We need to connect to a vendor's network over VPN; however, they are telling us we need to NAT all the traffic going to their network. They also want publicly addressable IPs as the NATed address (go figure). I have read extensively and looked at manuals but can't quite get it working.

Setup is as follows:

1.1.1.1 -> My network VPN endpoint
1.1.1.100 -> My NAT address (I took it off the $ext_if)

2.2.2.1 -> Vendor Network VPN endpoint
2.2.2.100 -> Vendor NAT address

Vendor is running a TCP service on 2.2.2.100:5000 that I am trying to access from my network.

I have set up a VPN tunnel which seems to be in place, e.g. doing netstat -nr shows this:

Encap:
Source         Port  Destination    Port  Proto  SA(Address/Proto/Type/Direction)
2.2.2.100/32   0     1.1.1.100/32   0     0      2.2.2.1/esp/use/in
1.1.1.100/32   0     2.2.2.100/32   0     0      2.2.2.1/esp/require/out

Then, per the instructions in the following document, I did

http://fixunix.com/bsd/87865-nat-ipsec-openbsd-pf-isakmpd.html

ifconfig lo1 1.1.1.100/32
route add 2.2.2.100/32 1.1.1.100

If I do that I can ping the Vendor NAT address from the firewall itself, but telnetting to 2.2.2.100 port 5000 never connects.

Then I added

nat on lo1 from 10.0.8.0/24 to 2.2.2.100 -> 1.1.1.100

If I then try to ping 2.2.2.100 from e.g. 10.0.8.101 I get

From 10.0.8.254 icmp_seq=1 Time to live exceeded

If I try to telnet to 2.2.2.100:5000 I get

# telnet 2.2.2.100 5000
Trying 2.2.2.100...
telnet: connect to address 2.2.2.100: No route to host
telnet: Unable to connect to remote host: No route to host

If I try to sniff on lo1 I get:

> tcpdump -vvv -i lo1
tcpdump: listening on lo1, link-type LOOP
13:14:40.279954 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 63, id 3738, len 60)
13:14:40.279982 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 62, id 21751, len 60)
13:14:40.279993 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 61, id 29876, len 60)

I even tried assigning 1.1.1.100 to the enc0 interface, which enables me to connect to 2.2.2.100:5000 from the firewall, but nat over enc0 doesn't work.

I would appreciate any help.

Thanks,


Vladimir
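Added example, not part of the post above: a small Python script that parses tcpdump output in the format shown in the capture and flags flows where the same segment (same 4-tuple and sequence number) reappears within microseconds with a TTL that drops by one each time. That pattern is what a packet circling between lo1 and the host route looks like, and it is distinct from a normal retransmission, whose TTL does not change. The sample input reuses the three SYNs from the capture and adds two constructed retransmissions on port 5000 as a negative case.

```python
import re
from collections import defaultdict

# Sample capture (constructed): the three SYNs from the post, same 4-tuple and
# sequence number with TTL 63 -> 62 -> 61 within 40 microseconds, followed by a
# normal retransmission pair on port 5000 whose TTL stays at 63.
SAMPLE = """\
13:14:40.279954 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 63, id 3738, len 60)
13:14:40.279982 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 62, id 21751, len 60)
13:14:40.279993 10.0.8.101.55173 > 2.2.2.100.3128: S [tcp sum ok] 4262188680:4262188680(0) win 5840 <mss 1460,sackOK,timestamp 883518184 0,nop,wscale 7> (DF) [tos 0x10] (ttl 61, id 29876, len 60)
13:14:41.280001 10.0.8.101.55174 > 2.2.2.100.5000: S [tcp sum ok] 11111:11111(0) win 5840 <mss 1460> (DF) [tos 0x10] (ttl 63, id 4000, len 60)
13:14:44.280001 10.0.8.101.55174 > 2.2.2.100.5000: S [tcp sum ok] 11111:11111(0) win 5840 <mss 1460> (DF) [tos 0x10] (ttl 63, id 4001, len 60)
"""

# One verbose tcpdump line: timestamp, src.port > dst.port: flags ... seq:seq(len) ... (ttl N, id N, len N)
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+) .*?(?P<seq>\d+):\d+\(\d+\).*?"
    r"\(ttl (?P<ttl>\d+), id (?P<id>\d+), len \d+\)$"
)


def _seconds(ts):
    """Convert HH:MM:SS.frac to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(text):
    """Return (time, src, sport, dst, dport, seq, ttl) tuples for lines that match."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            out.append((_seconds(d["ts"]), d["src"], int(d["sport"]), d["dst"],
                        int(d["dport"]), int(d["seq"]), int(d["ttl"])))
    return out


def find_loops(text, window=0.01, min_hops=3):
    """Return [(flow, ttls)] for flows whose identical segment is seen at least
    min_hops times inside `window` seconds with the TTL decreasing by exactly one
    per sighting: a forwarding loop, not a retransmission."""
    groups = defaultdict(list)
    for t, src, sp, dst, dp, seq, ttl in parse(text):
        groups[(src, sp, dst, dp, seq)].append((t, ttl))
    loops = []
    for flow, seen in groups.items():
        seen.sort()
        ttls = [ttl for _, ttl in seen]
        span = seen[-1][0] - seen[0][0]
        if (len(ttls) >= min_hops and span <= window
                and all(b == a - 1 for a, b in zip(ttls, ttls[1:]))):
            loops.append((flow, ttls))
    return loops
```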
