[Openswan Users] ipsec and snat

Alexander 'Leo' Bergolth leo at strike.wu.ac.at
Tue Sep 4 08:52:50 EDT 2012


On 09/04/2012 11:24 AM, Alexander 'Leo' Bergolth wrote:
> I have a shorewall firewall that connects two private subnets via ipsec
> and also has a dmz.
> 
> private net                                  private remote net
> Zone: int                                    Zone: vpn
> 10.0.1.0/24 --- shorewall --- Internet ---   10.0.2.0/24
>                  /      \  -  - ipsec -  -   /
>                 /
>              DMZ
>         1.2.3.0/24
> 
> Connecting the two subnets works fine. There are ipsec policies that
> match my two private subnets.
> 
> However, I'd like to make a single exception and allow one host in the
> DMZ to make dns requests to one host in the remote net (via ipsec). I'd
> like to use SNAT to map its address to an address in the internal net.
> 
> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
> masq in order to make the SNAT filter work:
> -------------------- 8< --------------------
> outgoing INTERFACE    SOURCE     ADDRESS    PROTO   PORT(S) IPSEC   MARK
> eth0:10.0.2.0/24      1.2.3.4    10.0.1.9   -       -       no
> -------------------- 8< --------------------
> 
> (This includes a "policy match dir out pol none" filter, which matches
> the packets from my DMZ host when they first pass the POSTROUTING chain,
> before they are rewritten using SNAT.)
> 
> Unfortunately the other shorewall policies and rules still won't work
> because the calls to the dmz2vpn chains also include "policy match dir
> out pol ipsec", which won't match because there is no security policy
> for the DMZ.
> 
> Do you have any hints how to solve this?

Oops, sorry.
I actually intended to post this to the shorewall mailing list.

However, maybe an openswan expert can also help? ;-)

Thanks,
--leo
-- 
e-mail   ::: Leo.Bergolth (at) wu.ac.at
fax      ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
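As an added illustration (not part of the original post, and not Shorewall's actual generated output): the two iptables rules the post describes, written in iptables-restore format, side by side. The nat rule is the masq entry with IPSEC=no; the filter rule is a dmz2vpn chain entry carrying the "policy match dir out pol ipsec" the post says Shorewall adds. The DMZ interface name (eth1), the exact option order and the use of FORWARD as the calling chain are assumptions.

```iptables
*nat
# Masq line from the post: SNAT the DMZ host to 10.0.1.9 when going to the
# remote net. "--pol none" matches because, on its first pass through
# POSTROUTING, the packet's source (1.2.3.4) is covered by no IPsec policy.
-A POSTROUTING -s 1.2.3.4 -d 10.0.2.0/24 -o eth0 -m policy --dir out --pol none -j SNAT --to-source 10.0.1.9
COMMIT

*filter
# Jump into the dmz2vpn chain as the post describes it (assumed placement in
# FORWARD; eth1 is the assumed DMZ interface). "--pol ipsec" requires an
# outbound IPsec policy to match the packet, and for a 1.2.3.4 source there is
# none, so the dmz2vpn rules are never consulted.
-A FORWARD -i eth1 -o eth0 -m policy --dir out --pol ipsec -j dmz2vpn
COMMIT
```

The filter chain is traversed before the nat POSTROUTING rewrite, so the policy match in FORWARD sees the original DMZ source address, which is what the post is observing.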