[Openswan Users] ipsec and snat

Alexander 'Leo' Bergolth leo at strike.wu.ac.at
Tue Sep 4 05:24:38 EDT 2012


Hi!

I have a shorewall firewall that connects two private subnets via ipsec
and also has a dmz.

private net                                  private remote net
Zone: int                                    Zone: vpn
10.0.1.0/24 --- shorewall --- Internet ---   10.0.2.0/24
                 /      \  -  - ipsec -  -   /
                /
             DMZ
        1.2.3.0/24

Connecting the two subnets works fine. There are ipsec policies that
match my two private subnets.

However, I'd like to make a single exception and allow one host in the
DMZ to make dns requests to one host in the remote net (via ipsec). I'd
like to use SNAT to map its address to an address in the internal net.

There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
masq in order to make the SNAT filter work:
-------------------- 8< --------------------
outgoing INTERFACE    SOURCE     ADDRESS    PROTO   PORT(S) IPSEC   MARK
eth0:10.0.2.0/24      1.2.3.4    10.0.1.9   -       -       no
-------------------- 8< --------------------

(This includes a "policy match dir out pol none" filter, which matches
the packets from my DMZ host when they first pass the POSTROUTING chain,
before they are rewritten using SNAT.)

Unfortunately the other shorewall policies and rules still won't work
because the calls to the dmz2vpn chains also include "policy match dir
out pol ipsec", which won't match because there is no security policy
for the DMZ.

Do you have any hints how to solve this?

Thanks in advance,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
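To make the ordering problem in the post concrete, here is a small added model of the packet path (example code, not shorewall's or Openswan's own logic). It assumes the Linux netfilter order the post runs into: the FORWARD chain (where the dmz2vpn call and its "policy match dir out pol ipsec" live) evaluates the packet with its original source address, SNAT happens later in POSTROUTING, and the SPD is consulted again for the rewritten source; the SPD, the zone networks and the DNS host 10.0.2.53 are constructed from the post's diagram, and the post-SNAT re-lookup is an assumption about kernel behaviour, not something the post states.

```python
"""Toy model of FORWARD -> POSTROUTING ordering with 'policy match' (constructed example)."""
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Constructed SPD: as in the post, only the two private subnets have an
# IPsec policy; the DMZ (1.2.3.0/24) has none.
SPD = [
    (ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")),
]

# Zones taken from the post's diagram.
ZONES = {
    "int": ipaddress.ip_network("10.0.1.0/24"),
    "dmz": ipaddress.ip_network("1.2.3.0/24"),
}
VPN_NET = ipaddress.ip_network("10.0.2.0/24")

def xfrm_policy(pkt: Packet) -> str:
    """Outbound SPD lookup: 'ipsec' if some entry covers the flow, else 'none'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net in SPD:
        if s in src_net and d in dst_net:
            return "ipsec"
    return "none"

def policy_match(pkt: Packet, pol: str) -> bool:
    """Model of the iptables 'policy match dir out pol <pol>' test."""
    return xfrm_policy(pkt) == pol

def forward_chain(pkt: Packet) -> str:
    """FORWARD stage: the <zone>2vpn call requires 'pol ipsec' to recognise the
    vpn zone, and it sees the ORIGINAL (pre-SNAT) source address."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for zone, net in ZONES.items():
        if src in net and dst in VPN_NET and policy_match(pkt, "ipsec"):
            return f"{zone}2vpn"
    return "no-zone-match"

def postrouting_chain(pkt: Packet) -> Packet:
    """POSTROUTING stage: the post's masq entry
    'eth0:10.0.2.0/24  1.2.3.4  10.0.1.9  -  -  no', i.e. SNAT guarded by
    'policy match dir out pol none'."""
    dst = ipaddress.ip_address(pkt.dst)
    if pkt.src == "1.2.3.4" and dst in VPN_NET and policy_match(pkt, "none"):
        return replace(pkt, src="10.0.1.9")
    return pkt

def trace(pkt: Packet) -> dict:
    """Run one packet through both stages and report what each stage saw.
    'policy_after_snat' assumes the kernel re-checks the SPD for the rewritten
    source (assumption, see lead-in)."""
    fwd = forward_chain(pkt)
    after_nat = postrouting_chain(pkt)
    return {
        "forward": fwd,
        "src_after_snat": after_nat.src,
        "policy_after_snat": xfrm_policy(after_nat),
    }

if __name__ == "__main__":
    # DMZ host asking the remote DNS server (10.0.2.53 is a constructed address).
    print(trace(Packet("1.2.3.4", "10.0.2.53")))
    # A host in the internal net for comparison.
    print(trace(Packet("10.0.1.5", "10.0.2.53")))
```

The first trace shows the mismatch the post describes: in FORWARD the DMZ packet still carries 1.2.3.4, so the SPD lookup yields "none", the dmz2vpn rule with "pol ipsec" does not fire, while the masq rule with "pol none" does match and rewrites the source to 10.0.1.9 only afterwards, at which point the flow finally falls under the 10.0.1.0/24 policy. The internal host passes the FORWARD check directly because its original address is already covered by the SPD.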
