Hi
I wanted to ask the experts here for advice on this desired setup. I
looked at all the documentation I could find and am now resorting to
asking an expert. My company requires a site-to-site VPN with another
company which does not want to see our internal network on their side.
They only want to see a public IP address of our VPN.

10.XX.X.X <-------------------> 88.XX.XX.XX <-------------------> 22.XX.XX.XX <-------------------> 64.XX.XX.XX
Our Private Network            VPN Gateway      IPSec Tunnel      Our Client's VPN GW              Their Server SUBNET
Normally computers on our network can see the computers on theirs;
however, we are required to SNAT all our connections such that they
only see this type of configuration. That is, even their internal
machines must see our public IP address only.
This is what we need to do: SNAT all requests from the internal
machines before sending them through the VPN.
                      SNAT
10.XX.X.X <-------------------> 88.XX.XX.XX <-------------------> 22.XX.XX.XX <-------------------> 64.XX.XX.XX
Our Private Network            VPN Gateway      IPSec Tunnel      Our Client's VPN GW              Their Server SUBNET
This is what they want to see... from their side:

88.XX.XX.XX <-------------------> 22.XX.XX.XX <-------------------> 64.XX.XX.XX
VPN Gateway      IPSec Tunnel     Our Client's VPN GW               Their Server SUBNET
Is this possible with Linux 2.6.XX and shorewall? We have no software
or hardware restriction on our side.
Thanks to anybody who can give some advice.
Shankhadeep
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
The indentation messed things up a bit. So I will clarify:

10.XX.XX.XX - Our Network - A
88.XX.XX.XX - Our Gateway - B
22.XX.XX.XX - Their Gateway - C
64.XX.XX.XX - Their Subnet - D

Structure

10.XX.X.X <-----> 88.XX.XX.XX <--VPN---> 22.XX.XX.XX <---> 64.XX.XX.XX

What we need

                  SNAT
10.XX.X.X <------------> 88.XX.XX.XX <--VPN---> 22.XX.XX.XX <---> 64.XX.XX.XX

What they want to see from their side

88.XX.XX.XX <--VPN---> 22.XX.XX.XX <---> 64.XX.XX.XX
On Jan 16, 2008 5:15 PM, Shankhadeep Shome <shank15217@gmail.com> wrote:
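The SNAT-before-the-tunnel setup asked for in the two posts above, written out as an added example; it is not part of the original thread and not Shorewall's own documentation. It assumes a Shorewall 4.x gateway on a Linux 2.6 kernel with the in-kernel (netkey/XFRM) IPsec stack and the policy match module, that eth0 is the public interface carrying 88.XX.XX.XX and eth1 faces the private network, and that the prefix lengths are 10.XX.0.0/16 for A and 64.XX.XX.0/24 for D (all of these are assumptions; the XX placeholders are the thread's own and must be replaced with the real addresses):

```conf
# Added example, not from the original thread. Assumed: eth0 = public side
# (88.XX.XX.XX), eth1 = private side (10.XX.0.0/16), remote subnet
# 64.XX.XX.0/24, in-kernel IPsec (netkey) with policy match support.

# /etc/shorewall/zones
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
vpn     ipsec                     # only traffic that is inside an IPsec SA

# /etc/shorewall/interfaces
#ZONE   INTERFACE  BROADCAST  OPTIONS
net     eth0       detect
loc     eth1       detect

# /etc/shorewall/hosts
# Their subnet D is reached through eth0, but only when encrypted.
#ZONE   HOST(S)               OPTIONS
vpn     eth0:64.XX.XX.0/24

# /etc/shorewall/tunnels
# Permits IKE (UDP 500/4500) and ESP between our gateway B and their gateway C.
#TYPE   ZONE   GATEWAY        GATEWAY ZONE
ipsec   net    22.XX.XX.XX

# /etc/shorewall/masq
# SNAT every packet from A that is about to be encrypted towards D, so the
# inner IP header carries B (88.XX.XX.XX). "Yes" in the IPSEC column ties the
# rule to packets that will be IPsec-encapsulated; a plain "eth0 10.XX.0.0/16"
# line would also NAT cleartext traffic to D if the tunnel were ever down.
#INTERFACE              SOURCE          ADDRESS        PROTO  PORT(S)  IPSEC
eth0:64.XX.XX.0/24      10.XX.0.0/16    88.XX.XX.XX    -      -        Yes

# /etc/shorewall/policy
# Their side is only ever able to address B, never A, because nothing
# else is presented to them; the DROP policies make that explicit.
#SOURCE   DEST   POLICY   LOG LEVEL
loc       vpn    ACCEPT
vpn       loc    DROP     info
vpn       fw     DROP     info
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules
# If D must reach a service that B itself offers, open it per port, e.g.:
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
#ACCEPT   vpn      fw     tcp     22

# The IPsec tunnel definition (Openswan/strongSwan ipsec.conf, assumed names)
# has to negotiate B/32 <-> D as the traffic selectors, not A <-> D:
#   left=88.XX.XX.XX        leftsubnet=88.XX.XX.XX/32
#   right=22.XX.XX.XX       rightsubnet=64.XX.XX.0/24
# The netkey NAT code re-runs the XFRM policy lookup after SNAT in
# POSTROUTING (ip_xfrm_me_harder, later renamed nf_xfrm_me_harder), so the
# SPD is matched against the post-NAT source 88.XX.XX.XX.
```

After `shorewall check` and `shorewall restart`, verify three things: `ip xfrm policy` shows an `out` policy with `src 88.XX.XX.XX/32 dst 64.XX.XX.0/24`, `tcpdump -ni eth0 host 22.XX.XX.XX` shows only ESP (and IKE) towards C with no cleartext 10.XX packets, and a packet capture on the far side of C shows 88.XX.XX.XX as the only source. Because the NAT is done by conntrack, reply traffic from D is mapped back to the originating 10.XX host automatically; connections initiated from D can only target 88.XX.XX.XX, which is exactly the restriction the client asked for. With the KLIPS stack instead of netkey the same masq line is simply written against the `ipsec0` interface, and the IPSEC column is not needed.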
Shankhadeep Shome wrote:
> The indentation messed things up a bit. So I will clarify
>
> 10.XX.XX.XX - Our Network - A
> 88.XX.XX.XX - Our Gateway - B
> 22.XX.XX.XX - Their Gateway - C
> 64.XX.XX.XX - Their Subnet - D
>
> Structure
>
> 10.XX.X.X <-----> 88.XX.XX.XX <--VPN---> 22.XX.XX.XX <---> 64.XX.XX.XX
>
> What we need
>
>                   SNAT
> 10.XX.X.X <------------> 88.XX.XX.XX <--VPN---> 22.XX.XX.XX <---> 64.XX.XX.XX
>
> What they want to see from their side
>
> 88.XX.XX.XX <--VPN---> 22.XX.XX.XX <---> 64.XX.XX.XX

Is there no possibility to use a sane VPN solution like OpenVPN?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ teastep@shorewall.net
PGP Public Key      \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Shankhadeep Shome wrote:
[...]
> Is there no possibility to use a sane VPN solution like OpenVPN?

haha ... Sorry, couldn't resist. But OpenVPN is indeed one of the most stable, reliable and easy to use solutions I know in the field... I even use it @ Home - as my WiFi is not able to do more than WEP 128Bit - for all system accesses ... Anything not coming out of the VPN is not routed - e.g. dropped.

--
------------------------------------------------------------------------
| Joerg Mertin             : smurphy@solsys.org (Home)  |
| in Forchheim/Germany     : smurphy@linux.de   (Alt1)  |
| Stardust's LiNUX System  :                            |
| Web: http://www.solsys.org                            |
------------------------------------------------------------------------
PGP Fingerprint: AF0F FB75 997B 025F 4538 5AD6 9888 5D97 170B 8B7A