dnat - ipsec


 



Hello,

I would like to handle packets coming through an IPsec tunnel with DNAT.
But it does not work completely.
It looks as if the reply packets to the PREROUTED request aren't handled.
Or do I just have problems understanding it?
It would be great if somebody could help me.
Sorry, my English isn't very good and my computer knowledge even worse, but I
wrote this for my husband, who can't speak English at all.
I really hope somebody can help us so my husband can do other things than
hacking on his machine.

    0     0 DNAT       all  --  ipsec0 *       10.10.200.0/24       172.28.2.162

Nov 29 16:59:39 fw kernel: IN=ipsec0 OUT=eth0 SRC=10.10.200.50 DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=30478 SEQ=62721
Nov 29 16:59:39 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.168.80 DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=17742 PROTO=ICMP TYPE=0 CODE=0 ID=30478 SEQ=62721

Here is more information:

Computer A:   IP 192.168.168.80
              Reliant Unix

Gateway A:    eth0 192.168.168.59
              eth1 130.168.100.1   # external and ipsec-dev
              Kernel 2.4.4-SuSE, FreeSWAN 1.92 + X509

Gateway B:    eth0 10.10.200.20
              ippp0 130.168.200.2  # external and ipsec-dev
              Kernel 2.4.4-SuSE, FreeSWAN 1.92

Computer B:   IP 10.10.200.50
              Linux Gentoo


Computer B wants to reach Computer A via IP 172.28.2.162.

Gateway A: ipsec.conf excerpt
conn gg
        right=130.168.200.2
        rightsubnet=10.10.200.0/24
        left=130.168.100.1
        leftnexthop=130.168.100.101
        # leftsubnet=192.168.168.0/24
        leftsubnet=172.28.2.160/28
        leftupdown=/usr/local/lib/ipsec/gg_ud.sh
        authby=secret
        auto=add
        pfs=no

Gateway B: ipsec.conf excerpt
conn gg
        right=130.168.200.2
        rightsubnet=10.10.200.0/24
        rightnexthop=130.168.1.1
        left=130.168.100.1
        # leftsubnet=192.168.168.0/24
        leftsubnet=172.28.2.160/28
        authby=secret


The connection works if the commented-out leftsubnet is used and
leftupdown is omitted: Computer B can reach Computer A.


Gateway A:> cat /usr/local/lib/ipsec/gg_ud.sh
#!/bin/sh
#
# FreeS/WAN updown script: add the DNAT rule when the tunnel to the
# peer subnet comes up, delete it again when the tunnel goes down.
case "$PLUTO_VERB:$1" in
up-client:)
        iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE \
                -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
                -d 172.28.2.162 -j DNAT --to 192.168.168.80
        ;;
down-client:)
        iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE \
                -s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK \
                -d 172.28.2.162 -j DNAT --to 192.168.168.80
        ;;
:status)
        iptables -t nat -nvL PREROUTING
        ;;
esac

The tunnel gets established:

Gateway A:> ipsec eroute
0          172.28.2.160/28    -> 10.10.200.0/24     => tun0x1006@xxxxxxxxxxxxx

Gateway A:> iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 435120 packets, 38864020 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  ipsec0 *       10.10.200.0/24       172.28.2.162       to:192.168.168.80

Gateway B:> ipsec eroute
0          10.10.200.0/24     -> 172.28.2.160/28    => tun0x1004@xxxxxxxxxxxxx

A ping for testing:

Computer B:> ping 172.28.2.162
PING 172.28.2.162 (172.28.2.162): 56 octets data

Gateway A:> ipsec eroute
0          172.28.2.160/28    -> 10.10.200.0/24     => tun0x1008@xxxxxxxxxxxxx

Gateway A:> iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 435490 packets, 38906905 bytes)
 pkts bytes target     prot opt in     out     source               destination
  155 13020 DNAT       all  --  ipsec0 *       10.10.200.0/24       172.28.2.162       to:192.168.168.80

Gateway B:> ipsec eroute
278        10.10.200.0/24     -> 172.28.2.160/28    => tun0x1006@xxxxxxxxxxxxx


Gateway A:> iptables -I FORWARD -j LOG

Gateway A:> tail -f /var/log/messages
Nov 29 16:59:39 fw kernel: IN=ipsec0 OUT=eth0 SRC=10.10.200.50 DST=192.168.168.80 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=30478 SEQ=62721
Nov 29 16:59:39 fw kernel: IN=eth0 OUT=eth1 SRC=192.168.168.80 DST=10.10.200.50 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=17742 PROTO=ICMP TYPE=0 CODE=0 ID=30478 SEQ=62721

Thanks Ulla
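Added example (editor's code, not Ulla's gg_ud.sh and not FreeS/WAN's own script): a variant of the updown script that hands every verb to the stock FreeS/WAN _updown first, so the route for the peer subnet over the ipsec interface is still installed and removed by the distribution script, and only then adds or deletes the DNAT rule. It assumes the stock script lives at /usr/local/lib/ipsec/_updown (UPDOWN=... overrides it) and lets IPTABLES be pointed at echo for a dry run; whether a missing route is what sends the echo replies out eth1 in the log above is an assumption, not something the mail establishes. Independent of that, one thing the FORWARD-chain LOG cannot show: netfilter applies the reverse translation of a DNAT'ed connection (rewriting the reply's source 192.168.168.80 back to 172.28.2.162) in POSTROUTING, after FORWARD, and the routing decision that picks OUT=eth1 is made before either, so seeing the real address and eth1 in the FORWARD log says nothing about the reverse NAT itself.

```shell
#!/bin/sh
# Added example, not the original poster's gg_ud.sh. A FreeS/WAN updown
# script that keeps the stock route handling and maintains the DNAT rule.
#
# Assumptions (hypothetical, not from the mail):
#   - the stock FreeS/WAN updown script is /usr/local/lib/ipsec/_updown
#     (override with UPDOWN=... for testing, e.g. UPDOWN=true);
#   - IPTABLES can be overridden (IPTABLES=echo gives a dry run).
# Pluto exports PLUTO_VERB, PLUTO_INTERFACE, PLUTO_PEER_CLIENT_NET and
# PLUTO_PEER_CLIENT_MASK to updown scripts; the addresses are the ones
# from the mail.

UPDOWN="${UPDOWN:-/usr/local/lib/ipsec/_updown}"
IPTABLES="${IPTABLES:-iptables}"
PUBLIC_ADDR="${PUBLIC_ADDR:-172.28.2.162}"   # address Computer B pings
REAL_ADDR="${REAL_ADDR:-192.168.168.80}"     # Computer A behind Gateway A

# Print the iptables arguments for the DNAT rule; $1 is -A or -D.
# Kept as a function so the rule can be checked without running iptables.
# --to-destination is the long form of the --to used in the mail.
dnat_rule_args() {
    echo "-t nat $1 PREROUTING -i $PLUTO_INTERFACE" \
         "-s $PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" \
         "-d $PUBLIC_ADDR -j DNAT --to-destination $REAL_ADDR"
}

# Word splitting of the argument list is intended here.
add_dnat_rule() {
    $IPTABLES $(dnat_rule_args -A)
}

del_dnat_rule() {
    $IPTABLES $(dnat_rule_args -D)
}

# Let the stock script install or remove the route for the peer subnet over
# the ipsec interface, then maintain the DNAT rule. Nothing runs unless
# Pluto set PLUTO_VERB (or "status" was given), so sourcing the file for
# tests has no side effects.
case "${PLUTO_VERB:-}:${1:-}" in
up-client:)
        "$UPDOWN"
        add_dnat_rule
        ;;
down-client:)
        del_dnat_rule
        "$UPDOWN"
        ;;
?*:)
        # every other verb (up-host, down-host, prepare-*, route-*, ...)
        "$UPDOWN"
        ;;
:status)
        $IPTABLES -t nat -nvL PREROUTING
        ;;
esac
```

To see what the script would do on tunnel-up without touching the nat table: UPDOWN=true IPTABLES=echo PLUTO_VERB=up-client PLUTO_INTERFACE=ipsec0 PLUTO_PEER_CLIENT_NET=10.10.200.0 PLUTO_PEER_CLIENT_MASK=24 sh gg_ud.sh prints the full rule. On the real gateway, keep the stock _updown in place and point leftupdown at this file instead of gg_ud.sh.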



