Tom Eastep wrote:
> Jesse W. Hathaway wrote:
>>> VPN:
>>>
>>>      ipsec        Internet                      10.10.10.0/24
>>>      +-----------------------|Shorewall Server|----|LAN|
>>>      |              | 
>>>      |              | 
>>>    +---+            |ipsec                   
>>>    | A |            |                                          |           
>>>    +---+          +---+ 
>>> 192.168.105.212   | B |192.168.1.101
>>>                   +---+
>>>
>>>
>>> Clients A and B can both establish successful
>>> NAT-encapsulated IPsec sessions to the shorewall
>>> server. I can successfully receive and transmit
>>> between the shorewall server and client A as well
>>> as between the shorewall server and client B.
>>>
>>> What is the best method to allow communication 
>>> between Client A and B? I cannot use their 
>>> RFC 1918 addresses because I do not have an 
>>> IPSEC policy that dictates that the other 
>>> client's network should be encrypted.
>>>
>>> I would prefer to nat the clients with addresses from
>>> my local LAN, 10.10.10.0/24, or another subnet. I tried
>>> adding this to /etc/shorewall/nat:
>>>
>>> #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
>>> 10.10.10.10     eth1            192.168.1.101   Yes             Yes
>>> 10.10.10.12     eth1            192.168.105.212 Yes             Yes
>>>
>>> However when I do a tcpdump on the firewall interface I only see
>>> DNAT taking place.
>>>
>>> Is there a recommended method to provide local IPs to VPN clients?
>> I tried adding this to shorewall/masq, but it did not SNAT the IP of
>> the ipsec client. What is the correct way to DNAT and SNAT an IP?
>>
>> #INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S) IPSEC
>> eth0        192.168.1.101   10.10.10.10
>> eth0        192.168.105.212 10.10.10.12
>>
> 
> You need 'yes' in the IPSEC column if you want that to work.

Please disregard my last post. I realized after I sent it that I don't
understand what you are trying to do with these rules.

-Tom

Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
