> VPN:
>
>                ipsec            Internet              10.10.10.0/24
>      +-----------------------|Shorewall Server|----|LAN|
>      |                             |
>      |                             |
>    +---+                           |ipsec
>    | A |                           |
>    +---+                         +---+
> 192.168.105.212                  | B |192.168.1.101
>                                  +---+
>
> Clients A and B can both establish successful
> nat encapsulated ipsec sessions to the shorewall
> server. I can successfully receive and transmit
> between the shorewall server and client A as well
> as between the shorewall server and client B.
>
> What is the best method to allow communication
> between Client A and B? I cannot use their
> RFC 1918 addresses because I do not have an
> IPSEC policy that dictates that the other
> client's network should be encrypted.
>
> I would prefer to nat the clients with addresses from
> my local LAN, 10.10.10.0/24, or another subnet. I tried
> adding this to /etc/shorewall/nat:
>
> #EXTERNAL     INTERFACE   INTERNAL          ALL INTERFACES   LOCAL
> 10.10.10.10   eth1        192.168.1.101     Yes              Yes
> 10.10.10.12   eth1        192.168.105.212   Yes              Yes
>
> However when I do a tcpdump on the firewall interface I only see
> DNAT taking place.
>
> Is there a recommended method to provide local IPs to VPN clients?
I tried adding this to shorewall/masq, but it did not SNAT the IP of the ipsec client. What is the correct way to DNAT and SNAT an IP?

#INTERFACE   SOURCE            ADDRESS       PROTO   PORT(S)   IPSEC
eth0         192.168.1.101     10.10.10.10
eth0         192.168.105.212   10.10.10.12

thanks,
Jesse
