We need to connect to a vendor's network over VPN; however, they are
telling us we need to NAT all the traffic going to their network. They
also want publicly addressable IPs as the NATed address (go figure). I
have read extensively and looked at manuals but can't quite get it working.
Setup is as follows:
1.1.1.1 -> My network VPN endpoint
1.1.1.100 -> My NAT address (I took it off the $ext_if)
2.2.2.1 -> Vendor Network VPN endpoint
2.2.2.100 -> Vendor NAT address
Vendor is running a TCP service on 2.2.2.100:5000 that I am trying to
access from my network.
I have set up a VPN tunnel which seems to be in place, e.g. doing netstat
-nr shows this:
Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
2.2.2.100/32       0     1.1.1.100/32       0     0      2.2.2.1/esp/use/in
1.1.1.100/32       0     2.2.2.100/32       0     0      2.2.2.1/esp/require/out
Then, per the instructions in the following document, I did:
http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html
ifconfig lo1 1.1.1.100/32
route add 2.2.2.100/32 1.1.1.100
If I do that I can ping the Vendor NAT address from the firewall itself, but
telnetting to 2.2.2.100 port 5000 never connects.
Then I added:
nat on lo1 from 10.0.8.0/24 to 2.2.2.100 -> 1.1.1.100
If I then try to ping 2.2.2.100 from e.g. 10.0.8.101 I get:
From 10.0.8.254 icmp_seq=1 Time to live exceeded
If I try to telnet to 2.2.2.100:5000 I get:
# telnet 2.2.2.100 5000
Trying 2.2.2.100...
telnet: connect to address 2.2.2.100: No route to host
telnet: Unable to connect to remote host: No route to host
If I try to sniff on lo1 I get:
> tcpdump -vvv -i lo1
tcpdump: listening on lo1, link-type LOOP
13:14:40.279954 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 63, id 3738, len 60)
13:14:40.279982 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 62, id 21751, len 60)
13:14:40.279993 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 61, id 29876, len 60)
I even tried assigning 1.1.1.100 to the enc0 interface, which enables me to
connect to 2.2.2.100:5000 from the firewall, but NAT over enc0 doesn't work.
I would appreciate any help.
Thanks,
Vladimir
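An added example, not part of Vladimir's post and not OpenBSD or pf code: a small Python parser over tcpdump lines in the format shown above that flags a segment reappearing on the same interface within microseconds with its TTL one lower each time. That pattern is the signature of a packet being forwarded back through the same path (a forwarding loop, which is what eventually produces "Time to live exceeded"), whereas a TCP retransmit keeps its TTL and is spaced by the retransmission timer. The sample trace is the three SYNs from the post, re-joined onto single lines, plus a constructed two-line retransmit for contrast; the window and minimum-copies thresholds are assumptions.

```python
import re
from collections import defaultdict

# The three SYNs from the post above (each tcpdump record on one line).
SAMPLE_LOOP_TRACE = """\
13:14:40.279954 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 63, id 3738, len 60)
13:14:40.279982 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 62, id 21751, len 60)
13:14:40.279993 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 61, id 29876, len 60)
"""

# Constructed contrast case: a normal SYN retransmit one second later.
# Same TTL, new IP id, seconds apart: not a loop.
SAMPLE_RETRANSMIT_TRACE = """\
13:15:00.000000 10.0.8.101.55180 > 2.2.2.100.5000: S [tcp sum ok] 100:100(0) win 5840 <mss 1460> (DF) [tos 0x10] (ttl 63, id 4000, len 60)
13:15:01.000000 10.0.8.101.55180 > 2.2.2.100.5000: S [tcp sum ok] 100:100(0) win 5840 <mss 1460> (DF) [tos 0x10] (ttl 63, id 4001, len 60)
"""

# Matches the OpenBSD tcpdump -vvv TCP line layout used in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) .*?(?P<seq>\d+):\d+\(\d+\).*"
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len (?P<len>\d+)\)$"
)


def ts_to_seconds(ts):
    """Convert HH:MM:SS.ffffff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text):
    """Parse tcpdump lines into dicts; lines that do not match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "ts": ts_to_seconds(d["ts"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "seq": int(d["seq"]), "ttl": int(d["ttl"]), "id": int(d["id"]),
        })
    return pkts


def find_forwarding_loops(pkts, window=0.01, min_copies=3):
    """Report segments seen repeatedly with TTL decreasing by one per copy.

    Copies of one segment (same 4-tuple and sequence number) that arrive
    within `window` seconds and whose TTLs step down 63, 62, 61, ... were
    re-forwarded by the same host, not retransmitted by the sender.
    The thresholds are assumptions chosen for this example.
    """
    groups = defaultdict(list)
    for p in pkts:
        groups[(p["src"], p["sport"], p["dst"], p["dport"], p["seq"])].append(p)

    loops = []
    for (src, sport, dst, dport, seq), seen in groups.items():
        seen.sort(key=lambda p: p["ts"])
        ttls = [p["ttl"] for p in seen]
        span = seen[-1]["ts"] - seen[0]["ts"]
        steps_down = all(a - b == 1 for a, b in zip(ttls, ttls[1:]))
        if len(seen) >= min_copies and steps_down and span <= window:
            loops.append({
                "flow": f"{src}:{sport} -> {dst}:{dport}",
                "copies": len(seen),
                "ttl_first": ttls[0], "ttl_last": ttls[-1],
                "span_s": span,
            })
    return loops


if __name__ == "__main__":
    for name, trace in (("loop", SAMPLE_LOOP_TRACE),
                        ("retransmit", SAMPLE_RETRANSMIT_TRACE)):
        for hit in find_forwarding_loops(parse_trace(trace)):
            print(name, hit)
```

Run on the post's trace it reports one flow, 10.0.8.101:55173 -> 2.2.2.100:3128, seen three times with TTL 63 down to 61 inside 40 microseconds; the constructed retransmit produces no report. The same check can be pointed at a live `tcpdump -i lo1` or `tcpdump -i enc0` capture on the firewall to tell a routing loop apart from a filter drop before changing route or pf rules.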