[Openswan Users]

Stefan Denker Stefan at dn-kr.de
Thu Jul 20 18:15:24 CEST 2006


On Wed, Jul 19, 2006 at 09:33:08AM -0300, Frederico Madeira wrote:
> I need to make another VPN connection with another customer, so I added
> these lines to my firewall:
> VPN1= 192.168.0.1/24
> VPN2= 192.168.0.2/24

First of all, these are not valid subnet declarations. All host bytes should
be set to zero, which would make both of them equal to 192.168.0.0/24.

> $IPTABLES -t nat -A POSTROUTING -o $TELEMAR_INTERFACE -d ! $VPN1 -j MASQUERADE
> $IPTABLES -t nat -A POSTROUTING -o $TELEMAR_INTERFACE -d ! $VPN2 -j MASQUERADE
> And connections to VPN2 don't work because they are masqueraded by the first rule.

The first matching rule is applied to the packet, yes.

So you can use:

iptables -t nat -A POSTROUTING -o $TELEMAR_INTERFACE -d $VPN1 -j ACCEPT
iptables -t nat -A POSTROUTING -o $TELEMAR_INTERFACE -d $VPN2 -j ACCEPT
... [repeat for every VPN you've got]
iptables -t nat -A POSTROUTING -o $TELEMAR_INTERFACE -j MASQUERADE

> How do I resolve this problem, to allow more than one VPN connection on
> the NAT gateway?

HTH

Stefan

-- 
- "What're quantum mechanics?"
- "I don't know. People who repair quantums, I suppose."
        -- (Terry Pratchett, Eric)
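The two points made in the reply, the host bits in the subnet declarations and the first-match ordering of the POSTROUTING chain, as an added example that is not part of the original mail. It assumes eth0 stands in for $TELEMAR_INTERFACE and a constructed second customer subnet 10.1.0.0/24; the rule lists are generated and simulated offline, nothing is applied to a real firewall.

```python
# Added example (not from the mail): check the subnet declarations and
# simulate netfilter's first-match semantics for the two rule orderings.
import ipaddress

WAN_IF = "eth0"  # assumed stand-in for $TELEMAR_INTERFACE

def normalize_subnet(decl):
    """Return (network, was_valid). '192.168.0.1/24' has host bits set,
    which ipaddress rejects in strict mode; we then zero them to 192.168.0.0/24."""
    try:
        return ipaddress.ip_network(decl, strict=True), True
    except ValueError:
        return ipaddress.ip_network(decl, strict=False), False

# A rule is (network-or-None, negate, target); None matches every destination.
def broken_rules(vpn_nets):
    """The original approach: one '-d ! $VPNx -j MASQUERADE' per VPN."""
    return [(net, True, "MASQUERADE") for net in vpn_nets]

def fixed_rules(vpn_nets):
    """The suggested approach: ACCEPT each VPN subnet, then one catch-all MASQUERADE."""
    return [(net, False, "ACCEPT") for net in vpn_nets] + [(None, False, "MASQUERADE")]

def render(rules):
    """Turn the rule tuples into iptables command lines."""
    lines = []
    for net, negate, target in rules:
        match = "" if net is None else f" -d {'! ' if negate else ''}{net}"
        lines.append(f"iptables -t nat -A POSTROUTING -o {WAN_IF}{match} -j {target}")
    return lines

def first_match(rules, dst):
    """Netfilter semantics: the first rule whose match fits the packet decides."""
    addr = ipaddress.ip_address(dst)
    for net, negate, target in rules:
        if net is None or (addr in net) != negate:
            return target
    return None  # fell off the chain: no NAT applied

if __name__ == "__main__":
    # Constructed input: the mail's VPN1 plus an assumed second customer subnet.
    vpns = [normalize_subnet(d)[0] for d in ("192.168.0.1/24", "10.1.0.0/24")]
    for build in (broken_rules, fixed_rules):
        print("\n".join(render(build(vpns))))
        print("-> packet to 10.1.0.5 gets:", first_match(build(vpns), "10.1.0.5"))
```

With the broken ordering a packet to the second VPN hits the first rule (it is not in VPN1) and is masqueraded; with the ACCEPT-first ordering it leaves the chain untouched while Internet traffic is still masqueraded.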