[Openswan Users] Question regarding DMZ
gary.smith at holdstead.com
Fri Mar 5 14:47:33 EST 2010
> Until yesterday, everything was NAT'ed in our network, but because of some
> limitations, we moved several external-facing servers into a DMZ. We have also
> moved the openswan server there as well. All of the routes are back up and
> most things are running smoothly.
> The problem is that one of the servers in the DMZ is a terminal server and
> when users connect to that server and need to access things on one of the
> remote ipsec connections, it fails.
> My understanding is that this is because the public IPs that we are using are not
> part of the secure ipsec connection. This makes sense.
> My question is how do I fix it? Do I simply put a new connection with the
> public IP information in it and propagate it to all of the servers or is there
> something else I need to be mindful of?
> The firewall is a bridged firewall and the ipsec is on a dedicated Linux
> instance. The firewall has the proper routes for the remote networks pointing
> to the ipsec box.
My workaround for the problem, which is only a one-way workaround, is to put a POSTROUTING rule in place for the IPs that are in the DMZ that will be traversing the ipsec to the remote connection with an alias IP of one of the LAN IPs (which in this case is an unused LAN IP).
I would still like a more elegant solution. This, by the way, is on CentOS 5.4 systems (with the NSS stuff stripped from it).
Linux Openswan U2.6.24/K2.6.18-164.10.1.el5 (netkey)
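An added example, not part of the list post, showing the two approaches discussed: the one-way POSTROUTING SNAT workaround and the second conn covering the DMZ range. All addresses, interface and conn names below are constructed placeholders, and `lan-to-remote` is an assumed name for the existing tunnel conn.

```shell
#!/bin/sh
# Constructed placeholder values; substitute the real ones.
DMZ_HOST="203.0.113.10"       # terminal server in the DMZ (public IP, outside leftsubnet)
DMZ_NET="203.0.113.0/24"      # whole DMZ range
LAN_NET="192.168.1.0/24"      # leftsubnet of the existing tunnel
REMOTE_NET="10.20.0.0/16"     # rightsubnet of the existing tunnel
ALIAS_IP="192.168.1.250"      # unused LAN IP that the existing IPsec policy already covers

# One-way workaround: rewrite the DMZ host's source address to the alias so the packet
# matches the existing policy on its way out. Replies are reversed by conntrack, but
# the remote side still cannot initiate a connection to the DMZ host.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s' \
        "$DMZ_HOST" "$REMOTE_NET" "$ALIAS_IP"
}

# Sanity check before applying: the alias must lie inside leftsubnet or the SNAT'd
# packet is no better off. Prefix comparison is sufficient for a /24.
alias_in_subnet() {
    case "$1" in
        "${2%.*}".*) return 0 ;;
        *) return 1 ;;
    esac
}

apply_workaround() {
    alias_in_subnet "$ALIAS_IP" "$LAN_NET" || { echo "alias outside leftsubnet" >&2; return 1; }
    eval "$(snat_rule)"
}

# The alternative the post asks about: a second conn whose leftsubnet is the DMZ
# range, so DMZ sources match an IPsec policy directly and traffic works both ways.
# The same conn must be added on the remote end (with left/right swapped).
dmz_conn() {
    cat <<EOF
conn dmz-to-remote
    also=lan-to-remote
    leftsubnet=$DMZ_NET
    rightsubnet=$REMOTE_NET
    auto=start
EOF
}
```

Run `apply_workaround` as root for the temporary fix, or append the output of `dmz_conn` to ipsec.conf on both ends and reload.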