On Wed, 2010-07-14 at 20:06 -0700, Tom Eastep wrote: 
> > 
> > #INTERFACE   SOURCE            ADDRESS          PROTO   PORT(S)   IPSEC   MARK
> > eth0         192.168.122.0/24  129.150.48.250
> 
> I specifically said MASQUERADE, not SNAT.

Yes, I know.  But MASQUERADE results in the source address being
re-written to eth0's interface address (10.75.22.151).  This will result
in traffic not being routed into the tunnel and instead resulting in the
ipsec gateway machine sending back EHOSTUNREACH ICMP errors such as:

23:22:36.144100 IP 10.75.22.151 > 192.168.122.32: ICMP host 148.8.2.1 unreachable, length 72

That's because there is no route to 148.8.2.1 for packets with the
source address of eth0 (10.75.22.151).  The only route out is through
the ipsec tunnel and the security policy which allows that to happen
requires that the source address be 129.150.48.250, which is defined on
eth0:1:

eth0      Link encap:Ethernet  HWaddr 00:51:a7:71:21:f9  
          inet addr:10.75.22.151  Bcast:10.75.22.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          RX packets:43367178 errors:0 dropped:0 overruns:0 frame:0
          TX packets:84181911 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4016705508 (4.0 GB)  TX bytes:2938484768 (2.9 GB)
          Memory:ffce0000-ffd00000 

eth0:1    Link encap:Ethernet  HWaddr 00:51:a7:71:21:f9  
          inet addr:129.150.48.250  Bcast:129.150.255.255  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1400  Metric:1
          Memory:ffce0000-ffd00000 

When the gateway itself routes through the tunnel, it uses eth0:1 as
its source address, presumably via the default route specification:

default via 10.75.22.151 dev eth0  src 129.150.48.250 

b.
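The distinction the message turns on (no ADDRESS column means MASQUERADE, which picks the egress interface's primary address; an ADDRESS column means SNAT to exactly that address, which is what the IPsec policy expects) can be modelled with a few lines. This is an added example written for this thread, not Shorewall code: the masq-line format and the addresses are the ones quoted above, and the single SPD selector (src 129.150.48.250/32, dst 148.8.2.0/24) is an assumption about the gateway's policy.

```python
"""Toy model: Shorewall masq entry -> source rewrite -> IPsec policy check."""
import ipaddress

# Interface addresses from the thread: eth0 primary and the eth0:1 alias.
IFACE_ADDRS = {"eth0": "10.75.22.151", "eth0:1": "129.150.48.250"}

# Assumed security policy: only packets sourced from the alias may use the tunnel.
SPD = [{"src": "129.150.48.250/32", "dst": "148.8.2.0/24"}]


def parse_masq_entry(line):
    """Parse one masq line in the form INTERFACE SOURCE [ADDRESS]."""
    fields = line.split()
    return {"interface": fields[0], "source": fields[1],
            "address": fields[2] if len(fields) > 2 else None}


def rewrite_source(entry, pkt_src, egress_iface):
    """POSTROUTING rewrite. No ADDRESS -> MASQUERADE (egress interface's
    primary address). ADDRESS present -> SNAT to exactly that address."""
    if ipaddress.ip_address(pkt_src) not in ipaddress.ip_network(entry["source"]):
        return pkt_src  # entry does not match this packet; leave it alone
    if entry["address"] is None:
        return IFACE_ADDRS[egress_iface]
    return entry["address"]


def tunnel_verdict(src, dst):
    """'tunnel' if an SPD selector matches the rewritten packet, otherwise the
    error the gateway reports back to the client (ICMP host unreachable)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in SPD:
        if s in ipaddress.ip_network(pol["src"]) and d in ipaddress.ip_network(pol["dst"]):
            return "tunnel"
    return "EHOSTUNREACH"


def simulate(masq_line, pkt_src="192.168.122.32", pkt_dst="148.8.2.1"):
    """Run one LAN packet through the masq entry and the policy check."""
    entry = parse_masq_entry(masq_line)
    new_src = rewrite_source(entry, pkt_src, entry["interface"])
    return new_src, tunnel_verdict(new_src, pkt_dst)


if __name__ == "__main__":
    print(simulate("eth0 192.168.122.0/24"))                 # MASQUERADE case
    print(simulate("eth0 192.168.122.0/24 129.150.48.250"))  # SNAT case
```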

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users