Thank you Stuart,
I am aware of this feature, but that way I can only NAT from one network (the
one in parentheses) through the tunnel:
ike esp from 10.10.10.1 (192.168.1.0/24) to 192.168.2.0/24 \
peer 10.10.20.1
I already have that configured for the tunnel between headquarters and a
customer. Packets coming from the remote office aren't in any of those networks.
I found one solution, without the above. I add a static route to the customer's LAN
with gw 127.0.0.1, and then I do nat on lo0 from HQ's LAN and the remote office's LAN
to the customer's LAN, and it works well; you can do nat from any local or remote
network through a tunnel.
But, rdr doesn't work. Packets come, get redirected, get replied to, but then
they are not passed back because they hit SAD matching first.
Too bad.
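The workaround described in the reply above, written out as configuration fragments for Router1. This is an added example, not configuration from the thread; the addresses, the interface name enc0, the pre-4.7 pf "nat on ... ->" syntax and the extra Lan3<->Lan2 SA on tunnel 1 are assumptions.

```conf
# Constructed addressing (assumption, not from the thread):
#   Lan1 = 192.168.1.0/24  HQ, behind Router1 (WAN 10.10.10.1)
#   Lan2 = 192.168.2.0/24  remote office, behind Router2 (WAN 10.10.20.1)
#   Lan3 = 192.168.3.0/24  customer, behind Router3 (WAN 10.10.30.1)

# ---- /etc/ipsec.conf on Router1 ----
# Tunnel 1: HQ <-> remote office. Besides Lan1<->Lan2, carry Lan3<->Lan2
# so that Router2 encapsulates Lan2 -> Lan3 packets towards Router1
# (the additional SA the original question asks for).
ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 10.10.20.1
ike esp from 192.168.3.0/24 to 192.168.2.0/24 peer 10.10.20.1
# Tunnel 2: HQ <-> customer, negotiated from Router1's own address only.
# No "(srcnat)" network here: pf does the translation instead, so more
# than one source network can share this flow.
ike esp from 10.10.10.1 to 192.168.3.0/24 peer 10.10.30.1

# ---- static route (run once, or put it in /etc/hostname.lo0 as a "!route" line) ----
# Sends packets for the customer LAN through lo0 first, so pf can NAT them
# before the IPsec flow (SAD) is consulted:
#   route add -net 192.168.3.0/24 127.0.0.1

# ---- /etc/pf.conf on Router1 (pf syntax before OpenBSD 4.7, as in the mail) ----
# Do NOT "set skip on lo0": pf has to see the packets crossing the loopback.
# Both the HQ LAN and the remote-office LAN are translated to the tunnel 2
# endpoint; the translated packet then matches the 10.10.10.1 -> 192.168.3.0/24
# flow and is encrypted. Replies arrive on enc0 and are reverse-translated by
# the (floating, by default) pf state created here.
nat on lo0 from { 192.168.1.0/24, 192.168.2.0/24 } to 192.168.3.0/24 -> 10.10.10.1
pass on lo0 all
pass on enc0 all
# Note from the thread: the same trick does not work for rdr (destination NAT);
# the redirected reply hits the SAD before pf can undo the translation.
```

The key point of the arrangement is ordering: routing the customer LAN via 127.0.0.1 forces packets across lo0, where pf rewrites the source, and only the rewritten packet is then matched against the IPsec flow, which is why any number of local or remote networks can share the single 10.10.10.1 -> Lan3 SA.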
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Stuart Henderson
Sent: Sunday, January 17, 2010 2:11 PM
To: [email protected]
Subject: Re: Route traffic between two IPSEC tunnels
Take a look at OUTGOING NETWORK ADDRESS TRANSLATION in ipsec.conf(5).
On 2010-01-16, Mihajlo Manojlov <[email protected]> wrote:
> Hello everybody,
>
> is there any way to route traffic between two ipsec tunnels, like in this
> example:
>
> Lan1---|Router1|--Wan1---|INTERNET|---Wan2---|Router2|---Lan2
>            |
>           Wan3
>            |
>        |Router3|
>            |
>           Lan3
>
> Router1 is at the company's headquarters, Router2 is at the remote office and
> Router3 is a customer.
> Headquarters' Lan1 is connected to the remote office's Lan2 and the customer's
> Lan3 over an IPSec tunnel.
> Lan1 <--IPSec--> Lan2
> Lan1 <--IPSec--> Lan3
>
> I would like to allow communication between the remote office's Lan2 and the
> customer's Lan3 over Router1.
> Lan2 <--IPSec - Router1 - IPSec --> Lan3
>
> In Linux, I would just add one more tunnel from the remote office's Wan2 to
> headquarters' Wan1 with Lan2 and the customer's Lan3 defined as SAs.
> Then I would tell iptables to NAT everything from Lan2 to Lan3 --> Lan1 IP.
> The request would come from Lan2 to Lan3 over the second defined tunnel between
> Router2 and Router1, and there it would be NAT-ed to the Lan1 IP and sent
> forward to Lan3 over the existing tunnel between Router1 and Router3.
>
> Can I do that with pf and isakmpd?
>
> Thank you very much