RE: NAT issues on a VPN tunnel

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> -----Original Message-----
> From: netfilter-bounces@xxxxxxxxxxxxxxxxxxx [mailto:netfilter-
> bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Jason Opperisano
> Sent: Wednesday, November 03, 2004 7:49 AM
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> Subject: Re: NAT issues on a VPN tunnel
> 
> On Tue, Nov 02, 2004 at 11:03:53PM -0800, Chris Lyon wrote:
> > > On Tue, 2004-11-02 at 19:35, Christopher Lyon wrote:
> > > > I believe that would cause a problem on the VPN tunnel as the
> endpoints
> > > > won't match. This would need to be done on the far end (site b).
> > >
> > > believe what you want--it works for me.
> >
> > So how do you build the tunnel?
> 
> the tunnel is built between the public external IP's of the two
> gateways.
> 
> in a scenario where site A and site B both use 10.0.0.0/24 as their
> internal network, and we need to build a VPN between them:


But that is not my case. I have three sites with the two remote sites being
in conflict. 

Site A 192.168.254.0/24
Site B 10.10.0.0/16
Site C 10.10.0.0/16

So, I would need to do the translation on the remote side, site B and site
C.

Correct? I can't see doing this at the head end.

> 
> -------
> Site A
> -------
> ipsec.conf:
>   leftsubnet=172.31.1.0/24
>   rightsubnet=172.31.2.0/24
> 
> # map our 10.0.0.0/24 to 172.31.1.0/24 when going over the VPN
> iptables -t nat -A POSTROUTING -o ipsec0 \
>   -s 10.0.0.0/24 -j NETMAP --to 172.31.1.0/24
> 
> # unmap packets from the other side to 172.31.1.0/24 to our 10.0.0.0/24
> iptables -t nat -A PREROUTING -i ipsec0 \
>   -d 172.31.1.0/24 -j NETMAP --to 10.0.0.0/24
> 
> -------
> Site B
> -------
> ipsec.conf:
>   leftsubnet=172.31.2.0/24
>   rightsubnet=172.31.1.0/24
> 
> # map our 10.0.0.0/24 to 172.31.2.0/24 when going over the VPN
> iptables -t nat -A POSTROUTING -o ipsec0 \
>   -s 10.0.0.0/24 -j NETMAP --to 172.31.2.0/24
> 
> # unmap packets from the other side to 172.31.2.0/24 to our 10.0.0.0/24
> iptables -t nat -A PREROUTING -i ipsec0 \
>   -d 172.31.2.0/24 -j NETMAP --to 10.0.0.0/24
> 
> when someone in site A needs to connect to 10.0.0.100 in site B, they
> connect to 172.31.2.100.
> 
> when someone in site B needs to connect to 10.0.0.100 in site A, they
> connect to 172.31.1.100.
> 
> keep in mind that that packets are sent over the tunnel based on their
> destination address, not their source address.  also keep in mind that
> the packets are still in the clear on ipsec* interfaces and encrypted on
> the physical interfaces.
> 
> dunno if this helps any, but it works for me.  this is how it makes
> sense to me in my head--that each side should perform it's own
> chicanery.  i'm not saying it can't be made to work some other way.
> 
> -j
> 
> --
> "'Nuke the whales?' You don't really believe that, do you?
>  I dunno. Gotta nuke something."
>         --The Simpsons
> 




[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux