I have a special situation with forwarding ipsec packets to an internal
networkcard.
Let me explain the situation.
The firewall has three networkcards.
eth0 = internal lan (192.168.x.x)
eth1 = external internet (213.x.x.x)
eth2 = internal lan tbv special ipsec box (10.x.x.x external and
192.168.x.x internal)
/---- eth0 --------------------\
--- eth1 -----/ \----- 192.168.x.x
\ /
\---- eth2 ----- ipsec box ----/
The black box provided by an external supplier is setup to build a vpn
with them. I cannot change the config. The box is preconfigured. The
subnet that has to be routed to the external supplier is 172.16.2.x
The firewall had a route that this subnet is routed to the ip on the
internal eth0 interface ip.
The irony is that I had this working but wanted to tighten the security
and didn't save the working rule set.
I want that packets that arrive on eth1 from the external supplier to be
forwarded to the eth2 interface. This works already for udp port 500. I
get the following to verify this: "isakmp: phase 2/others R
oakley-quick[E]: [encrypted hash] (DF)"
IPsec packets that come from eth2 are routed to the external eth1
interface. Only they have the 10.x.x.x ip as their source ip and I want
it to be the external ip or else the routing goes wrong.
The firewall itself also runs IPsec for a VPN. So filtering from which
ip that IPsec packets are comming and have to be forwarded is a must.
I'm using only ESP and no AH btw.
I tried several pass-through examples from various sites, but these
don't seems to work.
It comes down to:
- Forward IPsec packets to eth2
- Route packets from eth2 out to eth1 with correct source ip.
Hope someone got an answer...
Patrick
--
Attachment:
signature.asc
Description: This is a digitally signed message part
