Hi all, I am using shorewall 4.4.6 on an ipsec road warrior. I am trying to figure out how to configure so that traffic from a subnet of the road warrior is SNATted before being encrypted and routed into the ipsec tunnel. In essence I want to masquerade this subnet into the VPN.
The VPN for this road warrior is the default route, so all traffic from
this road warrior should be directed into the ipsec tunnel. The ipsec
tunnelling is managed by another piece of software so I have zero
ability to reconfigure it and I have zero ability to change the
configuration of the remote end or the policy.
Here's some of what I have tried so far:
----- interfaces -----
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           dhcp
kvm     virbr0      -           dhcp
----- policy -----
#SOURCE   DEST   POLICY   LOG   LIMIT:   CONNLIMIT:
fw        net    ACCEPT
net       fw     DROP
fw        kvm    ACCEPT
net       kvm    DROP
fw        vpn    ACCEPT
kvm       vpn    ACCEPT
all       vpn    DROP
vpn       fw     ACCEPT
vpn       all    DROP
kvm       all    ACCEPT
----- zones -----
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
kvm     ipv4
vpn     ipsec
----- hosts -----
#ZONE   HOST(S)          OPTIONS
swan    eth0:0.0.0.0/0
----- masq -----
#INTERFACE   SOURCE   ADDRESS      PROTO   PORT(S)   IPSEC   MARK   USER/GROUP
virbr0       -        199.10.8.5   -       -         Yes
where virbr0 is the interface of the subnet I want to masq to the road
warrior's assigned IP on the VPN (199.10.8.5).
Looking at the iptables rules, it does not seem to be triggering the
SNAT though:
Chain POSTROUTING (policy ACCEPT 44 packets, 3151 bytes)
 pkts bytes target        prot opt in     out     source       destination
    1   328 virbr0_masq   all  --  *      virbr0  0.0.0.0/0    0.0.0.0/0

Chain virbr0_masq (1 references)
 pkts bytes target        prot opt in     out     source       destination
    0     0 SNAT          all  --  *      *       0.0.0.0/0    0.0.0.0/0    policy match dir out pol ipsec to:199.10.8.5
As you can see there are no matches in the virbr0_masq chain.
Ideas?
b.
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
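An added example, not from the poster or the Shorewall project, showing how the masq file's columns map onto the generated rule. In Shorewall's masq file the INTERFACE column names the interface the packet leaves on, which is why the POSTROUTING rule above is keyed on `out virbr0`: only packets heading toward the KVM guests enter virbr0_masq, and VPN-bound traffic leaving on eth0 never does. The entry below names the outgoing interface and puts the guest subnet in SOURCE instead. The virbr0 subnet (192.168.122.0/24, libvirt's default) is an assumption.

```conf
# /etc/shorewall/masq  (added example, not the original poster's file)
#
# INTERFACE = the interface the packet LEAVES on (here the IPsec-carrying
# eth0), not the interface it arrives from. SOURCE = the hosts to SNAT.
# IPSEC = Yes keeps the "-m policy --dir out --pol ipsec" match, so only
# packets that are about to be encrypted are rewritten.
#
# Assumption: virbr0 carries libvirt's default 192.168.122.0/24.
#
#INTERFACE   SOURCE             ADDRESS      PROTO   PORT(S)   IPSEC
eth0         192.168.122.0/24   199.10.8.5   -       -         Yes
```

The rule Shorewall emits from this is equivalent to `iptables -t nat -A POSTROUTING -o eth0 -s 192.168.122.0/24 -m policy --dir out --pol ipsec -j SNAT --to-source 199.10.8.5`. The nat POSTROUTING chain runs on the plaintext packet before XFRM encapsulates it, so the SNAT changes the inner source address, which is what the remote end's IPsec policy (normally limited to the road warrior's single address 199.10.8.5) checks. After restarting Shorewall, the counters shown by `iptables -t nat -L eth0_masq -v -n` should increase for traffic from a guest; if they stay at zero, confirm that the other software's IPsec policy actually selects traffic from 199.10.8.5 to the remote subnet, because a packet the policy does not cover will not satisfy `--pol ipsec` either.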
