On 11/24/06, <b class="gmail_sendername">Peter McGill</b> <<a href="mailto:petermcgill@goco.net">petermcgill@goco.net</a>> wrote:<div><span class="gmail_quote"></span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Nov 24, 2006 Christian Brechbühler wrote:<br>> The Cisco side instructed us to<br>> source-network-address-translate all packets destined to them, which we do with this rule:<br>> -A POSTROUTING -d 10.14.8.0/255.255.255.0 -o eth1 -j SNAT --to-source 192.168.232.10<br><br>I've never SNAT'd through an Openswan tunnel before so I'm not exactly sure how it would work.<br>Although if you get it working, I'd like to know how, as I have a situation myself where I'm going to need it.
<br><br>Let's confirm your setup details, correct me if I'm wrong but your setup is as follows:<br><br>Your Private LAN<br>10.0.0.0/24<br>|<br>Openswan 2.4.4 (ipsec --version ?Klips or NETKEY?)
<br>
</blockquote><div> Linux Openswan U2.4.4/K2.6.11-gentoo-r5 (netkey)<br>
<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Linux 2.6.11-gentoo-r5<br>Eth1 public internet interface<br>|<br>Internet<br>|<br>Cisco
<br>|<br>Remote Network<br>10.14.8.0/24</blockquote><div><br>
Actually 10.14.8.0/29 -- the iptables rule is too
general. In our view of the world, the above diagram is correct.</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Where does 192.168.232.10 fit in? </blockquote>
<blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote">Is it just an unused address chosen at the Cisco end to NAT your traffic to them?</blockquote>
<br>
In the Cisco's view, our subnet is 192.168.232.0/24 -- yes, you're probably right about the unused address.<br>
<div><br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Have you tried the SNAT'ing with your lithium test setup?</blockquote><div>No, thanks, that's another idea to try.
<br>
</div>If I've got your setup right above, then...<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">First I'd set your leftsubnet=192.168.232.10/32 again (and on the Cisco).
</blockquote><div>I don't see a difference in the behavior any more. I assume they changed it to Xsubnetwithin <br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">If NETKEY the -o eth1 -j SNAT is good (if that is your external interface.)<br>With Klips it would be -o ipsec0 -j SNAT ...
</blockquote><div><br>
Pretty sure it's NETKEY -- see above. No ipsecX interfaces;
we have eth0, eth1, lo, ppp0, and ppp1. The latter two are for
Windows machines, which do PPP over L2TP over IPsec.<br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">That's how I would guess it should work, however again, I've never actually SNAT'd through a tunnel.
<br>Perhaps someone else has, and/or has some insight?<br>
</blockquote></div><br>
I'll let you know if I get it to work. But even without SNAT, I
get this weird situation (not serious, but may be the same
issue): When lithium establishes an IPsec tunnel to the vpn
gateway, connections that lithium initiates (ping, ssh, traceroute,
http) work fine. Any connection to lithium that the gateway
initiates fails. Is this normal? I suspect NO, and the
firewall on the gateway may be ruining things.<br>
<br>
/Christian<br>
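<br>
The thread's two open points (why leftsubnet should name the post-NAT address, and why the posted /24 SNAT rule is "too general" for a /29 tunnel) come down to the order in which a NETKEY host processes an outbound packet: the nat POSTROUTING chain rewrites the source first, and only then does the xfrm output lookup compare the rewritten packet against the conn's leftsubnet/rightsubnet selectors. The following is an added model of that order, written for this page and not part of the original message or of Openswan. The addresses, interface name and conn selectors are the ones quoted in the thread; the sample packets, the conn name and every class and function name are constructed for the example, and the counter-example conn with leftsubnet=10.0.0.0/24 is an assumption about what the config looked like before the suggested change.

```python
"""Model (not from the thread) of what a NETKEY host does to one outbound
packet: the nat POSTROUTING chain rewrites the source first, and only then
are the IPsec policy selectors (leftsubnet/rightsubnet) matched against the
rewritten packet.  Addresses and the interface name come from the thread;
packet sources, the conn name and the helper names are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    out_if: str


@dataclass(frozen=True)
class SnatRule:
    """-A POSTROUTING -d <dst> -o <out_if> -j SNAT --to-source <to_source>"""
    dst: IPv4Network
    out_if: str
    to_source: IPv4Address


@dataclass(frozen=True)
class Policy:
    """One Openswan conn, reduced to its traffic selectors."""
    name: str
    leftsubnet: IPv4Network   # local side, as the peer expects to see it
    rightsubnet: IPv4Network  # remote side


def apply_snat(pkt: Packet, rules: list) -> Packet:
    """First matching POSTROUTING rule wins; no match leaves the packet alone."""
    for r in rules:
        if pkt.out_if == r.out_if and pkt.dst in r.dst:
            return Packet(r.to_source, pkt.dst, pkt.out_if)
    return pkt


def match_policy(pkt: Packet, policies: list) -> Optional[Policy]:
    """xfrm output lookup: both selectors must match the (already NATted) packet."""
    for p in policies:
        if pkt.src in p.leftsubnet and pkt.dst in p.rightsubnet:
            return p
    return None


def send(pkt: Packet, rules: list, policies: list) -> tuple:
    """Return (packet as it leaves the box, 'esp' or 'clear', matched conn name)."""
    natted = apply_snat(pkt, rules)
    pol = match_policy(natted, policies)
    return natted, ("esp" if pol else "clear"), (pol.name if pol else None)


def rule_wider_than_tunnel(rule: SnatRule, policy: Policy) -> bool:
    """True when the SNAT rule also rewrites traffic the tunnel will not carry."""
    return not rule.dst.subnet_of(policy.rightsubnet)


# --- values quoted in the thread -----------------------------------------
SNAT_AS_POSTED = SnatRule(ip_network("10.14.8.0/255.255.255.0"), "eth1",
                          ip_address("192.168.232.10"))
SNAT_NARROWED = SnatRule(ip_network("10.14.8.0/29"), "eth1",
                         ip_address("192.168.232.10"))
# leftsubnet set to the post-NAT address, as suggested in the thread
CONN_NATTED_LEFT = Policy("cisco", ip_network("192.168.232.10/32"),
                          ip_network("10.14.8.0/29"))
# leftsubnet left at the real LAN prefix (constructed counter-example)
CONN_LAN_LEFT = Policy("cisco", ip_network("10.0.0.0/24"),
                       ip_network("10.14.8.0/29"))

# constructed sample packets from a LAN host
TO_TUNNEL_HOST = Packet(ip_address("10.0.0.7"), ip_address("10.14.8.3"), "eth1")
TO_OTHER_HOST = Packet(ip_address("10.0.0.7"), ip_address("10.14.8.100"), "eth1")


def demo() -> dict:
    """The cases worth checking before trusting the rule set."""
    return {
        # post-NAT source matches leftsubnet -> encapsulated as expected
        "natted_left": send(TO_TUNNEL_HOST, [SNAT_AS_POSTED], [CONN_NATTED_LEFT])[1],
        # leftsubnet still names the LAN -> the NATted packet misses the policy
        "lan_left": send(TO_TUNNEL_HOST, [SNAT_AS_POSTED], [CONN_LAN_LEFT])[1],
        # /24 rule rewrites a packet the /29 tunnel never carries -> leaves in clear
        "wide_rule_other_host": send(TO_OTHER_HOST, [SNAT_AS_POSTED], [CONN_NATTED_LEFT]),
        "rule_too_wide": rule_wider_than_tunnel(SNAT_AS_POSTED, CONN_NATTED_LEFT),
        "narrowed_ok": rule_wider_than_tunnel(SNAT_NARROWED, CONN_NATTED_LEFT),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The model covers outbound packets only, which is the direction the SNAT rule touches; the inbound asymmetry described at the end of the message (gateway-initiated connections to lithium failing) is a separate matter of what the gateway's INPUT/FORWARD rules admit after decryption, and is not modelled here.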