I have a special situation with forwarding IPsec packets to an internal network card. Let me explain the situation.

The firewall has three network cards:

  eth0 = internal LAN (192.168.x.x)
  eth1 = external internet (213.x.x.x)
  eth2 = internal LAN for the special IPsec box (10.x.x.x external and 192.168.x.x internal)

                   /---- eth0 --------------------\
    --- eth1 -----/                                \----- 192.168.x.x
                  \                                /
                   \---- eth2 ----- ipsec box ----/

The black box provided by an external supplier is set up to build a VPN with them. I cannot change the config. The box is preconfigured. The subnet that has to be routed to the external supplier is 172.16.2.x. The firewall had a route that this subnet is routed to the IP on the internal eth0 interface.

The irony is that I had this working but wanted to tighten the security and didn't save the working rule set.

I want packets that arrive on eth1 from the external supplier to be forwarded to the eth2 interface. This works already for UDP port 500. I get the following to verify this:

  "isakmp: phase 2/others R oakley-quick[E]: [encrypted hash] (DF)"

IPsec packets that come from eth2 are routed to the external eth1 interface. Only they have the 10.x.x.x IP as their source IP, and I want it to be the external IP or else the routing goes wrong.

The firewall itself also runs IPsec for a VPN. So filtering from which IP the IPsec packets are coming and have to be forwarded is a must. I'm using only ESP and no AH, by the way.

I tried several pass-through examples from various sites, but these don't seem to work. It comes down to:

  - Forward IPsec packets to eth2
  - Route packets from eth2 out to eth1 with the correct source IP

Hope someone has an answer...

Patrick
--
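An added example of the two pieces the post asks for (forwarding the supplier's IKE/ESP traffic to the box on eth2, and sending the box's replies out of eth1 with the firewall's external address as source), written as Linux netfilter/iptables rules. This is not code from the original post, and the post does not name the firewall software; it assumes a Linux box with iptables, and the three addresses (SUPPLIER, EXT_IP, BOX) are placeholders, not values from the post. Because ESP carries no port numbers, the only selector that distinguishes the supplier's tunnel from the firewall's own IPsec peers is the supplier's source address, so every pass-through rule carries `-s $SUPPLIER`.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules for passing one
# supplier's IKE (UDP 500) and ESP traffic through to an IPsec box on eth2.
# All three addresses are placeholders assumed for illustration.
SUPPLIER=203.0.113.10   # assumed: the external supplier's VPN gateway
EXT_IP=198.51.100.2     # assumed: the firewall's own address on eth1
BOX=10.0.0.2            # assumed: the IPsec box's address on the eth2 side

# nat table: rewrite addresses. The PREROUTING rules hand only the supplier's
# IKE and ESP to the box (everything else still reaches the firewall's own
# IPsec stack); the POSTROUTING rule makes the box's packets leave eth1 with
# the firewall's external address as source instead of 10.x.x.x.
nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING  -i eth1 -s $SUPPLIER -d $EXT_IP -p udp --dport 500 -j DNAT --to-destination $BOX
iptables -t nat -A PREROUTING  -i eth1 -s $SUPPLIER -d $EXT_IP -p esp -j DNAT --to-destination $BOX
iptables -t nat -A POSTROUTING -o eth1 -s $BOX -d $SUPPLIER -j SNAT --to-source $EXT_IP
EOF
}

# filter table: allow exactly this traffic to be forwarded in both directions.
# No AH rules, matching the post (ESP only).
filter_rules() {
    cat <<EOF
iptables -A FORWARD -i eth1 -o eth2 -s $SUPPLIER -d $BOX -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -s $SUPPLIER -d $BOX -p esp -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -s $BOX -d $SUPPLIER -p udp --sport 500 --dport 500 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth1 -s $BOX -d $SUPPLIER -p esp -j ACCEPT
EOF
}

# Dry run by default (prints the rules); APPLY=1 executes them as root.
apply_rules() {
    { nat_rules; filter_rules; } | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            $rule
        else
            echo "$rule"
        fi
    done
}

# Usage:  sh ipsec-passthrough.sh          (print the rules)
#         APPLY=1 sh ipsec-passthrough.sh  (install them)
apply_rules
```

Two ordering points matter when installing these: the SNAT rule must be appended before any general MASQUERADE rule on eth1, because the first matching rule in POSTROUTING wins, and the FORWARD rules must precede a default DROP. `net.ipv4.ip_forward` also has to be enabled for either chain to see the packets at all.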