[Shorewall-users] Source Nat and VPN Tunnels
Mike Jaquays
2007-12-13 21:35:14 UTC
All,

I've got an ipsec VPN server running on Debian etch with shorewall
3.4.4. I've got a VPN tunnel requirement to source nat all traffic from
my local net to a single ip BEFORE it gets into the VPN tunnel. I've
seen a few discussions about this, but am still unable to make it work.
The remote side still sees my internal network when attempting to
establish the tunnel. Here are the configs:


1.1.1.1 = IP of remote VPN peer
2.2.2.0/24 = Remote Internal Network
3.3.3.0/24 = My Internal Network
4.4.4.4 = IP to Source NAT as to the remote net


Hosts File
vpn eth0:1.1.1.1,2.2.2.0/24 ipsec

Tunnels File
ipsec:noah net 1.1.1.1 vpn

Masq file
eth0:2.2.2.0/24 3.3.3.0/24 4.4.4.4 - - mode=tunnel,proto=esp


Any help you all could provide would be much appreciated. Let me know
if any further explanation is required.
--
-Mike
Tom Eastep
2007-12-13 21:41:14 UTC
Post by Mike Jaquays
All,
I've got an ipsec VPN server running on Debian etch with shorewall
3.4.4. I've got a VPN tunnel requirement to source nat all traffic from
my local net to a single ip BEFORE it gets into the VPN tunnel. I've
seen a few discussions about this, but am still unable to make it work.
The remote side still sees my internal network when attempting to
1.1.1.1 = IP of remote VPN peer
2.2.2.0/24 = Remote Internal Network
3.3.3.0/24 = My Internal Network
4.4.4.4 = IP to Source NAT as to the remote net
Hosts File
vpn eth0:1.1.1.1,2.2.2.0/24 ipsec
Tunnels File
ipsec:noah net 1.1.1.1 vpn
Masq file
eth0:2.2.2.0/24 3.3.3.0/24 4.4.4.4 - - mode=tunnel,proto=esp
Any help you all could provide would be much appreciated. Let me know
if any further explanation is required.
What security policies do you have on each end?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ ***@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Mike Jaquays
2007-12-13 21:52:53 UTC
I can tell you what I have on my side, but I'd be guessing as to what the remote side has.

5.5.5.5 = My vpn server pub ip


spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec
esp/tunnel/1.1.1.1-5.5.5.5/require;

spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec
esp/tunnel/5.5.5.5-1.1.1.1/require;

spdadd 2.2.2.0/24 4.4.4.4/32 any -P in ipsec
esp/tunnel/1.1.1.1-5.5.5.5/require;

spdadd 4.4.4.4/32 2.2.2.0/24 any -P out ipsec
esp/tunnel/5.5.5.5-1.1.1.1/require;


----- Original Message -----
From: "Tom Eastep" <***@shorewall.net>
To: "Shorewall Users" <shorewall-***@lists.sourceforge.net>
Sent: Thursday, December 13, 2007 3:41:14 PM (GMT-0600) America/Chicago
Subject: Re: [Shorewall-users] Source Nat and VPN Tunnels
Post by Mike Jaquays
All,
I've got an ipsec VPN server running on Debian etch with shorewall
3.4.4. I've got a VPN tunnel requirement to source nat all traffic from
my local net to a single ip BEFORE it gets into the VPN tunnel. I've
seen a few discussions about this, but am still unable to make it work.
The remote side still sees my internal network when attempting to
1.1.1.1 = IP of remote VPN peer
2.2.2.0/24 = Remote Internal Network
3.3.3.0/24 = My Internal Network
4.4.4.4 = IP to Source NAT as to the remote net
Hosts File
vpn eth0:1.1.1.1,2.2.2.0/24 ipsec
Tunnels File
ipsec:noah net 1.1.1.1 vpn
Masq file
eth0:2.2.2.0/24 3.3.3.0/24 4.4.4.4 - - mode=tunnel,proto=esp
Any help you all could provide would be much appreciated. Let me know
if any further explanation is required.
What security policies do you have on each end?

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ ***@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2007-12-13 21:55:24 UTC
Post by Mike Jaquays
I can tell you what I have on my side, but I'd be guessing as to what the remote side has.
Er -- so long as you have 'require' on all of yours, then the other end's
policies must match yours.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ ***@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Mike Jaquays
2007-12-13 22:07:29 UTC
Ok, but that wouldn't cause issues with the source NAT would it?

-Mike
Post by Tom Eastep
Post by Mike Jaquays
I can tell you what I have on my side, but I'd be guessing as to what the remote side has.
Er -- so long as you have 'require' on all of yours, then the other end's
policies must match yours.
-Tom
_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2007-12-13 22:14:27 UTC
Post by Mike Jaquays
Ok, but that wouldn't cause issues with the source NAT would it?
I'm trying to understand why you have this silly source NAT requirement in
the first place.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ ***@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Mike Jaquays
2007-12-13 22:22:09 UTC
The remote side admin has requested we source nat all of our local
network traffic to avoid network conflicts and such. Trust me, if it
weren't a requirement from our remote partner I wouldn't even bother.

-Mike
Post by Tom Eastep
Post by Mike Jaquays
Ok, but that wouldn't cause issues with the source NAT would it?
I'm trying to understand why you have this silly source NAT requirement in
the first place.
-Tom
Tom Eastep
2007-12-13 22:26:11 UTC
Post by Mike Jaquays
The remote side admin has requested we source nat all of our local
network traffic to avoid network conflicts and such. Trust me, if it
weren't a requirement from our remote partner I wouldn't even bother.
Then I would:

a) Delete the 2.2.2.0/24<->3.3.3.0/24 security policies.
b) Remove the IPSEC 'OPTIONS' from your masq rule.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ ***@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
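Why Tom asks for both (a) and (b), as an added example that is not part of the thread and not Shorewall or setkey code: the script below parses the four spdadd statements and the masq line Mike posted and runs one constructed packet (3.3.3.10 to 2.2.2.20) through a simplified model of the outbound path. The model's three ordering assumptions are mine: the kernel looks up the outbound IPsec policy at routing time with the pre-NAT source (and that first match is what starts IKE, so its selectors are what the peer sees), a masq rule with the IPSEC column becomes a policy match in POSTROUTING that only sees that first lookup, and the kernel repeats the policy lookup after NAT has rewritten the source. Function names such as outbound(), step_a() and step_b() are hypothetical.

```python
"""Model of Mike's outbound packet path: original config, after step (a),
and after steps (a) + (b). Constructed illustration, not Shorewall code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# The four setkey policies quoted in the thread (statements end with ';').
SPD_ORIGINAL = """
spdadd 2.2.2.0/24 3.3.3.0/24 any -P in ipsec
esp/tunnel/1.1.1.1-5.5.5.5/require;
spdadd 3.3.3.0/24 2.2.2.0/24 any -P out ipsec
esp/tunnel/5.5.5.5-1.1.1.1/require;
spdadd 2.2.2.0/24 4.4.4.4/32 any -P in ipsec
esp/tunnel/1.1.1.1-5.5.5.5/require;
spdadd 4.4.4.4/32 2.2.2.0/24 any -P out ipsec
esp/tunnel/5.5.5.5-1.1.1.1/require;
"""
# The masq line quoted in the thread: INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC
MASQ_ORIGINAL = "eth0:2.2.2.0/24 3.3.3.0/24 4.4.4.4 - - mode=tunnel,proto=esp"


@dataclass
class Policy:
    src: Net
    dst: Net
    direction: str  # "in" or "out"


SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/\S+/require")


def parse_spd(text: str) -> List[Policy]:
    """Parse 'spdadd ... -P dir ipsec esp/tunnel/A-B/require;' statements."""
    policies = []
    for stmt in text.split(";"):
        m = SPD_RE.search(" ".join(stmt.split()))  # join the wrapped lines
        if m:
            policies.append(Policy(Net(m.group(1)), Net(m.group(2)), m.group(3)))
    return policies


@dataclass
class MasqRule:
    iface: str
    dest: Net          # the ':2.2.2.0/24' qualifier on the INTERFACE column
    source: Net        # SOURCE column
    address: Addr      # ADDRESS column (the SNAT address)
    ipsec_match: bool  # IPSEC column present -> policy match added to the rule


def parse_masq(line: str) -> MasqRule:
    cols = line.split()
    iface, dest = cols[0].split(":")
    return MasqRule(iface, Net(dest), Net(cols[1]), Addr(cols[2]),
                    len(cols) > 5 and cols[5] != "-")


def find_out_policy(spd: List[Policy], src: Addr, dst: Addr) -> Optional[Policy]:
    for p in spd:
        if p.direction == "out" and src in p.src and dst in p.dst:
            return p
    return None


def outbound(spd: List[Policy], masq: MasqRule, src: str, dst: str) -> Dict[str, object]:
    """Model (assumption) of the outbound path for one packet."""
    s, d = Addr(src), Addr(dst)
    # 1. Routing-time policy lookup with the pre-NAT source. If it matches,
    #    IKE is started for *these* selectors, which is what the peer sees.
    first = find_out_policy(spd, s, d)
    # 2. POSTROUTING masq. With the IPSEC column the rule only matches packets
    #    that already carry a policy from step 1; without it, it matches on
    #    interface/destination/source alone.
    hits = (d in masq.dest and s in masq.source
            and (first is not None or not masq.ipsec_match))
    outer_src = masq.address if hits else s
    # 3. NAT rewrote the source, so the policy lookup is repeated with it.
    trigger = first or find_out_policy(spd, outer_src, d)
    return {
        "outer_src": str(outer_src),
        "encrypted": trigger is not None,
        "proposed": f"{trigger.src}<->{trigger.dst}" if trigger else None,
    }


def step_a(spd: List[Policy]) -> List[Policy]:
    """(a) drop the 2.2.2.0/24<->3.3.3.0/24 policies."""
    internal = Net("3.3.3.0/24")
    return [p for p in spd if internal not in (p.src, p.dst)]


def step_b(masq: MasqRule) -> MasqRule:
    """(b) remove the IPSEC options from the masq rule."""
    return MasqRule(masq.iface, masq.dest, masq.source, masq.address, False)


def scenarios() -> Dict[str, Dict[str, object]]:
    spd, masq = parse_spd(SPD_ORIGINAL), parse_masq(MASQ_ORIGINAL)
    pkt = ("3.3.3.10", "2.2.2.20")  # constructed sample packet
    return {
        "original": outbound(spd, masq, *pkt),
        "a_only": outbound(step_a(spd), masq, *pkt),
        "a_and_b": outbound(step_a(spd), step_b(masq), *pkt),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:9s} {result}")
```

In the model the original config proposes 3.3.3.0/24 to the peer because the internal-network policy wins the pre-NAT lookup, which is the symptom Mike reports; deleting those policies alone (a) leaves the masq rule's policy match with nothing to match, so the packet is neither translated nor encrypted; only with (b) as well does the plain SNAT fire first and the post-NAT lookup select the 4.4.4.4/32 policy.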
Mike Jaquays
2007-12-13 22:28:00 UTC
I'll give it a shot. Thanks!

-Mike
Post by Tom Eastep
Post by Mike Jaquays
The remote side admin has requested we source nat all of our local
network traffic to avoid network conflicts and such. Trust me, if it
weren't a requirement from our remote partner I wouldn't even bother.
a) Delete the 2.2.2.0/24<->3.3.3.0/24 security policies.
b) Remove the IPSEC 'OPTIONS' from your masq rule.
-Tom