[Openswan Users] ipsec and snat

Alexander 'Leo' Bergolth leo at strike.wu.ac.at
Tue Sep 4 05:24:38 EDT 2012


I have a shorewall firewall that connects two private subnets via ipsec
and also has a dmz.

private net                                  private remote net
Zone: int                                    Zone: vpn --- shorewall --- Internet ---
                 /      \  -  - ipsec -  -   /

Connecting the two subnets works fine. There are ipsec policies that
match my two private subnets.

However, I'd like to make a single exception and allow one host in the
DMZ to make dns requests to one host in the remote net (via ipsec). I'd
like to use SNAT to map its address to an address in the internal net.

There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
masq in order to make the SNAT filter work:
-------------------- 8< --------------------
eth0:   -       -       no
-------------------- 8< --------------------

(This includes a "policy match dir out pol none" filter, which matches
the packets from my DMZ host when they fist pass the POSTROUTING chain,
before they are rewritten using SNAT.)

Unfortunately the other shorewall policies and rules still won't work
because the calls to the dmz2vpn chains also include "policy match dir
out pol ipsec", which won't match because there is no security policy
for the DMZ.

Do you have any hints how to solve this?

Thanks in advance,
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria

More information about the Users mailing list