Hi Everyone,

I'm trying to set up an IPSec tunnel between one of my offices and a vendor's network. I have the tunnel connecting, but I'm hitting a brick wall on figuring out how to make my shorewall/iptables system work with it.

This setup is very different from anything I have previously set up in that they are requiring that I use SNAT to make all packets from our network appear to be coming from a subnet that they have provided and I'm not sure I understand how to accomplish this within shorewall.

Here is what we have (these aren't the real IPs):

My Network

192.168.27.1 - Firewall (Internal IP)
10.8.0.1 - Public IP
10.9.0.1 - Vendor Public IP
10.60.72.72/30 - Subnet to NAT source traffic to

Here's what I have for my IPSec config (which is connecting without issues):

conn sec1
    authby=secret
    left=10.8.0.1
    leftsubnet=10.60.72.72/30
    right=10.9.0.1
    rightsubnet=10.167.50.56/32
    auto=start
    pfs=no
    ike=aes-256-sha1-modp1024
    esp=aes-256-sha1

In Shorewall I have a pretty standard 2 network card setup:

eth0 - Local Network
eth1 - Internet

I have a couple other IPsec tunnels running on this machine and defined in the zones and tunnels files.

Can anyone give me some tips about how I go about NAT'ing my source traffic in shorewall for something like this? I'm thoroughly confused.

Brad

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct
Tom Eastep
2012-Oct-18 23:31 UTC
Re: IPSec Tunnel with Source NAT Confusion (Shorewall 4.0.6)
On 10/18/12 2:33 PM, Brad Faler wrote:
> Hi Everyone,
>
> I'm trying to set up an IPSec tunnel between one of my offices and a
> vendor's network. I have the tunnel connecting, but I'm hitting a brick
> wall on figuring out how to make my shorewall/iptables system work with it.
>
> This setup is very different from anything I have previously set up in
> that they are requiring that I use SNAT to make all packets from our
> network appear to be coming from a subnet that they have provided and
> I'm not sure I understand how to accomplish this within shorewall.
>
> Here is what we have (these aren't the real IPs):
>
> My Network
>
> 192.168.27.1 - Firewall (Internal IP)
> 10.8.0.1 - Public IP
> 10.9.0.1 - Vendor Public IP
> 10.60.72.72/30 - Subnet to NAT source traffic to
>
> Here's what I have for my IPSec config (which is connecting without issues)
>
> conn sec1
>     authby=secret
>     left=10.8.0.1
>     leftsubnet=10.60.72.72/30
>     right=10.9.0.1
>     rightsubnet=10.167.50.56/32
>     auto=start
>     pfs=no
>     ike=aes-256-sha1-modp1024
>     esp=aes-256-sha1
>
> In Shorewall I have a pretty standard 2 network card setup:
>
> eth0 - Local Network
> eth1 - Internet
>
> I have a couple other IPsec tunnels running on this machine and defined
> in the zones and tunnels files.
>
> Can anyone give me some tips about how I go about NAT'ing my source
> traffic in shorewall for something like this? I'm thoroughly confused.

Try this in /etc/shorewall/masq:

eth1:10.167.50.56    192.168.27.0/24    10.60.72.73

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
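Tom's one-line masq entry maps onto a single iptables SNAT rule in the nat table's POSTROUTING chain, and the SNAT address has to be one the IPsec policy covers: a packet whose source is outside leftsubnet does not match the tunnel's selectors and is not carried by the tunnel. The script below is an added example, not code from the thread or from Shorewall itself; it spells out the masq-column-to-iptables mapping and checks the chosen SNAT address against leftsubnet, using the fictitious addresses from the thread. The function names (ip4_to_int, in_subnet, masq_to_iptables, check_masq) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Shorewall itself. It shows the
# iptables rule a Shorewall masq line of the form  INTERFACE:DEST  SOURCE  ADDRESS
# corresponds to, and checks that the SNAT address lies inside the IPsec leftsubnet.
# Addresses are the fictitious ones used in the thread.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR -> succeeds when ADDR lies within CIDR (a bare address means /32).
in_subnet() {
    addr=$(ip4_to_int "$1")
    case $2 in
        */*) net=$(ip4_to_int "${2%/*}"); bits=${2#*/} ;;
        *)   net=$(ip4_to_int "$2");      bits=32 ;;
    esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# masq_to_iptables INTERFACE[:DEST] SOURCE ADDRESS
# Prints the nat-table rule equivalent to that masq line: match on the outgoing
# interface (and destination, if given) and the internal source, then SNAT.
masq_to_iptables() {
    iface=${1%%:*}
    dest=${1#*:}
    rule="iptables -t nat -A POSTROUTING -o $iface"
    [ "$dest" != "$1" ] && rule="$rule -d $dest"
    echo "$rule -s $2 -j SNAT --to-source $3"
}

# check_masq INTERFACE[:DEST] SOURCE ADDRESS LEFTSUBNET
# Succeeds only if the SNAT address is one the tunnel's policy covers; a packet
# whose source is outside leftsubnet does not match the IPsec selectors.
check_masq() {
    if in_subnet "$3" "$4"; then
        echo "OK: SNAT address $3 is inside leftsubnet $4"
        return 0
    fi
    echo "WARNING: SNAT address $3 is outside leftsubnet $4" >&2
    return 1
}

# Demonstration with the thread's values (run stand-alone).
masq_to_iptables eth1:10.167.50.56 192.168.27.0/24 10.60.72.73
check_masq eth1:10.167.50.56 192.168.27.0/24 10.60.72.73 10.60.72.72/30
# A mistyped SNAT address outside the /30 is flagged instead of silently accepted.
check_masq eth1:10.167.50.56 192.168.27.0/24 10.60.72.77 10.60.72.72/30 || true
```

Shorewall writes the real rule itself from the masq file; the script only makes the mapping visible. After `shorewall restart`, `iptables -t nat -L POSTROUTING -n -v` should show the SNAT rule with its packet counter rising as traffic flows to 10.167.50.56, and `ip xfrm policy` should show an outbound policy with src 10.60.72.72/30 and dst 10.167.50.56/32, which is what the translated packets must match.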
Brad Faler
2012-Oct-19 21:41 UTC
Re: IPSec Tunnel with Source NAT Confusion (Shorewall 4.0.6)
I think that did the trick. Thank you very much!

Brad

On 10/18/2012 5:31 PM, Tom Eastep wrote:
> Try this in /etc/shorewall/masq:
>
> eth1:10.167.50.56    192.168.27.0/24    10.60.72.73
>
> -Tom