[Openswan Users] Routing problem with tunnel established

Paul Wouters paul at xelerance.com
Fri Jan 13 17:10:23 CET 2006


On Fri, 13 Jan 2006, webmaster at elnportal.it wrote:

> Hi to all, I've a problem on my net-to-net vpn tunnel.
>
> I can ping the subnets from each other except for one AS400 server and 2 CISCO
> routers. I think that for routers the problem is the ACL .... so I'm trying to
> SNAT the packet before.
>
> Let's make it clear.
>
> REMOTE CISCO ACL 10.0.2.0/24 CISCO IP 10.0.2.1
> LOCAL SUBNET TRYING TO CONNECT TO CISCO DEVICE 10.0.1.0/24
>
> 10.0.1.0/24 -- OPENSWAN GATEWAY1 ==== OPENSWAN GATEWAY2 -- 10.0.2.0/24 (here CISCO 10.0.2.1)
>
> when I try to ping 10.0.2.1 from 10.0.1.0/24 subnet I can't receive any
> response.
>
> tcpdumping the internet LAN of vpn end terminal physically connected to 10.0.2.1
> I see that ESP packets flow from 10.0.1.0/24 subnet to 10.0.2.1 but 10.0.2.1
> doesn't reply.
>
> I would like to change source IP from 10.0.1.0/24 to a dummy ip accepted by the
> CISCO ACL (a reserved IP on 10.0.2.0/24 subnet) using SNAT.
>
> I've tried
> iptables -t nat -A POSTROUTING -d 10.0.2.1 -j SNAT --to 10.0.2.254
> on Openswan Gateway connected to 10.0.1.0/24 but it doesn't seem to work.
>
> Tried too
> iptables -t nat -A POSTROUTING -d 10.0.2.1 -j SNAT --to 10.0.2.254
> on Openswan Gateway connected to 10.0.2.0/24 subnet but it still doesn't work.
>
> I think that firewall decisions are taken before vpn packet information
> extraction.
>
> What can I do? Can I operate some modification on the mangle table to achieve my
> goal?

If you can SNAT on the incoming local ethX interface, then it should work.
SNAT'ing the linux machine's one IP to something else is very tricky in
combination with ipsec. It might work with KLIPS, and for NETKEY you would
have to try bleeding edge netfilter patch-o-matic patches.

Paul
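Paul's suggestion of scoping the SNAT, as an added example that is not part of the thread: a dry-runnable POSIX shell script contrasting the rule quoted above with one restricted to tunnel traffic leaving the LAN interface of the gateway on the 10.0.2.0/24 side, applied after ESP decapsulation (so the tunnel's 10.0.1.0/24 source selector is untouched). The interface name eth1, adding 10.0.2.254 as a secondary address so the gateway answers ARP for it, and the IPTABLES/IP variables for dry-running are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not code from the thread. SNAT the remote LAN's traffic on
# the gateway that owns 10.0.2.0/24, after the ESP packets have been
# decapsulated. Assumptions (hypothetical): LAN_IF is that gateway's LAN
# interface, NAT_IP is unused on 10.0.2.0/24, and the tunnel carries
# 10.0.1.0/24 <-> 10.0.2.0/24. Set IPTABLES=echo IP=echo to dry-run.
IPTABLES="${IPTABLES:-iptables}"
IP="${IP:-ip}"
LAN_IF="${LAN_IF:-eth1}"
LOCAL_NET="10.0.1.0/24"
TARGET="10.0.2.1"
NAT_IP="10.0.2.254"

# Rule as posted: matches every packet to the target on any interface and from
# any source, so it also rewrites traffic that never crossed the tunnel.
loose_rule() {
    echo "-t nat -A POSTROUTING -d $TARGET -j SNAT --to $NAT_IP"
}

# Narrowed rule: only forwarded packets whose source is the far-side subnet
# (i.e. they arrived through the tunnel) and that leave on the LAN interface.
# POSTROUTING cannot match the inbound interface (-i), and NETKEY has no
# ipsecX device, so source subnet plus outbound interface are the handles.
scoped_rule() {
    echo "-t nat -A POSTROUTING -s $LOCAL_NET -d $TARGET -o $LAN_IF -j SNAT --to $NAT_IP"
}

apply_snat() {
    # The gateway must answer for NAT_IP, otherwise the device's replies to
    # 10.0.2.254 have no ARP target and conntrack never reverses the SNAT.
    $IP addr add "$NAT_IP/32" dev "$LAN_IF" 2>/dev/null || true
    $IPTABLES $(scoped_rule)
}
```

Run it on the gateway facing 10.0.2.0/24, not on the 10.0.1.0/24 side: a packet rewritten to source 10.0.2.254 before encapsulation no longer matches a policy whose source selector is 10.0.1.0/24.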

