No one has an idea how to solve this problem?

kind regards

Torsten

On Thursday, 15.12.2005, 16:32 +0100, Torsten Krah wrote:
> Hello.
>
> I am using ipsec-tools-0.6.x and a kernel 2.6.14.
>
> The following network setup is used:
>
> Network A is a non-private network, so all addresses are routable
> without NAT; let's call it 141.57.23.0 for example purposes.
>
> 141.57.23.1 is the main gateway, which is connected to the outside world.
> There's no NAT taking place there.
>
> Now I've got a BOX in Network A, which has 3 interfaces:
>
> eth0 - 141.57.23.18 -> connected to Network A
> eth1 - 192.168.1.1 -> private network, WLAN Access Point interface -
> only UDP packets on the OpenVPN port can pass, and DHCP for initial access.
> tap0 - 10.1.0.1 OpenVPN device (Network B); all RoadWarriors which want
> to surf the WLAN I provide get IPs in the range 10.1.0.100 - 10.1.0.200 -
> for http/ftp connections they have to use the proxy at 141.57.23.13.
>
> All connections are NATed at this BOX; with a POSTROUTING rule a SNAT to
> 141.57.23.18 is taking place.
>
> iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 141.57.23.18
>
> So far it works fine. No problems with this setup.
>
> And now the addition which causes the problem:
>
> Network A with 141.57.23.x should communicate over IPsec only.
>
> So for eth0 a new VPN should be opened with IPsec, so I can drop all
> other packets which didn't come in through the ESP protocol.
>
> The setup is working for Network A; Box 18 could reach all others in the
> network, let's take 13 (proxy) as an example - the tunnel is established
> successfully and they can communicate with each other.
>
> But for boxes in Network B (10.1.0.x) only Box 18 is reachable; all
> other connections for which a tunnel is needed aren't reachable, 13 for
> example. (Connections for which no ESP tunnel is needed according to
> ipsec.conf are still reachable, of course ... it's like the original setup
> without IPsec.)
>
> A ping from a box in Network B to B looks like the following in tcpdump:
>
> On tap0 it comes in on the router box 10.1.0.1.
> On eth0 of the same box, proto esp, there's no packet seen.
> On eth0 of the same box, the normal ICMP traffic generated from the box in
> Network B is seen - so SNAT is taking place, but the packet now has to go
> through the IPsec tunnel, but it takes the unencrypted way ... which it
> shouldn't do, because the destination host expects encrypted packets from
> that host.
>
> I know that the packets are shown twice in the chain, but there is no
> encrypted packet - only the unencrypted one is there.
>
> The OpenVPN has to be there; it shouldn't be removed for Network B - but
> the need for IPsec in Network A is there too, so I am searching for a
> solution to get these two networks to communicate with each other, so I
> wonder if there's a design error I've got, an error in general because of
> the protocol specification, or the thing which maybe is the one I hope for:
> I forgot some aspects to configure or remember.
>
> Any hints are welcome.
>
> kind regards
>
> Torsten
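An added illustration that is not part of Torsten's mail and not ipsec-tools code: a small Python model of the order in which a forwarding router applies its IPsec security policy database (SPD) and the POSTROUTING SNAT rule to one packet, using the addresses from the post. The SPD selectors, the constructed flows and the ordering assumption (policy lookup on the flow as received, SNAT rewriting the source afterwards) are assumptions made here; the `WIDER_SPD` entry and the `relookup_after_snat` switch are hypothetical variations, not a tested fix. The model only shows how the selector that the lookup sees decides between ESP and cleartext, which is what the tcpdump observation in the post turns on.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class SpdEntry:
    """The selector part of a setkey 'spdadd SRC DST any -P out ipsec esp/...' line."""
    src_net: str
    dst_net: str


@dataclass(frozen=True)
class Result:
    spd_hit: Optional[SpdEntry]  # policy entry that matched, or None
    wire_src: str                # source address tcpdump would show on eth0
    esp: bool                    # True if the packet left eth0 inside ESP


# SPD as described in the post: only Box 18 itself <-> the proxy is protected.
PAGE_SPD: List[SpdEntry] = [SpdEntry("141.57.23.18/32", "141.57.23.13/32")]

# Hypothetical wider SPD (not in the post): also select the OpenVPN clients'
# pre-NAT addresses, so the 10.1.0.x flow itself matches a policy.
WIDER_SPD: List[SpdEntry] = PAGE_SPD + [SpdEntry("10.1.0.0/24", "141.57.23.0/24")]

# Constructed flows built from the post's addresses.
PING_FROM_B = Packet("10.1.0.100", "141.57.23.13")        # RoadWarrior -> proxy
PING_FROM_BOX18 = Packet("141.57.23.18", "141.57.23.13")  # router itself -> proxy


def spd_lookup(spd: List[SpdEntry], pkt: Packet) -> Optional[SpdEntry]:
    """Return the first SPD entry whose src/dst selectors cover the packet, else None."""
    for entry in spd:
        if (ip_address(pkt.src) in ip_network(entry.src_net)
                and ip_address(pkt.dst) in ip_network(entry.dst_net)):
            return entry
    return None


def snat_postrouting(pkt: Packet, to_source: str = "141.57.23.18") -> Packet:
    """Model of: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 141.57.23.18"""
    return Packet(src=to_source, dst=pkt.dst)


def forward(pkt: Packet, spd: List[SpdEntry], relookup_after_snat: bool = False) -> Result:
    """Walk one forwarded packet through the modelled router.

    Assumption: the policy lookup is done on the flow as the router received it
    (pre-NAT) and SNAT rewrites the source afterwards. relookup_after_snat=True
    models a kernel that repeats the lookup with the translated source address.
    """
    hit = spd_lookup(spd, pkt)           # selector check sees 10.1.0.x for Network B
    natted = snat_postrouting(pkt)       # what tcpdump on eth0 sees as the source
    if hit is None and relookup_after_snat:
        hit = spd_lookup(spd, natted)
    return Result(spd_hit=hit, wire_src=natted.src, esp=hit is not None)


if __name__ == "__main__":
    for label, pkt, spd, relookup in [
        ("post: 10.1.0.100 -> 13, page SPD", PING_FROM_B, PAGE_SPD, False),
        ("post: Box 18 -> 13, page SPD", PING_FROM_BOX18, PAGE_SPD, False),
        ("hypothetical: wider SPD covering 10.1.0.0/24", PING_FROM_B, WIDER_SPD, False),
        ("hypothetical: lookup repeated after SNAT", PING_FROM_B, PAGE_SPD, True),
    ]:
        r = forward(pkt, spd, relookup)
        print(f"{label}: src on wire {r.wire_src}, {'ESP' if r.esp else 'cleartext'}")
```

With the post's SPD, the first case reproduces the tcpdump picture: the SNATed source 141.57.23.18 appears on eth0, but no ESP, because at lookup time the flow still carried 10.1.0.100, which no selector covers. The second case (Box 18 as originator) matches and goes out as ESP, as the post reports. The two hypothetical cases show the two things that would change the outcome in this model: a selector that covers the pre-NAT clients, or a lookup that sees the translated address.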