Farkas Levente
2010-Jul-17 15:54 UTC
ipsec with snat not working for me. can someone help me?
hi,
i try to read all kinds of documentation, but still not able to setup properly my network. we've got a firewall which has:

- eth1 network interface, public ip address a.b.c.d
- eth0 lan 172.22.80.1/24
- tun0 openvpn server's interface running on this firewall 192.168.255.1/24

at the same time on this firewall there is an ipsec tunnel to remote gateway x.y.z.w. behind the remote gateway there are dozens of networks which are all accessed through this ipsec tunnel. we use openswan for the ipsec.

the ipsec tunnel is working when we try to access from the lan (172.22.80.0/24), but unfortunately the remote cisco gateway is configured to only allow hosts from this lan to access the remote networks. but we'd like to access from our vpn network too. so i assume i can snat/masq on the firewall from 192.168.255.0/24 to 172.22.80.1 and then it'll work. but i'm not able to make it work. ie when i try to ping from 192.168.255.1 to any remote address then the icmp packets go out on eth1 _without_ ipsec putting them into the tunnel.

i read in shorewall's ipsec howto:
-----------------------------------
"In /etc/shorewall/masq, traffic that will later be encrypted is exempted from MASQUERADE/SNAT using existing entries. If you want to MASQUERADE/SNAT outgoing traffic that will later be encrypted, you must include the appropriate indication in the new IPSEC column in that file."
-----------------------------------
but what does it mean? i put into my masq file:
-----------------------------------
$NET_IF:$REMOTE_NET $VPNS_NET $LAN_IP - - mode=tunnel
-----------------------------------
but tried many others. none of them working. what should i have to write into this file in order to be able to masq all traffic from the vpn network to the remote network to my lan interface's address?

thanks in advance.
regards.
--
Levente "Si vis pacem para bellum!"
------------------------------------------------------------------------------ This SF.net email is sponsored by Sprint What will you do first with EVO, the first 4G phone? Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
Tom Eastep
2010-Jul-18 00:54 UTC
Re: ipsec with snat not working for me. can someone help me?
On 7/17/10 8:54 AM, Farkas Levente wrote:

> but what does it means?

It means that column is not relevant to your problem - LEAVE IT EMPTY.

> i put into my masq file:
> -----------------------------------
> $NET_IF:$REMOTE_NET $VPNS_NET $LAN_IP - - mode=tunnel
> -----------------------------------
> but try many others. none of them working. what should i've to write
> into this file in order to be able masq all traffic from the vpn network
> to the remote network to my lan interface's address?

How could we possibly know? You show us a bunch of shell variables but don't tell us what their values are? As always when there is a connection problem, I don't want to see configuration file contents; I want to see the output of 'shorewall dump'.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2010-Jul-18 17:44 UTC
Re: ipsec with snat not working for me. can someone help me?
On 7/17/10 5:54 PM, Tom Eastep wrote:

> On 7/17/10 8:54 AM, Farkas Levente wrote:
>
>> but what does it means?
>
> It means that column is not relevant to your problem - LEAVE IT EMPTY.
>
>> i put into my masq file:
>> -----------------------------------
>> $NET_IF:$REMOTE_NET $VPNS_NET $LAN_IP - - mode=tunnel
>> -----------------------------------
>> but try many others. none of them working. what should i've to write
>> into this file in order to be able masq all traffic from the vpn network
>> to the remote network to my lan interface's address?
>
> How could we possibly know? You show us a bunch of shell variables but
> don't tell us what their values are? As always when there is a
> connection problem, I don't want to see configuration file contents; I
> want to see the output of 'shorewall dump'.

Basically, you must construct a rule that will give the packets a source IP address that is covered by your security policies.

Beware, however, that I have been working with another Shorewall user (Brian Murrell) who is trying to do a similar thing and we are finding that return packets are being mysteriously dropped in pre-routing/routing (they are going through the mangle PREROUTING chain but are not reaching either the FORWARD or INPUT chains). So I can't guarantee that you will find any solution to this problem.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
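The point Tom makes above, that the SNAT address must fall inside the selector of an IPsec "out" policy or the packet leaves the public interface in the clear, can be checked directly against `ip xfrm policy` output. The following is an added example, not code from the thread or from Shorewall: it parses a constructed sample of that output (remote network 10.99.0.0/16 and gateway addresses 203.0.113.1 / 198.51.100.1 are placeholders) and reports whether a given source/destination pair would be covered before and after the source rewrite.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not from the thread): the
# 'out' selector admits only the LAN subnet 172.22.80.0/24 towards a
# hypothetical remote network 10.99.0.0/16; gateway addresses are placeholders.
SAMPLE_XFRM_POLICY = """\
src 172.22.80.0/24 dst 10.99.0.0/16
\tdir out priority 2344 ptype main
\ttmpl src 203.0.113.1 dst 198.51.100.1
\t\tproto esp reqid 16385 mode tunnel
src 10.99.0.0/16 dst 172.22.80.0/24
\tdir in priority 2344 ptype main
\ttmpl src 198.51.100.1 dst 203.0.113.1
\t\tproto esp reqid 16385 mode tunnel
"""

_SELECTOR = re.compile(r"^src (\S+) dst (\S+)")   # top-level selector line
_DIRECTION = re.compile(r"^\s+dir (\S+)")          # indented 'dir in|out|fwd'


def parse_xfrm_policies(text):
    """Return [(src_net, dst_net, direction), ...] from `ip xfrm policy` text."""
    policies, current = [], None
    for line in text.splitlines():
        sel = _SELECTOR.match(line)
        if sel:
            current = [ipaddress.ip_network(sel.group(1), strict=False),
                       ipaddress.ip_network(sel.group(2), strict=False), None]
            policies.append(current)
            continue
        direction = _DIRECTION.match(line)
        if direction and current is not None:
            current[2] = direction.group(1)
    return [tuple(p) for p in policies]


def covering_policy(policies, src, dst, direction="out"):
    """First selector covering src->dst in `direction`, as (src_net, dst_net), else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, dirn in policies:
        if dirn == direction and s in src_net and d in dst_net:
            return (str(src_net), str(dst_net))
    return None


def would_be_encrypted(text, src, dst):
    """True if an 'out' policy matches, i.e. the packet gets ESP instead of leaving in the clear."""
    return covering_policy(parse_xfrm_policies(text), src, dst) is not None
```

With the sample above, `would_be_encrypted(SAMPLE_XFRM_POLICY, "192.168.255.1", "10.99.1.10")` is False (the tun0 source is outside the selector) while the same call with source `172.22.80.1` is True, which is why the SNAT address has to be chosen from inside the policy's source network.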