Jesse W. Hathaway wrote:
>> VPN:
>>
>>      ipsec        Internet                      10.10.10.0/24
>>      +-----------------------|Shorewall Server|----|LAN|
>>      |              | 
>>      |              | 
>>    +---+            |ipsec                   
>>    | A |            |                                          |           
>>    +---+          +---+ 
>> 192.168.105.212   | B |192.168.1.101
>>                   +---+
>>
>>
>> Clients A and B can both establish successful
>> nat encapsulated ipsec sessions to the shorewall
>> server. I can successfully receive and transmit
>> between the shorewall server and client A as well
>> as between the shorewall server and client B.
>>
>> What is the best method to allow communication 
>> between Client A and B? I cannot use their 
>> RFC 1918 addresses because I do not have an 
>> IPSEC policy that dictates that the other 
>> client's network should be encrypted.
>>
>> I would prefer to nat the clients with addresses from
>> my local LAN, 10.10.10.0/24, or another subnet. I tried
>> adding this to /etc/shorewall/nat:
>>
>> #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES  LOCAL
>> 10.10.10.10     eth1            192.168.1.101   Yes             Yes
>> 10.10.10.12     eth1            192.168.105.212 Yes             Yes
>>
>> However when I do a tcpdump on the firewall interface I only see
>> DNAT taking place.
>>
>> Is there a recommended method to provide local ips to VPN clients?
> 
> I tried adding this to shorewall/masq, but it did not SNAT the ip of
> the ipsec client, what is the correct way to DNAT and SNAT an ip?
> 
> #INTERFACE  SOURCE          ADDRESS         PROTO   PORT(S) IPSEC
> eth0        192.168.1.101   10.10.10.10
> eth0        192.168.105.212 10.10.10.12

While by far the cleanest solution to this problem is to replace IPSEC with
a sane VPN solution like OpenVPN, you might try the following (I offer
absolutely no guarantees):

Let 10.10.10.10  be the surrogate for 192.168.1.101
Let 10.10.10.11  be the surrogate for 192.168.105.212

Assume that the external interface is $EXT_IF and that the IPSEC zone is
named 'vpn':

/etc/shorewall/masq:

$EXT_IF:192.168.1.101   192.168.105.212    10.10.10.11
$EXT_IF:192.168.105.212 192.168.1.101      10.10.10.10

/etc/shorewall/rules:

DNAT-   vpn:192.168.1.101       net:192.168.105.212 - - - 10.10.10.11
DNAT-   vpn:192.168.105.212     net:192.168.1.101   - - - 10.10.10.10

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
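The following is an added illustration, not part of Tom's reply and not Shorewall's own code: a small Python model of the surrogate-address scheme above, showing why both the masq (SNAT) entries and the DNAT- rules are needed. It assumes, as Jesse's description implies, that each client's IPsec policy covers only its own address and the gateway's 10.10.10.0/24 LAN, so a packet carrying the other client's real RFC 1918 address would fall outside the tunnel policy. Addresses are the ones from the thread; the conntrack table and the policy check are a simplified model of what netfilter does, not a literal reimplementation.

```python
"""Model of hairpin NAT between two IPsec clients using LAN surrogate addresses.

Constructed example: addresses come from the mailing-list thread, the
gateway logic is a simplification of netfilter's DNAT/SNAT plus conntrack.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

LAN = ip_network("10.10.10.0/24")  # assumed to be inside every client's IPsec policy

# Real client address -> surrogate address in the LAN (as in Tom's reply).
SURROGATE = {
    "192.168.1.101": "10.10.10.10",
    "192.168.105.212": "10.10.10.11",
}
REAL = {surrogate: real for real, surrogate in SURROGATE.items()}


class Packet(NamedTuple):
    src: str
    dst: str


class Gateway:
    """The Shorewall box: DNAT- on the way in, masq on the way out, state for replies."""

    def __init__(self) -> None:
        # (src, dst) as seen on a reply -> the original forward packet
        self.conntrack: dict[tuple[str, str], Packet] = {}

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Client-to-client packet addressed to the other client's surrogate."""
        if pkt.dst not in REAL or pkt.src not in SURROGATE:
            return None  # not a hairpin flow; left to normal routing
        # DNAT- rule: surrogate destination -> real destination
        real_dst = REAL[pkt.dst]
        # masq entry: real source -> surrogate source, only towards the other client
        out = Packet(SURROGATE[pkt.src], real_dst)
        self.conntrack[(out.dst, out.src)] = pkt
        return out

    def reply(self, pkt: Packet) -> Optional[Packet]:
        """Reply from the real destination, reversed through conntrack."""
        orig = self.conntrack.get((pkt.src, pkt.dst))
        if orig is None:
            return None  # no state: conntrack would not translate it back
        return Packet(orig.dst, orig.src)


def dnat_only(pkt: Packet) -> Optional[Packet]:
    """What Jesse observed: only the destination is rewritten, source leaks through."""
    if pkt.dst not in REAL:
        return None
    return Packet(pkt.src, REAL[pkt.dst])


def within_policy(pkt: Packet, client: str) -> bool:
    """True if both addresses are ones the client's IPsec policy can carry."""
    return all(ip == client or ip_address(ip) in LAN for ip in pkt)
```

With the full scheme, the packet delivered to B carries 10.10.10.11 -> 192.168.1.101 and B's reply comes back as 10.10.10.10 -> 192.168.105.212, so both tunnel legs stay inside their own policies; with DNAT alone, B receives a packet from 192.168.105.212, which its policy does not cover, which is the symptom of seeing only DNAT on the wire.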

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
