I have a non-working scenario that I have not seen discussed anywhere in the archives:

            private LAN                            public Internet
         ------------      ----------------------------------------------------
       |            |      |   <--------- IPSEC VPN --------->   |            |
     client      gateway                                     VPN server    web host
   172.16.1.a    x.x.x.x (dynamic PPPoE)                   123.45.67.89   34.56.78.9
   172.16.1.b    172.16.0.a

Using the native KAME IPSEC in kernel 2.6, I have a SAD setting up an ESP tunnel between the public interfaces of the gateway and the VPN server, I have an SPD routing traffic between 172.16.1.0/24 and the web host (34.56.78.9) over this tunnel, and I have an SNAT entry in the VPN server NAT table mapping 172.16.1.0/24 source addresses to 123.45.67.89.

The ESP tunnel works fine. However, when packets show up at the VPN server from 172.16.1.a, they go back out over the public interface to 34.56.78.9 without any SNAT mangling of the source address (and, because the source is an unroutable RFC1918 address, they're never heard from again).

The requirement is two-fold: to ensure all traffic between the gateway and VPN server is encrypted, and to make all traffic between client and web host appear as if it originated at the VPN server.

Is there any way to satisfy these requirements with the existing Linux kernel?

-Michael Robinson
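To make the three pieces of the setup above (SAD, SPD, SNAT) reviewable side by side, here is an added example script (not from the post or its author) that renders the VPN-server end of the configuration from the addresses given, plus the commands whose counters show whether the SNAT rule is ever matched. The gateway's public address, the public interface name, the SPIs and the key material are placeholders; the policy directions and SPI values are assumptions.

```shell
#!/bin/sh
# Added example: render the VPN-server side of the configuration described in
# the post. Addresses are from the post; everything marked PLACEHOLDER is not.
GW_PUB="${GW_PUB:-x.x.x.x}"      # PLACEHOLDER: gateway public address (dynamic PPPoE)
PUB_IF="${PUB_IF:-ppp0}"         # PLACEHOLDER: VPN server public interface
VPN_PUB="123.45.67.89"           # VPN server public address
WEB_HOST="34.56.78.9"            # web host
LAN="172.16.1.0/24"              # private LAN behind the gateway
SPI_IN="0x1001"; SPI_OUT="0x1002"     # PLACEHOLDER SPIs, constructed for illustration
KEY_ENC="0x$(printf '%032d' 0)"       # PLACEHOLDER 128-bit AES key: replace before use
KEY_AUTH="0x$(printf '%040d' 0)"      # PLACEHOLDER 160-bit HMAC-SHA1 key: replace before use

# setkey(8) input: one ESP SA per direction between the public interfaces, and
# SPD entries so that only LAN <-> web host traffic is required to use the tunnel.
setkey_conf() {
  cat <<EOF
flush;
spdflush;
add $GW_PUB $VPN_PUB esp $SPI_IN -m tunnel -E aes-cbc $KEY_ENC -A hmac-sha1 $KEY_AUTH;
add $VPN_PUB $GW_PUB esp $SPI_OUT -m tunnel -E aes-cbc $KEY_ENC -A hmac-sha1 $KEY_AUTH;
spdadd $LAN $WEB_HOST/32 any -P in ipsec esp/tunnel/$GW_PUB-$VPN_PUB/require;
spdadd $WEB_HOST/32 $LAN any -P out ipsec esp/tunnel/$VPN_PUB-$GW_PUB/require;
EOF
}

# The SNAT rule from the post, restricted to the decapsulated LAN -> web host
# traffic leaving on the public interface, so nothing else is rewritten.
nat_rules() {
  echo "iptables -t nat -A POSTROUTING -s $LAN -d $WEB_HOST -o $PUB_IF" \
       "-j SNAT --to-source $VPN_PUB"
}

# Diagnostics: SA byte counters prove the tunnel carries traffic; the SNAT
# rule's packet counter shows whether decapsulated packets ever match it.
check_cmds() {
  cat <<EOF
setkey -D
setkey -DP
iptables -t nat -L POSTROUTING -v -n
EOF
}

# Run directly to print everything; the functions can also be sourced.
if [ "${1:-}" = "render" ]; then setkey_conf; nat_rules; check_cmds; fi
```

With a live system, a rule in the `iptables -t nat -L POSTROUTING -v -n` output whose packet count stays at zero while `setkey -D` byte counters grow confirms that the decapsulated packets are not being matched by the SNAT rule.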