/24 = My Internal Network
4.4.4.4    = Ip to Source Nat as to the remote net

Hosts File
vpn     eth0:1.1.1.1,2.2.2.0/24     ipsec

Tunnels File
ipsec:noah     net     1.1.1.1     vpn

Masq file
eth0:2.2.2.0/24     3.3.3.0/24     4.4.4.4     -     -     mode=tunnel,proto=esp

Any help you all could provide would be much appreciated. Let me know if any further explanation is required.

-- 
-Mike

-------------------------------------------------------------------------
SF.Net email is sponsored by: Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
Mike Jaquays wrote:
> The remote side still sees my internal network when attempting to
> establish the tunnel. Here are the configs:
> [config quoted in full above]

What security policies do you have on each end?

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
I can tell you what I have on my side, but I'd be guessing as to what the remote side has.

5.5.5.5 = My vpn server pub ip

spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec esp/tunnel/1.1.1.1-5.5.5.5/require;
spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec esp/tunnel/5.5.5.5-1.1.1.1/require;
spdadd 2.2.2.0/24 4.4.4.4/32 any -P in ipsec esp/tunnel/1.1.1.1-5.5.5.5/require;
spdadd 4.4.4.4/32 2.2.2.0/24 any -P out ipsec esp/tunnel/5.5.5.5-1.1.1.1/require;

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "Shorewall Users" <shorewall-users@lists.sourceforge.net>
Sent: Thursday, December 13, 2007 3:41:14 PM (GMT-0600) America/Chicago
Subject: Re: [Shorewall-users] Source Nat and VPN Tunnels

> What security policies do you have on each end?
>
> -Tom
Mike Jaquays wrote:
> I can tell you what I have on my side, but I'd be guessing as to what
> the remote side has.

Er -- so long as you have 'require' on all of yours, then the other end's policies must match yours.

-Tom
Ok, but that wouldn't cause issues with the source NAT would it?

-Mike

Tom Eastep wrote:
> Er -- so long as you have 'require' on all of yours, then the other end's
> policies must match yours.
>
> -Tom
Mike Jaquays wrote:
> Ok, but that wouldn't cause issues with the source NAT would it?

I'm trying to understand why you have this silly source NAT requirement in the first place.

-Tom
The remote side admin has requested we source nat all of our local network traffic to avoid network conflicts and such. Trust me, if it weren't a requirement from our remote partner I wouldn't even bother.

-Mike

Tom Eastep wrote:
> I'm trying to understand why you have this silly source NAT requirement in
> the first place.
>
> -Tom
Mike Jaquays wrote:
> The remote side admin has requested we source nat all of our local
> network traffic to avoid network conflicts and such. Trust me, if it
> weren't a requirement from our remote partner I wouldn't even bother.

Then I would:

a) Delete the 2.2.2.0/24<->3.3.3.0/24 security policies.
b) Remove the IPSEC 'OPTIONS' from your masq rule.

-Tom
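As an added example (not from the thread, and not Shorewall or setkey code), the following Python check applies the two points above to the posted configuration: once 3.3.3.0/24 is source-NATed to 4.4.4.4 before encryption, only 4.4.4.4 should appear in the SPD selectors toward 2.2.2.0/24, and the Shorewall 3.x masq rule should carry no IPSEC column. The SPD text and masq line are constructed sample input copied from the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: the spdadd lines and the masq rule posted in the thread.
SPD_TEXT = """\
spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec esp/tunnel/1.1.1.1-5.5.5.5/require;
spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec esp/tunnel/5.5.5.5-1.1.1.1/require;
spdadd 2.2.2.0/24 4.4.4.4/32 any -P in ipsec esp/tunnel/1.1.1.1-5.5.5.5/require;
spdadd 4.4.4.4/32 2.2.2.0/24 any -P out ipsec esp/tunnel/5.5.5.5-1.1.1.1/require;
"""
MASQ_LINE = "eth0:2.2.2.0/24 3.3.3.0/24 4.4.4.4 - - mode=tunnel,proto=esp"

SPDADD = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\b")


def parse_spd(text):
    """Yield (src, dst, direction) for each spdadd line; other lines are ignored."""
    for line in text.splitlines():
        m = SPDADD.match(line.strip())
        if m:
            yield (ipaddress.ip_network(m.group(1)),
                   ipaddress.ip_network(m.group(2)), m.group(3))


def check_snat_vpn(spd_text, masq_line, local_net, snat_ip, remote_net):
    """Return findings for a tunnel whose local side is SNATed before encryption.

    Mirrors the advice in the thread: pre-NAT local_net <-> remote_net policies
    must go, a snat_ip <-> remote_net pair must exist, and the masq rule must
    not restrict itself with an IPSEC column.
    """
    local, remote = ipaddress.ip_network(local_net), ipaddress.ip_network(remote_net)
    snat = ipaddress.ip_network(snat_ip)          # host address, becomes /32
    findings, have_out, have_in = [], False, False
    for src, dst, direction in parse_spd(spd_text):
        if direction == "out" and src == local and dst == remote:
            findings.append(f"delete pre-NAT policy: {src} -> {dst} out")
        elif direction == "in" and src == remote and dst == local:
            findings.append(f"delete pre-NAT policy: {src} -> {dst} in")
        have_out |= direction == "out" and src == snat and dst == remote
        have_in |= direction == "in" and src == remote and dst == snat
    if not (have_out and have_in):
        findings.append(f"missing {snat} <-> {remote} policy pair")
    # Shorewall 3.x masq columns: INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
    cols = masq_line.split()
    if len(cols) >= 6 and cols[5] not in ("", "-"):
        findings.append(f"remove IPSEC column from masq rule: {cols[5]}")
    return findings
```

Running it on the posted config reports the two pre-NAT policies and the masq IPSEC column; with those removed it reports nothing.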
I'll give it a shot. Thanks!

-Mike

Tom Eastep wrote:
> Then I would:
>
> a) Delete the 2.2.2.0/24<->3.3.3.0/24 security policies.
> b) Remove the IPSEC 'OPTIONS' from your masq rule.
>
> -Tom