Johan Hedin wrote:
Hi

I need help with our IPSEC setup. We have an internal net 192.168.1.0/24. We have IPSEC to a customer on net 10.92.0.0/16. However, they already use the 192.168.1.0 net, so the IPSEC tunnel is to 10.84.230.0/28. I have set up 10.84.230.1 on the internal network interface (hme3) and added a manual route to 10.92.0.0/16 via 10.84.230.1. All works perfectly on the firewall. On the internal net, however, I cannot reach the 10.92 net. I have tried to NAT 192.168.1.0 via 10.84.230.1. NAT works, but the packets are thrown back out on hme3 with 10.84.230.1 as source address, and not via enc0 as I want. How would one solve this?

TIA

Johan Hedin
CTO eCare AB



Hi
This has been discussed here before. From the pf.conf man page:
-----------------------------------
NAT can also be applied to enc# interfaces, but special care should be
taken because of the interactions between NAT and the IPsec flow matching,
especially on the packet output path. Inside the TCP/IP stack, packets go
through the following stages:

           UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
           UL/R <-------- PF/NAT(enc0) <- IPsec <- PF/NAT(IF) <- IF

With IF being the real interface and UL/R the Upper Layer or Routing
code. The [X] stage on the output path represents the point where the
packet is matched against the IPsec flow database (SPD) to determine if
and how the packet has to be IPsec-processed. If, at this point, it is
determined that the packet should be IPsec-processed, it is processed by
the PF/NAT code. Unless PF drops the packet, it will then be
IPsec-processed, even if the packet has been modified by NAT.
-----------------------------------------


What I do for this is have my VPN server in a DMZ:


                EVIL
               INTERNET
     /                     \
    /                       \   
em0                         em0 
|                            |
---\                      /----\
fw  | - em1  -DMZ-  - em1 | vpn |
---/                      \----/
|
em2

Internal networks


Outbound traffic to your customer gets NATed on em1 of fw.

Inbound traffic from your customer gets NATed on em1 of vpn.

This may or may not be 'correct' but it works here, and it is pretty simple.
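The two NAT points in the DMZ layout above, written out as pf.conf(5) rules in the "nat on" syntax of that era. This is an added example, not configuration posted by either participant; the addresses are assumptions (DMZ net 10.84.230.0/28, the net the customer expects; fw em1 = 10.84.230.1; vpn em1 = 10.84.230.2), the internal and customer nets are the ones from the question, and the vpn-side rule is one reading of "NATed on em1 of vpn".

```conf
# Added example, not from the original thread. Two separate files, one
# per host, shown together. All addresses are ASSUMED as described above.

# ---- fw: /etc/pf.conf ----
int_net  = "192.168.1.0/24"
cust_net = "10.92.0.0/16"
fw_dmz   = "10.84.230.1"      # assumed address of fw em1

# Outbound: internal hosts heading for the customer leave fw on em1 and
# are rewritten to fw's DMZ address. fw runs no IPsec, so the SPD lookup
# described in the man page excerpt never happens on this box; the vpn
# host then only ever sees 10.84.230.0/28 -> 10.92.0.0/16, which is the
# flow it negotiated with the customer.
nat on em1 from $int_net to $cust_net -> $fw_dmz

# fw also needs a route for the customer net pointing at the vpn box
# (assumed address):
#   route add -net 10.92.0.0/16 10.84.230.2

# ---- vpn: /etc/pf.conf ----
cust_net = "10.92.0.0/16"
vpn_dmz  = "10.84.230.2"      # assumed address of vpn em1

# Inbound: packets from the customer arrive decapsulated on enc0 and are
# forwarded toward fw on em1; rewriting their source to the vpn box's DMZ
# address on that physical interface is what "NATed on em1 of vpn" is
# read to mean here. No NAT is applied on enc0, so the SPD match at [X]
# and the IPsec processing always see the untranslated tunnel addresses.
nat on em1 from $cust_net to any -> $vpn_dmz
```

The point of splitting the roles this way is that every NAT rule sits on a physical interface of a box whose IPsec decision, if it has one at all, is made on addresses the rule does not touch; the enc0 interaction the man page warns about is sidestepped rather than solved.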
