Tom Eastep wrote:
> Jan van der Vyver wrote:
> 
>> I am trying to ssh from a machine (192.168.10.198) behind machine A
>> (192.168.10.200) to 192.168.20.33.
>>
>> Between machine A and machine B there is an IPsec VPN.
>> Config for this vpn:
>>
>> conn in2one-to-adept
>>         type=tunnel
>>         connaddrfamily=ipv4
>>         left=196.44.33.190
>>         leftnexthop=%direct
>>         leftsubnet=192.168.20.0/24
>>         [EMAIL PROTECTED]
>>         leftrsasigkey=bla
>>         right=196.44.33.114
>>         rightnexthop=%direct
>>         rightsubnet=192.168.10.0/24
>>         [EMAIL PROTECTED]
>>         rightrsasigkey=bla
>>         auto=start
>>
>> Then machine B must rewrite any packets (on all ports) to 192.168.20.33, the
>> destination to 192.168.241.65 and the source to 196.44.33.118.
>>
>> Between machine B and C there is an IPsec VPN:
>> Config:
>> conn obw
>>         type=tunnel
>>         connaddrfamily=ipv4
>>         left=196.44.33.190
>>         leftnexthop=%direct
>>         leftsubnet=196.44.33.118/32
>>         right=168.167.251.89
>>         rightnexthop=%direct
>>         rightsubnet=192.168.241.65/32
>>         rightid=193.219.215.3
>>         authby=secret
>>         esp=3des-md5-96
>>         #esp=3des-md5
>>         keyexchange=ike
>>         pfs=no
>>         auto=start
>>
>> If I ssh from machine B with the following:
>>
>> ssh -b 196.44.33.118 [EMAIL PROTECTED]
>>
>> It works.
>>
>> If I ssh from 192.168.10.198, then the following is seen in machine B's
>> syslog:
>>
>>> Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:13:72:3f:74:20:00:12:00:6c:ea:d0:08:00 SRC=192.168.10.198 DST=192.168.20.33 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=42453 DF PROTO=TCP SPT=60171 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>>> Oct  9 20:58:16 neon kernel: [43844718.340000] Shorewall:net2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.10.198 DST=192.168.241.65 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=42453 DF PROTO=TCP SPT=60171 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>> Hope this makes it clearer.
>>
> 
> Ok.
> 
> You do not have IPSEC policy match enabled (although your kernel is new enough
> to support it). You must enable it if you want this to work; then follow the
> instructions in http://www.shorewall.net/IPSEC-2.6.html.
> 
> Without policy match, SNAT rules are not applied until after the traffic is
> encrypted and encapsulated; by that time, it is too late to change the 
> original
> SOURCE IP address.

I got a bit ahead of myself -- I'm correct that to do this right, you need
policy match. But you should be able to get it to work if we can determine why
your ruleset drops most traffic to/from 192.168.241.65. Please send me a
tar-ball of your /etc/shorewall/ directory.

Thanks,
-Tom


-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key

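Tom's point is that an SNAT rule with no IPsec policy match is evaluated after the packet has already been ESP-encapsulated, so it never sees the 192.168.10.198 source it was meant to rewrite. The following is an added example, not code from Tom, Jan or the Shorewall project: a small POSIX shell audit that reads a nat table in the format iptables-save prints, lists SNAT/MASQUERADE rules that carry no "-m policy" match, and shows the same rule restricted to plaintext packets that the IPsec policy towards the obw peer will encapsulate. The addresses are the ones from the thread; the nat table dump embedded in the script is constructed, not captured on machine B, and the kernel config option names in the --live path are an assumption about 2.6-era kernels.

```shell
#!/bin/sh
# Added example for this thread, not code from Tom, Jan or the Shorewall project.
# Audits a nat-table dump (the format "iptables-save -t nat" prints) for
# SNAT/MASQUERADE rules without an IPsec policy match, and shows how such a
# rule looks once it only matches packets IPsec is about to encrypt.
# Addresses come from the thread; the dump itself is constructed.

# Constructed nat table: DNAT of 192.168.20.33 -> 192.168.241.65, then a plain
# SNAT to 196.44.33.118 written without any policy match.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -d 192.168.20.33/32 -j DNAT --to-destination 192.168.241.65
-A POSTROUTING -s 192.168.10.0/24 -d 192.168.241.65/32 -j SNAT --to-source 196.44.33.118
COMMIT'

# Far end of the "obw" tunnel (right= in Jan's second conn), used as --tunnel-dst.
OBW_PEER=168.167.251.89

# Print POSTROUTING SNAT/MASQUERADE rules in $1 that have no "-m policy" match.
# Prints nothing (and still exits 0) when every rule already carries one.
snat_without_policy_match() {
    printf '%s\n' "$1" \
        | grep -E '^-A POSTROUTING .* -j (SNAT|MASQUERADE)' \
        | grep -v -- '-m policy' || true
}

# Number of offending rules in $1; 0 means the table is clean.
count_unmatched() {
    snat_without_policy_match "$1" | wc -l | tr -d ' '
}

# Insert "-m policy --dir out --pol ipsec --tunnel-dst <peer>" in front of the
# NAT target of every rule in $1, so the rule matches only the plaintext packet
# that the outbound IPsec policy towards $2 is about to encapsulate.
add_policy_match() {
    printf '%s\n' "$1" | sed \
        -e "s# -j SNAT# -m policy --dir out --pol ipsec --tunnel-dst $2 -j SNAT#" \
        -e "s# -j MASQUERADE# -m policy --dir out --pol ipsec --tunnel-dst $2 -j MASQUERADE#"
}

# Report on one nat table: $1 = table text, $2 = tunnel peer. Returns 1 on findings.
audit() {
    bad=$(snat_without_policy_match "$1")
    if [ -z "$bad" ]; then
        echo "ok: every SNAT/MASQUERADE rule carries an IPsec policy match"
        return 0
    fi
    echo "SNAT rules without policy match (evaluated after ESP encapsulation):"
    printf '%s\n' "$bad" | sed 's/^/  /'
    echo "suggested replacement:"
    add_policy_match "$bad" "$2" | sed 's/^/  /'
    return 1
}

# Stand-alone use: no argument audits the constructed sample (findings are
# printed, exit status not propagated); "--live", run as root, checks the
# running kernel and nat table and exits non-zero on findings.
case "${1:-}" in
    --live)
        # Option names assumed for 2.6-era kernels (xt_policy / ipt_policy);
        # a modular build also needs the module loaded. Assumption, not from the thread.
        grep -qsE '^CONFIG_(NETFILTER_XT|IP_NF)_MATCH_POLICY=(y|m)' \
            "/boot/config-$(uname -r)" \
            || echo "warning: no *_MATCH_POLICY option found in the kernel config"
        audit "$(iptables-save -t nat)" "$OBW_PEER"
        ;;
    "") audit "$SAMPLE_NAT" "$OBW_PEER" || : ;;
esac
```

On a box where the match is available, the suggested rule can be applied with iptables -t nat as printed; the --tunnel-dst qualifier keeps the rewrite from touching traffic that goes out in the clear or through the other tunnel, which is the same selectivity Shorewall's IPSEC zones provide once policy match is enabled.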

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
