Hello,
Before you start adding in custom NAT rules, are you sure that endpoint-to-endpoint works?
If the VPN device is set up on the gw box, or the router has a route to the network on the other side of the VPN, you will not need to NAT any traffic.
We have a VPN device plugged into a production network at an IDC; the default gw is the firewall, not the VPN device, and we did not want to add a static route on the firewall. So on the VPN device, we SNAT all packets that leave that machine to its local IP. That way all connections that come in from the VPN look like they came from the VPN device.
Michael.
Chris Lyon wrote:
So, I am trying to use NAT to solve the problem below because of an IP addressing conflict, but I am not having much luck. Basically, all of Site A needs to get to only a few devices at each of Sites B and C, so I am trying to do PREROUTING NAT on the far-end systems. I have the tunnels up and I can see the traffic getting to the remote side on ipsec0, but I just can't get it to NAT from 1.1.1.1 to the real 10.10.1.1.
Commands that I think should work:

    iptables -t nat -A PREROUTING -i ipsec0 -d 1.1.1.1 -j DNAT --to 10.10.10.10
    iptables -t nat -A POSTROUTING -o ipsec0 -s 10.10.10.10 -j SNAT --to 1.1.1.1
Any ideas? Layout and configs are below.
    Site A                                    Site B
    eth0 - 192.168.254.0/24 ----Internet----- eth0 - 10.10.0.0/16
                            \                 NAT FROM 1.1.1.1 -> 10.10.1.1 (example)
                             \
                              ---Internet----- Site C
                                              eth0 - 10.10.0.0/16
                                              NAT FROM 1.1.2.1 -> 10.10.1.1 (example)
So here are the openswan configurations for your reference:
Site A
    conn site_a-to-site_b
            #---------(local side is left side)
            left=<public site a>
            leftsubnet=192.168.254.0/24
            leftnexthop=%defaultroute
            #---------(remote side is right side)
            right=<public site b>
            rightsubnet=1.1.0.0/16
            #---------Auto Key Stuff
            pfs=yes
            auth=esp
            authby=secret
            esp=3des-md5-96
            keylife=8h
            keyingtries=0
Site B
    conn site_b-to-site_a
            #---------(local side is left side)
            left=<public site b>
            leftsubnet=1.1.0.0/16
            leftnexthop=%defaultroute
            #---------(remote side is right side)
            right=<public site a>
            rightsubnet=192.168.254.0/24
            #---------Auto Key Stuff
            pfs=yes
            auth=esp
            authby=secret
            esp=3des-md5-96
            keylife=8h
            keyingtries=0
--
Michael Gale
LAN Administrator
Utilitran Corp.

We Pledge Allegiance to the Penguin
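The two NAT layouts discussed in this thread, as an added example that is not code from either poster. The script writes the iptables rules for Chris's per-host DNAT/SNAT mapping on the far end and for Michael's "SNAT everything to the VPN box's own LAN IP", and it checks the one thing that silently breaks the first layout: the overlay address must sit inside the conn's leftsubnet (1.1.0.0/16 here), or the IPsec policy never carries the packet and the PREROUTING rule never sees it. The overlay range, ipsec0 and the 10.10.x hosts come from the thread; DRY_RUN, the function names and the VPN box LAN address 10.10.0.5 are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster. Writes the
# iptables NAT rules for the two approaches discussed. Overlay range
# 1.1.0.0/16, ipsec0 and the 10.10.x hosts are from the thread; DRY_RUN,
# the function names and the VPN box LAN address 10.10.0.5 are assumptions.

# Default to printing the rules so the script can be read on any box;
# DRY_RUN=0 applies them (needs root and the iptables nat table).
: "${DRY_RUN:=1}"
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Dotted quad -> 32-bit integer (octets are decimal, no leading zeros).
ip2int() {
    _oifs=$IFS; IFS=.
    set -- $1
    IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR: true when IP falls inside CIDR. The far-end overlay
# address must lie inside the conn's leftsubnet (1.1.0.0/16 in the thread),
# otherwise the IPsec policy will not carry it and no NAT rule ever matches.
in_subnet() {
    _net=${2%/*}; _bits=${2#*/}
    _mask=$(( (0xFFFFFFFF << (32 - _bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & _mask )) -eq $(( $(ip2int "$_net") & _mask )) ]
}

# map_host OVERLAY_IP REAL_IP TUNNEL_SUBNET
# One-to-one mapping on the far end. PREROUTING runs before the routing
# decision, so a packet arriving on ipsec0 for the overlay address is
# rewritten to the real host and then routed to it. conntrack un-translates
# the replies by itself; the POSTROUTING SNAT is only needed for connections
# the real host opens towards the tunnel.
map_host() {
    in_subnet "$1" "$3" || {
        echo "refusing $1 -> $2: $1 is outside tunnel subnet $3" >&2
        return 1
    }
    ipt -t nat -A PREROUTING -i ipsec0 -d "$1" -j DNAT --to-destination "$2"
    ipt -t nat -A POSTROUTING -o ipsec0 -s "$2" -j SNAT --to-source "$1"
}

# snat_to_local LAN_IF LAN_IP REMOTE_SUBNET
# Michael's approach for a VPN box that is not the LAN's default gateway:
# rewrite the source of everything it forwards from the tunnel onto the LAN
# to its own LAN address, so replies come back to it without the firewall
# needing a route. Limiting -s to the remote subnet keeps the rule off the
# box's other traffic.
snat_to_local() {
    ipt -t nat -A POSTROUTING -o "$1" -s "$3" -j SNAT --to-source "$2"
}

# Site B from the thread: overlay 1.1.1.1 onto the real 10.10.1.1.
map_host 1.1.1.1 10.10.1.1 1.1.0.0/16
# Michael's setup, with Site A's subnet arriving over the tunnel.
snat_to_local eth0 10.10.0.5 192.168.254.0/24
```

Run it as-is to see the rules, or with `DRY_RUN=0` to apply them. Site C gets the same `map_host` call with its own overlay address (1.1.2.1 in the diagram). The overlay range should be one that neither site can otherwise reach; 1.1.0.0/16 from the thread is today a routed public range, so RFC 1918 or RFC 6598 (100.64.0.0/10) space is the safer pick.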