I am trying to get a 1:1 NAT configured before sending the packets into an 
IPsec tunnel, but as far as I can tell the NAT is never applied and the 
packets also never get into the tunnel.

The IPsec tunnel configuration:

conn rz2trz1
  auto=route
  closeaction=restart
  esp=aes256-sha256-ecp384
  ike=aes256-sha256-ecp384
  ikelifetime=60m
  keyexchange=ikev2
  left=192.0.2.1
  leftauth=psk
  leftsubnet=10.192.2.0/24
  lifetime=30m
  right=198.51.100.1
  rightauth=psk
  rightsubnet=10.191.2.0/24
  type=tunnel

The shorewall configuration:

interfaces:
?FORMAT 2
#ZONE       INTERFACE   OPTIONS
extpriv     eth0.1901
inet        eth0.1903
dnstrz1     eth1.1015

zones:
fw          firewall
extpriv          ip
inet             ip
dnstrz1          ip
rz1trz2          ipsec

tunnels:
#TYPE     ZONE  GATEWAY(S)      GATEWAY ZONE(S)
ipsecnat  inet  198.51.100.1

hosts:
#ZONE    HOSTS                       OPTIONS
rz1trz2  eth0.1903:10.192.2.0/24 ipsec

netmap:
#TYPE NET1              INTERFACE       NET2              NET3
SNAT   10.138.53.229/32 eth0.1903       10.191.2.229/32 10.192.2.0/24
DNAT   10.191.2.229/32  eth0.1903       10.138.53.229/32 10.192.2.0/24

policy:
#SOURCE         DEST            POLICY          LOG LEVEL LIMIT:BURST
dnstrz1         rz1trz2         ACCEPT
rz1trz2         dnstrz1         ACCEPT
# THE FOLLOWING POLICY MUST BE LAST
all             all             DROP            $LOG

I try to ping the node on the other side, 10.192.2.229, from the node 
10.138.53.229.

With "tcpdump -i any -n host 10.192.2.229" on the shorewall/IPsec node I only see:
20:54:15.564946 eth1  In  IP 10.138.53.229 > 10.192.2.229: ICMP echo request, id 34685, seq 1, length 64
20:54:15.564947 eth1.1015 In  IP 10.138.53.229 > 10.192.2.229: ICMP echo request, id 34685, seq 1, length 64

After adding "iptables -t raw -I PREROUTING -d 10.192.2.229 -j TRACE", I see
the following with "xtables-monitor --trace":
PACKET: 2 53bdbe50 IN=eth1.1015 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=64 ID=2926DF
 TRACE: 2 53bdbe50 raw:PREROUTING:rule:0x19:CONTINUE  -4 -t raw -A PREROUTING -d 10.192.2.229/32 -j TRACE
 TRACE: 2 53bdbe50 raw:PREROUTING:return:
 TRACE: 2 53bdbe50 raw:PREROUTING:policy:ACCEPT
 TRACE: 2 53bdbe50 mangle:PREROUTING:return:
 TRACE: 2 53bdbe50 mangle:PREROUTING:policy:ACCEPT
 TRACE: 2 53bdbe50 nat:PREROUTING:return:
 TRACE: 2 53bdbe50 nat:PREROUTING:policy:ACCEPT
PACKET: 2 53bdbe50 IN=eth1.1015 OUT=eth0.1903 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=63 ID=2926DF
 TRACE: 2 53bdbe50 mangle:FORWARD:rule:0x6:CONTINUE  -4 -t mangle -A FORWARD -j MARK --set-xmark 0x0/0xff
 TRACE: 2 53bdbe50 mangle:FORWARD:return:
 TRACE: 2 53bdbe50 mangle:FORWARD:policy:ACCEPT
PACKET: 2 53bdbe50 IN=eth1.1015 OUT=eth0.1903 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=63 ID=2926DF
 TRACE: 2 53bdbe50 filter:FORWARD:rule:0x49:JUMP:dnstrz1_frwd  -4 -t filter -A FORWARD -i eth1.1015 -m policy --dir in --pol none -j dnstrz1_frwd
 TRACE: 2 53bdbe50 filter:dnstrz1_frwd:rule:0xa8:JUMP:dynamic  -4 -t filter -A dnstrz1_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
 TRACE: 2 53bdbe50 filter:dynamic:return:
 TRACE: 2 53bdbe50 filter:dnstrz1_frwd:rule:0xab:JUMP:dnstrz1-inet -4 -t filter -A dnstrz1_frwd -o eth0.1903 -m policy --dir out --pol none -j dnstrz1-inet
 TRACE: 2 53bdbe50 filter:dnstrz1-inet:rule:0x93:ACCEPT  -4 -t filter -A dnstrz1-inet -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
 TRACE: 2 53bdbe50 mangle:POSTROUTING:return:
 TRACE: 2 53bdbe50 mangle:POSTROUTING:policy:ACCEPT
PACKET: 2 53bdbe50 IN=eth1.1015 OUT=eth0.1903 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=63 ID=2926DF
 TRACE: 2 53bdbe50 nat:POSTROUTING:rule:0x7:ACCEPT  -4 -t nat -A POSTROUTING -s 10.138.53.229/32 -d 10.192.2.0/24 -o eth0.1903 -j NETMAP --to 10.191.2.229/32

With swanctl --list-sas I can see that no packets are going through the IPsec 
tunnel:
  rz1trz2: #1204, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_256_128
    installed 10s ago, rekeying in 914s, expires in 1790s
    in  c1c3ef60,      0 bytes,     0 packets
    out c3cdf9d0,      0 bytes,     0 packets
    local  10.191.2.0/24
    remote 10.192.2.0/24

I am confused why I do not see packets with source 10.191.2.229 going out of 
eth0.1903 in the tcpdump output, and why the trace ends with the 
nat:10.191.2.229:rule line.
Does anyone have an idea what I am doing wrong, or how I can debug the issue further?

Thanks in advance for any help.



_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
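The xtables-monitor trace quoted above is easier to reason about once it is grouped per packet. The helper below is an added example, not code from the original post or from Shorewall/iptables: it parses PACKET/TRACE lines, groups them by packet id and reports the chain path, the final verdict, every NAT-table rule that fired and every rule whose match depended on `-m policy` (the kernel's view of the packet's IPsec state at that hook). The sample input is the trace from the post with its wrapped lines re-joined; all function names are my own.

```python
"""Summarise `xtables-monitor --trace` output per packet: chain path, final verdict, NAT
rules that fired and `-m policy` decisions (added helper, not from the post or Shorewall)."""
import re
PACKET_RE = re.compile(r"^\s*PACKET:\s+\d+\s+([0-9a-f]+)\s+(.*)$")
TRACE_RE = re.compile(r"^\s*TRACE:\s+\d+\s+([0-9a-f]+)\s+(.*)$")
NAT_TARGETS = {"SNAT", "DNAT", "NETMAP", "MASQUERADE", "REDIRECT"}

# Constructed sample: the trace quoted in the post, with its wrapped lines re-joined.
SAMPLE_TRACE = """\
PACKET: 2 53bdbe50 IN=eth1.1015 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=64 ID=2926DF
 TRACE: 2 53bdbe50 raw:PREROUTING:rule:0x19:CONTINUE  -4 -t raw -A PREROUTING -d 10.192.2.229/32 -j TRACE
 TRACE: 2 53bdbe50 raw:PREROUTING:return:
 TRACE: 2 53bdbe50 raw:PREROUTING:policy:ACCEPT
 TRACE: 2 53bdbe50 mangle:PREROUTING:return:
 TRACE: 2 53bdbe50 mangle:PREROUTING:policy:ACCEPT
 TRACE: 2 53bdbe50 nat:PREROUTING:return:
 TRACE: 2 53bdbe50 nat:PREROUTING:policy:ACCEPT
PACKET: 2 53bdbe50 IN=eth1.1015 OUT=eth0.1903 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=63 ID=2926DF
 TRACE: 2 53bdbe50 mangle:FORWARD:rule:0x6:CONTINUE  -4 -t mangle -A FORWARD -j MARK --set-xmark 0x0/0xff
 TRACE: 2 53bdbe50 mangle:FORWARD:return:
 TRACE: 2 53bdbe50 mangle:FORWARD:policy:ACCEPT
PACKET: 2 53bdbe50 IN=eth1.1015 OUT=eth0.1903 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=63 ID=2926DF
 TRACE: 2 53bdbe50 filter:FORWARD:rule:0x49:JUMP:dnstrz1_frwd  -4 -t filter -A FORWARD -i eth1.1015 -m policy --dir in --pol none -j dnstrz1_frwd
 TRACE: 2 53bdbe50 filter:dnstrz1_frwd:rule:0xa8:JUMP:dynamic  -4 -t filter -A dnstrz1_frwd -m conntrack --ctstate INVALID,NEW,UNTRACKED -j dynamic
 TRACE: 2 53bdbe50 filter:dynamic:return:
 TRACE: 2 53bdbe50 filter:dnstrz1_frwd:rule:0xab:JUMP:dnstrz1-inet  -4 -t filter -A dnstrz1_frwd -o eth0.1903 -m policy --dir out --pol none -j dnstrz1-inet
 TRACE: 2 53bdbe50 filter:dnstrz1-inet:rule:0x93:ACCEPT  -4 -t filter -A dnstrz1-inet -p icmp -m icmp --icmp-type 8 -m comment --comment Ping -j ACCEPT
 TRACE: 2 53bdbe50 mangle:POSTROUTING:return:
 TRACE: 2 53bdbe50 mangle:POSTROUTING:policy:ACCEPT
PACKET: 2 53bdbe50 IN=eth1.1015 OUT=eth0.1903 MACSRC=56:e9:84:3a:23:7e MACDST=4a:b4:4a:4a:3b:39 MACPROTO=8100 SRC=10.138.53.229 DST=10.192.2.229 LEN=84 TOS=0x0 TTL=63 ID=2926DF
 TRACE: 2 53bdbe50 nat:POSTROUTING:rule:0x7:ACCEPT  -4 -t nat -A POSTROUTING -s 10.138.53.229/32 -d 10.192.2.0/24 -o eth0.1903 -j NETMAP --to 10.191.2.229/32
"""


def parse_trace(text):
    """Group PACKET/TRACE lines by packet id -> {'headers': [...], 'events': [...]}."""
    packets = {}
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            pid, fields = m.groups()
            hdr = dict(kv.split("=", 1) for kv in fields.split() if "=" in kv)
            packets.setdefault(pid, {"headers": [], "events": []})["headers"].append(hdr)
        elif m := TRACE_RE.match(line):
            pid, rest = m.groups()
            table, chain, kind, tail = rest.split(":", 3)
            ev = {"table": table, "chain": chain, "kind": kind, "verdict": "", "rule": ""}
            if kind == "rule":
                # tail is "<handle>:<verdict>  <rule text>"; the verdict may itself be "JUMP:<chain>"
                _handle, _, tail = tail.partition(":")
                ev["verdict"], _, rule = tail.strip().partition(" ")
                ev["rule"] = rule.strip()
            elif kind == "policy":
                ev["verdict"] = tail.strip()
            packets.setdefault(pid, {"headers": [], "events": []})["events"].append(ev)
    return packets


def chain_path(pkt):
    """table:chain names in the order the packet first reached them."""
    return list(dict.fromkeys(f"{e['table']}:{e['chain']}" for e in pkt["events"]))


def final_verdict(pkt):
    """(table:chain, verdict) of the last rule or chain policy the packet reached."""
    last = [e for e in pkt["events"] if e["kind"] in ("rule", "policy")][-1]
    return f"{last['table']}:{last['chain']}", last["verdict"]


def nat_rules(pkt):
    """NAT-table rules that fired, as (chain, target, --to argument or '')."""
    hits = []
    for e in pkt["events"]:
        tgt = re.search(r"-j (\S+)", e["rule"])
        if e["table"] == "nat" and tgt and tgt.group(1) in NAT_TARGETS:
            to = re.search(r"--to(?:-\w+)? (\S+)", e["rule"])
            hits.append((e["chain"], tgt.group(1), to.group(1) if to else ""))
    return hits


def policy_matches(pkt):
    """Rules matched via `-m policy`, i.e. decisions that depended on xfrm (IPsec) state."""
    return [(f"{e['table']}:{e['chain']}", m.group(1), m.group(2)) for e in pkt["events"]
            for m in [re.search(r"-m policy --dir (\w+) --pol (\w+)", e["rule"])] if m]


def header_delta(pkt):
    """Fields that differ between the first and last PACKET snapshot. The kernel dumps the
    headers as the packet enters each base chain, so a rewrite done by the final
    nat:POSTROUTING rule is never visible here: SRC still shows the pre-NAT address."""
    first, last = pkt["headers"][0], pkt["headers"][-1]
    return {k: (first.get(k), last.get(k)) for k in sorted(set(first) | set(last))
            if first.get(k) != last.get(k)}


def report(text):
    """Human-readable summary, one block per traced packet."""
    return "\n".join(
        f"packet {pid}: {' -> '.join(chain_path(p))}\n  final verdict: {final_verdict(p)}\n"
        f"  NAT rules fired: {nat_rules(p)}\n  -m policy decisions: {policy_matches(p)}\n"
        f"  header changes (first vs last snapshot): {header_delta(p)}"
        for pid, p in parse_trace(text).items())


if __name__ == "__main__":
    print(report(SAMPLE_TRACE))
```

Two things the summary makes explicit for the trace in the post: both `-m policy` rules that matched did so with `--pol none`, i.e. at the FORWARD hook the kernel had no xfrm policy attached to this packet, and the last event is the NETMAP rule in nat:POSTROUTING, which is simply the last hook a forwarded packet traverses, so a trace ending there is expected. Because the PACKET snapshots are taken at chain entry, the rewritten source address has to be checked elsewhere, for example in the reply tuple shown by `conntrack -L`.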