IPsec forwarding problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I have a special situation with forwarding ipsec packets to an internal
networkcard.

Let me explain the situation.
The firewall has three networkcards.
eth0 = internal lan (192.168.x.x)
eth1 = external internet (213.x.x.x)
eth2 = internal lan tbv special ipsec box (10.x.x.x external and
192.168.x.x internal)

               /---- eth0 --------------------\
--- eth1 -----/                                \----- 192.168.x.x
              \                                /
               \---- eth2 ----- ipsec box ----/

The black box provided by an external supplier is setup to build a vpn
with them. I cannot change the config. The box is preconfigured. The
subnet that has to be routed to the external supplier is 172.16.2.x

The firewall had a route that this subnet is routed to the ip on the
internal eth0 interface ip.

The irony is that I had this working but wanted to tighten the security
and didn't save the working rule set.

I want that packets that arrive on eth1 from the external supplier to be
forwarded to the eth2 interface. This works already for udp port 500. I
get the following to verify this: "isakmp: phase 2/others R
oakley-quick[E]: [encrypted hash] (DF)"
IPsec packets that come from eth2 are routed to the external eth1
interface. Only they have the 10.x.x.x ip as their source ip and I want
it to be the external ip or else the routing goes wrong.

The firewall itself also runs IPsec for a VPN. So filtering from which
ip that IPsec packets are comming and have to be forwarded is a must.
I'm using only ESP and no AH btw.

I tried several pass-through examples from various sites, but these
don't seems to work.

It comes down to:
- Forward IPsec packets to eth2
- Route packets from eth2 out to eth1 with correct source ip.

Hope someone got an answer...

Patrick
-- 

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux