[Openswan Users] ipsec and snat
Alexander 'Leo' Bergolth
leo at strike.wu.ac.at
Tue Sep 4 08:52:50 EDT 2012
On 09/04/2012 11:24 AM, Alexander 'Leo' Bergolth wrote:
> I have a shorewall firewall that connects two private subnets via ipsec
> and also has a dmz.
>
>    private net                                 private remote net
>    Zone: int                                   Zone: vpn
>    10.0.1.0/24 --- shorewall --- Internet --- 10.0.2.0/24
>                    /   \    - - ipsec - -    /
>                   /
>                 DMZ
>              1.2.3.0/24
>
> Connecting the two subnets works fine. There are ipsec policies that
> match my two private subnets.
>
> However, I'd like to make a single exception and allow one host in the
> DMZ to make dns requests to one host in the remote net (via ipsec). I'd
> like to use SNAT to map its address to an address in the internal net.
>
> There is no ipsec policy for the DMZ net, so I have to use "IPSEC=no" in
> masq in order to make the SNAT filter work:
> -------------------- 8< --------------------
> outgoing
> INTERFACE          SOURCE    ADDRESS    PROTO  PORT(S)  IPSEC  MARK
> eth0:10.0.2.0/24   1.2.3.4   10.0.1.9   -      -        no
> -------------------- 8< --------------------
>
> (This includes a "policy match dir out pol none" filter, which matches
> the packets from my DMZ host when they first pass the POSTROUTING chain,
> before they are rewritten using SNAT.)
>
> Unfortunately the other shorewall policies and rules still won't work
> because the calls to the dmz2vpn chains also include "policy match dir
> out pol ipsec", which won't match because there is no security policy
> for the DMZ.
>
> Do you have any hints how to solve this?
Oops, sorry.
I actually intended to post this to the shorewall mailinglist.
However, maybe an openswan expert can also help? ;-)
Thanks,
--leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria