Hi Everyone,
I'm facing a problem which I hope someone might help me with here.
I'm trying to build a site-to-site VPN with my current shorewall + openswan
configuration with overlapping IPs on both ends.
Here is my Topology.
Site A:
eth0 - 172.16.0.0/24 - Internal LAN
eth1 - 10.0.0.0/24 - LAB LAN
eth2 - X.Y.Z.M - Public IP address
Site B:
eth0 - 192.168.0.0/24 - Internal LAN
eth1 - 10.0.0.0/24 - LAB LAN
eth2 - N.O.L.P - Public IP address
I want to set up a VPN from the Internal LAN of Site B (192.168.0.0/24) to
the LAB LAN of Site A (10.0.0.0/24).
The problem is that Site B already has in its local routing table a setup
to route traffic for the network ID 10.0.0.0/24 via the ETH1 interface. So
traffic can't be routed to the remote site A without (1) disabling this
network or (2) doing some NAT magic.
Since option 1 is not really an option, I made sure to configure my IPsec
tunnel to use a virtual NETID of 172.31.0.0/24 as the subnet of site A
which I want to share with site B.
Basically this means that when a machine from site B (with an IP of
192.168.0.X) wants to talk with a machine from site A (with an IP address
172.16.0.X) it basically sends the packets to 172.31.0.X.
Once the FW on site A gets the packet for 172.31.0.X, I use DNAT to
route the packet to 10.0.0.X.
This however doesn't seem to work, which is why I'm asking the community
for help.
The first question I have in mind is if I have to create a fake virtual
interface (like a TAP device) which will be configured with the IP address
of 172.31.0.1 in order for this to work?
(OpenSwan with netkey does not create a virtual interface such as when you
use the klips or mast module)
When creating a TAP device or an alias device (like eth0:1) I can easily
ping from one site to the other, but then I will have to configure and
change settings in the interface, zone, policy and rules files which is
something I want to avoid (I have multi ISP in my configuration with multi
VPNs site to site, including a road VPN client so my setup is a little bit
more complicated).
I have looked into the netmap, masq and nat files under shorewall, but as far
as I can tell nothing works.
Doing more debugging it seems like the IPSEC device is not really applying
my settings, as when I do a traceroute from a machine in site A with IP address
of 172.16.0.X to a machine in Site B with an IP of 192.168.0.X I would
expect to see that the next hop after my firewall (site A) is the
next firewall IP (site B), ending at the dest machine. However the route
goes to the public internet, which explains that the IPSEC doesn't consider
this packet as a packet which came out of the NETID of 172.31.0.X even if
I do SNAT.
Is it somehow connected to a pre-routing issue?
I know there are some docs on how to set up IPSEC with shorewall, but in most
cases I do it without shorewall involved (except for configuring the rules
to allow traffic from both networks and disabling NAT within them)
Any Ideas?
Thank You
Sassy
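The NAT scheme described above, as an added illustration that is not part of the original post and not Shorewall's or Openswan's own code: a 1:1 NETMAP between the real LAB LAN (10.0.0.0/24) and the virtual NETID (172.31.0.0/24) at the Site A firewall, with a check that every translated packet still matches the IPsec policy selector (172.31.0.0/24 <-> 192.168.0.0/24) in both directions. The symptom in the post (the reply leaving via the public Internet instead of the tunnel) is exactly what this model reports when the reply's source is still 10.0.0.X at the point where the policy is selected, so the model assumes the SNAT must be applied before that lookup. The host addresses 192.168.0.7 and 172.31.0.42 are constructed sample values.

```python
"""
Model of the Site A firewall's NETMAP translation plus an IPsec SPD match check.
Added example, not code from the post or from Shorewall/Openswan.
Networks come from the post; the sample hosts are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Topology from the post
SITE_A_LAB = Net("10.0.0.0/24")      # real LAB LAN behind Site A
SITE_A_ALIAS = Net("172.31.0.0/24")  # virtual NETID that Site B is told to use
SITE_B_LAN = Net("192.168.0.0/24")   # Site B internal LAN
SITE_B_LAB = Net("10.0.0.0/24")      # Site B's own LAB LAN: the overlap


@dataclass(frozen=True)
class Packet:
    src: IPv4
    dst: IPv4


def overlap_requires_alias() -> bool:
    """True when Site B has a local route covering Site A's LAB LAN,
    i.e. the remote subnet cannot be reached under its real address."""
    return SITE_A_LAB.overlaps(SITE_B_LAB)


def netmap(addr: IPv4, from_net: Net, to_net: Net) -> IPv4:
    """1:1 mapping: keep the host bits, swap the network bits.
    Equal prefix lengths are required, otherwise the map is not bijective."""
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("NETMAP requires equal prefix lengths")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return IPv4(int(to_net.network_address) + host_bits)


def spd_matches(pkt: Packet, local: Net, remote: Net) -> bool:
    """Would the IPsec policy for local<->remote select this packet?"""
    return (pkt.src in local and pkt.dst in remote) or \
           (pkt.src in remote and pkt.dst in local)


def site_a_prerouting(pkt: Packet) -> Packet:
    """DNAT after decapsulation: 172.31.0.X -> 10.0.0.X (assumed to run before routing)."""
    if pkt.dst in SITE_A_ALIAS:
        return replace(pkt, dst=netmap(pkt.dst, SITE_A_ALIAS, SITE_A_LAB))
    return pkt


def site_a_postrouting(pkt: Packet) -> Packet:
    """SNAT before encapsulation: 10.0.0.X -> 172.31.0.X so the reply
    matches the 172.31.0.0/24 <-> 192.168.0.0/24 selector (assumed order)."""
    if pkt.src in SITE_A_LAB and pkt.dst in SITE_B_LAN:
        return replace(pkt, src=netmap(pkt.src, SITE_A_LAB, SITE_A_ALIAS))
    return pkt


def simulate_flow(b_host: str, a_alias_host: str) -> dict:
    """Run one request/reply pair through Site A's NAT and record SPD matches."""
    request = Packet(IPv4(b_host), IPv4(a_alias_host))  # arrives through the tunnel
    delivered = site_a_prerouting(request)              # what the LAB host receives
    reply_raw = Packet(delivered.dst, delivered.src)    # LAB host answers from 10.0.0.X
    reply_out = site_a_postrouting(reply_raw)           # what the policy lookup sees
    return {
        "request_matches_spd": spd_matches(request, SITE_A_ALIAS, SITE_B_LAN),
        "delivered_dst": str(delivered.dst),
        "reply_src_raw": str(reply_raw.src),
        "reply_raw_matches_spd": spd_matches(reply_raw, SITE_A_ALIAS, SITE_B_LAN),
        "reply_src_out": str(reply_out.src),
        "reply_out_matches_spd": spd_matches(reply_out, SITE_A_ALIAS, SITE_B_LAN),
    }


if __name__ == "__main__":
    for key, value in simulate_flow("192.168.0.7", "172.31.0.42").items():
        print(f"{key:24} {value}")
```

The useful check is `reply_raw_matches_spd`: if the firewall's SNAT is not applied before the IPsec policy is consulted, the reply with source 10.0.0.X matches no tunnel selector and is routed like ordinary Internet traffic, which is the traceroute behaviour described in the post. Conversely, `reply_out_matches_spd` is what you want to see once the translation happens in the right place.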
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users