Shorewall users - Oct 2012 - IPSec Tunnel with Source NAT Confusion (Shorewall 4.0.6)

Hi Everyone,

I''m trying to set up an IPSec tunnel between one of my offices and a 
vendor''s network.  I have the tunnel connecting, but I''m
hitting a brick
wall on figuring out how to make my shorewall/iptables system work with it.

This setup is very different from anything I have previously set up in 
that they are requiring that I use SNAT to make all packets from our 
network appear to be coming from a subnet that they have provided and 
I''m not sure I understand how to accomplish this within shorewall.

Here is what we have (these aren''t the real IPs):

My Network

192.168.27.1 - Firewall (Internal IP)
10.8.0.1 - Public IP
10.9.0.1 - Vendor Public IP
10.60.72.72/30 - Subnet to NAT source traffic to

Here''s what I have for my IPSec config (which is connecting without
issues)

conn sec1
         authby=secret
         left=10.8.0.1
         leftsubnet=10.60.72.72/30
         right=10.9.0.1
         rightsubnet=10.167.50.56/32
         auto=start
         pfs=no
         ike=aes-256-sha1-modp1024
         esp=aes-256-sha1

In Shorewall I have a pretty standard 2 network card setup:

eth0 - Local Network
eth1 - Internet

I have a couple other IPsec tunnels running on this machine and defined 
in the zones and tunnels files.nano t

Can anyone give me some tips about how I go about NAT''ing my source 
traffic in shorewall for something like this?  I''m thoroughly confused.

Brad


------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct

On 10/18/12 2:33 PM, Brad Faler wrote:
> Hi Everyone,
> 
> I''m trying to set up an IPSec tunnel between one of my offices and
a
> vendor''s network.  I have the tunnel connecting, but I''m
hitting a brick
> wall on figuring out how to make my shorewall/iptables system work with it.
> 
> This setup is very different from anything I have previously set up in 
> that they are requiring that I use SNAT to make all packets from our 
> network appear to be coming from a subnet that they have provided and 
> I''m not sure I understand how to accomplish this within shorewall.
> 
> Here is what we have (these aren''t the real IPs):
> 
> My Network
> 
> 192.168.27.1 - Firewall (Internal IP)
> 10.8.0.1 - Public IP
> 10.9.0.1 - Vendor Public IP
> 10.60.72.72/30 - Subnet to NAT source traffic to
> 
> Here''s what I have for my IPSec config (which is connecting
without issues)
> 
> conn sec1
>          authby=secret
>          left=10.8.0.1
>          leftsubnet=10.60.72.72/30
>          right=10.9.0.1
>          rightsubnet=10.167.50.56/32
>          auto=start
>          pfs=no
>          ike=aes-256-sha1-modp1024
>          esp=aes-256-sha1
> 
> In Shorewall I have a pretty standard 2 network card setup:
> 
> eth0 - Local Network
> eth1 - Internet
> 
> I have a couple other IPsec tunnels running on this machine and defined 
> in the zones and tunnels files.nano t
> 
> Can anyone give me some tips about how I go about NAT''ing my
source
> traffic in shorewall for something like this?  I''m thoroughly
confused.
Try this in /etc/shorewall/masq:

eth1:10.167.50.56	192.168.27.0/24	10.60.72.73

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct

I think that did the trick.  Thank you very much!

Brad

On 10/18/2012 5:31 PM, Tom Eastep wrote:
> Try this in /etc/shorewall/masq: eth1:10.167.50.56 192.168.27.0/24 
> 10.60.72.73 -Tom 

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_sfd2d_oct