I've done something similar, only I just used a network specifically for
roadwarriors.  My rules for this were something like:

/sbin/iptables -t mangle -A PREROUTING -i ipsec0 -j MARK --set-mark 1
/sbin/iptables -t nat -A POSTROUTING -m mark --mark 1 -j SNAT --to 10.100.16.1-10.100.16.254

Although the SAME target would probably be preferable to SNAT.

This has a few advantages.  One, you don't *have* to have this box as your
gateway, you just put a route to, in my case 10.100.16.0/24, through your rw
vpn box.

One thing of note if you have the normal sort of roadwarriors (i.e., they
have variable IP addresses).  Because of what most consider a flaw in the
IPsec specification, if you use pre-shared keys, you will have *one* PSK for
*all* roadwarriors.  For this reason, it's often preferable to use RSA keys
or certificates.  And, to complicate matters even more, I'm not sure if the
Mandrake RPMs have X.509 certificate support compiled in.  Of course you
can do it however... but I did want to save you from the frustration of
trying to figure out why multiple PSKs aren't working.

-Joe
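As an added worked example (not Joe's or Vasiliy's script), here is the mark-then-SNAT setup from the rules above written out as a small POSIX shell script for a Linux 2.4 / FreeS/WAN (KLIPS) gateway. The pool 10.100.16.0/24 is the one named in the post; the interface names eth0 (Internet) and eth1 (LAN), the fwmark value, the extra INPUT/FORWARD rules and the function names are assumptions. Run as-is it only prints the iptables commands; set DRY_RUN=0 and run it as root to apply them.

```sh
#!/bin/sh
# Added example for the roadwarrior NAT described above; not the script of
# anyone in the thread. Assumptions: decrypted roadwarrior traffic arrives on
# ipsec0 (KLIPS), the Internet is on eth0, the LAN is on eth1, and the LAN's
# default router has a route for 10.100.16.0/24 pointing at this box
# (e.g. "route add -net 10.100.16.0/24 gw <this-box>") so replies come back
# here even when this box is not the LAN gateway.

IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
RW_MARK=${RW_MARK:-1}
POOL_FIRST=${POOL_FIRST:-10.100.16.1}
POOL_LAST=${POOL_LAST:-10.100.16.254}

# IKE (UDP/500) and ESP (IP protocol 50) must be accepted on the outside
# interface, or no tunnel comes up in the first place.
ike_rules() {
    echo "$IPT -A INPUT -i $WAN -p udp --dport 500 -j ACCEPT"
    echo "$IPT -A INPUT -i $WAN -p 50 -j ACCEPT"
}

# Mark-then-SNAT: the nat POSTROUTING chain cannot match on the input
# interface, so a mangle PREROUTING rule records "arrived via ipsec0" in the
# fwmark and POSTROUTING keys on that mark. The encrypted packets arrive on
# eth0 as ESP and never match "-i ipsec0", so only decrypted roadwarrior
# traffic is rewritten to a pool address.
rw_nat_rules() {
    echo "$IPT -t mangle -A PREROUTING -i ipsec0 -j MARK --set-mark $RW_MARK"
    echo "$IPT -t nat -A POSTROUTING -o $LAN -m mark --mark $RW_MARK -j SNAT --to-source $POOL_FIRST-$POOL_LAST"
    # Forward decrypted traffic into the LAN, and only answers back out.
    echo "$IPT -A FORWARD -i ipsec0 -o $LAN -j ACCEPT"
    echo "$IPT -A FORWARD -i $LAN -o ipsec0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Execute (or, in dry-run mode, print) each generated command. The unquoted
# $cmd is deliberate: no argument contains whitespace, so word splitting
# turns the line back into argv.
apply_rules() {
    { ike_rules; rw_nat_rules; } | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd
        fi
    done
}

apply_rules
```

The SNAT rule carries an explicit `-o eth1` so that only traffic heading into the LAN is rewritten; the FORWARD rules rely on ip_conntrack/ipt_state (the same modules Vasiliy was looking for) so the LAN side can only answer connections the roadwarrior opened.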

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Vasiliy Boulytchev
> Sent: Saturday, March 16, 2002 5:28 PM
> To: Frank Fiene
> Cc: [EMAIL PROTECTED]
> Subject: Re: modules
>
>
> Frank, and everyone
>
>     I've just reinstalled Mandrake 8.1    (first time I ever dealt with
> Mandrake)
>     Reason I installed Mandrake is because it comes with
> FreeS/WAN, that way
> I don't need to recompile the kernel (like in RedHat) to get IPsec up.
>     8.1 Mandrake comes with 2.4.8 kernel.
>     Here are my plans:
>     1.)    have this box as a gateway firewall
>     2.)    have IP Masq working properly
>     3.)    have FreeS/WAN VPN working in RoadWarrior mode and authenticate
> via shared Secrets.
>     4.)    Have RoadWarrior clients come in via IP Masq, no need to serve
> IPs.
>
>     So here's my steps:
>     1.)   Have this thing as a gateway first.
>     2.)   turn ipsec on
>     3.)   configure ipsec.conf and ipsec.secrets
>     4.)   masq everything from ipsec0 to eth1.
>
>     If anyone has already played with this, let's hook up.
>     Also, if anyone has anything to add to this plan, please let
> me know :)
>
>     Also, I've never really dealt with iptables.  I'm RTFMing right now.
> Any awesome links?  Any table examples?
>
> Thanks list, you're great,
>
> Vasiliy Boulytchev
> Colorado Information Technologies Inc.
> ----- Original Message -----
> From: "Frank Fiene" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Saturday, March 16, 2002 2:38 PM
> Subject: Re: modules
>
>
> > On Saturday, 16. March 2002 21:17, Vasiliy Boulytchev wrote:
> > > Ladies and Gents,
> > >     When I installed iptables from source, I can't find
> > > ipt_MASQUERADE.o, ipt_state.o, ipt_REJECT.o, ip_nat_ftp.o and so on.
> > > Did the names change?
> > >     I search for them in such manner:
> > >
> > >     find /usr/src -name ipt_state.o
> > >
> > >
> > >     I did uninstall the RPM before installing from source.
> > >
> >
> > Have you made a kernel configuration with iptables?
> > Have you compiled the iptables user space, or what else?
> >
> > Very difficult to see what you have done!
> >
> > ff
> > --
> > SYNTAGS GmbH, Maerkische Str. 237, D-44141 Dortmund, Germany
> > Security, Cryptography, Networks, Software Development
> > http://www.syntags.de mailto:[EMAIL PROTECTED]
> >