Hallo,
I like to handle packages comming through an ipsec tunnel with dnat.
But that works not completly.
It looks as if the replypackages on the PREROUTED request aren't handeld.
Or did I have just problems to understand it?
Would be great if somebody can help me.
Sorry, my english isn't very well and my computer knowlage even worse, but I
wrote this for my husband who can't speak english at all.
I really hope somebody can help us so my husband can do other things than
hacking on his machine.
0 0 DNAT all -- ipsec0 * 10.10.200.0/24 172.28.2.162
Nov 29 16:59:39 fw kernel: IN=ipsec0 OUT=eth0 SRC=10.10.200.50
DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0
ID=30478 SEQ=62721
Nov 29 16:59:39 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.168.80
DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=17742 PROTO=ICMP TYPE=0 CODE=0
ID=30478 SEQ=62721
here more information:
Computer A: IP 192.168.168.80
Reliant Unix
Gateway A: eth0 192.168.168.59
eth1 130.168.100.1 # extern und ipsec-dev
Kernel 2.4.4-SuSE, FreeSWAN 1.92 + X509
Gateway B: eth0 10.10.200.20
ippp0 130.168.200.2 # extern and ipsec-dev
Kernel 2.4.4-SuSE, FreeSWAN 1.92
Computer B: IP 10.10.200.50
Linux Gentoo
Computer A likes to reach Computer A via IP 172.28.2.162.
Gatway A: ipsec.conf excerpt
conn gg
right=130.168.200.2
rightsubnet=10.10.200.0/24
left=130.168.100.1
leftnexthop=130.168.100.101
# leftsubnet=192.168.168.0/24
leftsubnet=172.28.2.160/28
leftupdown=/usr/local/lib/ipsec/gg_ud.sh
authby=secret
auto=add
pfs=no
Gateway B: ipsec.conf excerpt
conn gg
right=130.168.200.2
rightsubnet=10.10.200.0/24
rightnexthop=130.168.1.1
left=130.168.100.1
# leftsubnet=192.168.168.0/24#!/bin/sh
leftsubnet=172.28.2.160/28
authby=secret
The connection works if the excluded leftsubnet are
used and leftupdown is excluded, Computer B can reach Computer A.
Gatway A:>cat /usr/local/lib/ipsec/gg_ud.sh
#!/bin/sh
#
case "$PLUTO_VERB:$1" in
up-client:)
iptables -t nat -A PREROUTING -i
$PLUTO_INTERFACE $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -d 172.28.2.162 -j DNAT
--to 192.168.168.80
;;
down-client:)
iptables -t nat -D PREROUTING -i
$PLUTO_INTERFACE -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK -d 172.28.2.162 -j
DNAT --to 192.168.168.80
;;
:status)
iptables -t nat -nvL PREROUTING
;;
esac
The tunnel get established:
Gateway A:> ipsec eroute
0 172.28.2.160/28 ->
10.10.200.0/24 => tun0x1006@xxxxxxxxxxxxx
Gateway A:> iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 435120
packets, 38864020 bytes)
pkts bytes target prot opt in out
source destination
0 0 DNAT all -- ipsec0 *
10.10.200.0/24 172.28.2.162 to:192.168.168.80
Gateway B:> ipsec eroute
0 10.10.200.0/24 ->
172.28.2.160/28 => tun0x1004@xxxxxxxxxxxxx
a ping for testing,
Computer B:>ping 172.28.2.162
PING 172.28.2.162 (172.28.2.162): 56 octets
data
Gateway A:> ipsec eroute
0 172.28.2.160/28 ->
10.10.200.0/24 => tun0x1008@xxxxxxxxxxxxx
Gateway A:> iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 435490
packets, 38906905 bytes)
pkts bytes target prot opt in out
source destination
155 13020 DNAT all -- ipsec0 *
10.10.200.0/24 172.28.2.162 to:192.168.168.80
Gateway B:> ipsec eroute
278 10.10.200.0/24 ->
172.28.2.160/28 => tun0x1006@xxxxxxxxxxxxx
Gateway A:> iptables -I FORWARD -j LOG
Gateway A:> tail -f /var/log/messages
Nov 29 16:59:39 fw kernel: IN=ipsec0
OUT=eth0 SRC=10.10.200.50 DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0
DF PROTO=ICMP TYPE=8 CODE=0 ID=30478 SEQ=62721
Nov 29 16:59:39 fw kernel: IN=eth0 OUT=eth1
SRC=192.168.168.80 DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63
ID=17742 PROTO=ICMP TYPE=0 CODE=0 ID=30478 SEQ=62721
Thanks Ulla
--
HoHoHo! Seid Ihr auch alle schön brav gewesen?
GMX Weihnachts-Special: Die 1. Adresse für Weihnachts-
männer und -frauen! http://www.gmx.net/de/cgi/specialmail
+++ GMX - die erste Adresse für Mail, Message, More! +++
