Michael Weickel - iQom Business Services GmbH
2009-Aug-25 11:59 UTC
DNAT on shorewall where shorewall is the tunnel endpoint
Dear shorewall users,

I have an OPENSWAN VPN between two shorewalls. Everything is up and running and working fine.

First I will describe the topology.

Left: 1.1.1.1
Leftsubnet: 192.168.1.0/24
Right: 2.2.2.2
Rightsubnet: 192.168.2.0/24

The Left- and Rightsubnets are not directly (static) connected to the Shorewall but via a /30 subnet. So that means that Shorewall has no interface either in the Left- or Rightsubnet, but this doesn't play a role since routing makes it possible.

My goal now is to talk from left to right to a NAT IP (which should be configured on the Shorewall box right) which makes a DNAT to a host in the Rightsubnet.

Since Openswan does not use tunnel interfaces I am a little lost.

Let's say my NAT IP should be 5.5.5.5 and it should be DNATted to 192.168.2.1.

I added a DNAT rule to the right Shorewall which looks like

DNAT ext-if int-if:192.168.2.1 tcp 23 - 5.5.5.5

I tried to do this with configuring 5.5.5.5 on the ext-if as an alias and I tried it without, but it seems that the NAT rule is not visible inside the tunnel, since if I telnet to 5.5.5.5 through the tunnel I will terminate at the Shorewall right itself instead of being NATted to 192.168.2.1.

Any help would be appreciated.

Cheers
Mike
Tom Eastep
2009-Aug-25 15:13 UTC
Re: DNAT on shorewall where shorewall is the tunnel endpoint
Michael Weickel - iQom Business Services GmbH wrote:

> [...]
> My goal now is to talk from left to right to a NAT IP (which should be configured on the Shorewall box right) which makes a DNAT to a host in the Rightsubnet.
>
> Since Openswan does not use tunnel interfaces I am a little lost.
>
> Let's say my NAT IP should be 5.5.5.5 and it should be DNATted to 192.168.2.1.
>
> I added a DNAT rule to the right Shorewall which looks like
>
> DNAT ext-if int-if:192.168.2.1 tcp 23 - 5.5.5.5
>
> I tried to do this with configuring 5.5.5.5 on the ext-if as an alias and I tried it without, but it seems that the NAT rule is not visible inside the tunnel, since if I telnet to 5.5.5.5 through the tunnel I will terminate at the Shorewall right itself instead of being NATted to 192.168.2.1.
>
> Any help would be appreciated.

1) Why do you need to DNAT at all? The left and right networks should be able to communicate using their native IP addresses! If not, you have done something wrong in your OpenSwan configuration.

2) Your DNAT rule appears to have interface names rather than zones. If you want to DNAT traffic from the left network then:

- The SOURCE is the zone that you assign to the left network.
- The ORIGINAL DESTINATION must be an address that the left network uses the tunnel to communicate with.

-Tom
--
Tom Eastep             \ When I die, I want to go like my Grandfather who
Shoreline,              \ died peacefully in his sleep. Not screaming like
Washington, USA          \ all of the passengers in his car
http://shorewall.net      \________________________________________________
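A Shorewall 4 configuration fragment for the right-hand firewall that puts Tom's two points into practice, added here as an illustration; it is not taken from the thread or from Shorewall's own documentation. The interface names eth0/eth1, the zone names loc/vpn, and the assumption that the left side's Openswan configuration carries an extra conn with rightsubnet=5.5.5.5/32 (so the left network actually sends 5.5.5.5 through the tunnel) are all mine.

```conf
# /etc/shorewall/zones   (right Shorewall, public address 2.2.2.2)
# vpn has TYPE ipsec: only packets that arrived through an IPsec SA belong to it.
#ZONE   TYPE      OPTIONS
fw      firewall
vpn     ipsec
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces
# 192.168.2.0/24 is not on eth1 itself; it is reached through the /30 on eth1,
# and zone membership by interface follows the routing table.
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     eth1        detect

# /etc/shorewall/hosts
# The left network is decrypted on eth0; this line is what makes it a zone at
# all, so that it can be named as the SOURCE of a rule.
#ZONE   HOST(S)                  OPTIONS
vpn     eth0:192.168.1.0/24

# /etc/shorewall/tunnels
# Lets the IKE/ESP traffic from the left gateway reach this firewall.
#TYPE   ZONE    GATEWAY     GATEWAY_ZONE
ipsec   net     1.1.1.1

# /etc/shorewall/rules
# Broken (as posted in the question): interface names in the SOURCE and DEST
# columns, where Shorewall expects zone names.
#DNAT   ext-if  int-if:192.168.2.1   tcp   23   -   5.5.5.5

# Corrected: SOURCE is the zone of the left network (vpn), DEST is the
# internal host in the loc zone, ORIGINAL DEST is 5.5.5.5. The rule only
# fires if the left network routes 5.5.5.5 into the tunnel (assumption:
# an additional Openswan conn with rightsubnet=5.5.5.5/32).
#ACTION SOURCE  DEST                 PROTO DEST  SOURCE  ORIGINAL
#                                          PORT  PORT    DEST
DNAT    vpn     loc:192.168.2.1      tcp   23    -       5.5.5.5
```

Because the ipsec zone is matched on the kernel's IPsec policy rather than on an interface, no alias for 5.5.5.5 on eth0 is needed for the DNAT to apply; what matters is that the packet arrives through the SA and is addressed to 5.5.5.5.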
Michael Weickel - iQom Business Services GmbH
2009-Aug-25 17:31 UTC
Re: DNAT on shorewall where shorewall is the tunnel endpoint
The reason for that is that the leftsubnet and the rightsubnet will (in a few moments) be the same.

I made an absurd mistake by taking the tunnel endpoint zone instead of the one the leftsubnet is assigned to. Your hint "The SOURCE is the zone that you assign to the left network" gave the go-ahead.

Thanks a lot Tom.

Mike

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Tuesday, 25 August 2009 17:13
To: Shorewall Users
Subject: Re: [Shorewall-users] DNAT on shorewall where shorewall is the tunnel endpoint

> [...]
> 1) Why do you need to DNAT at all? The left and right networks should be able to communicate using their native IP addresses! If not, you have done something wrong in your OpenSwan configuration.
>
> 2) Your DNAT rule appears to have interface names rather than zones. If you want to DNAT traffic from the left network then:
>
> - The SOURCE is the zone that you assign to the left network.
> - The ORIGINAL DESTINATION must be an address that the left network uses the tunnel to communicate with.
>
> -Tom