RE: [Users] From subnet to subnet

From: Miky J (mikydeb_at_yahoo.fr)
Date: Tue Oct 15 2002 - 22:59:39 CEST


Yes I did patch the kernel, I didn't mention it but you're right to ask the question just in case.
On my FW1 I do tcpdump -i eth0|grep ESP and I have
21:11:11.714589 mailgate.xxx.info > hostxxx-xxx-xxx-139.in-addr.btopenworld.com: ESP(spi=0xa27fcd92,seq=0x467)
On my FW2 I do the same and I have
21:15:03.821997 yyy.yyy.yyy.18 > xxx.xxx.xx.139: ESP(spi=0xa27fcd92,seq=0x446)

So I assume the packets are going through the internet in an encrypted mode.

I have set up nat because my FW are natting packets from my LANs

It looks like this on both FW

iptables -t nat -A POSTROUTING -s $LAN -d \! 192.168.2.0/24 -o eth0 -j SNAT --to $external_iface_fw1

iptables -t nat -A POSTROUTING -s $LAN -d \! 192.168.1.0/24 -o eth0 -j SNAT --to $external_iface_fw2

Ok so what procedure do you think I should follow to resolve that?
What I feel is that FW2 is not forwarding the packets to Lan2 (after they've been sent from Lan1....FW1....Internet....FW2) because using iptraf I don't see them going.
...Ok I've just run tcpdump on FW2 to see if the packets are forwarded and nothing seems to show up.
Any ideas?
By the way, do I have to write prerouting rules? I wrote these rules
iptables -t nat -A PREROUTING -p udp -s $internet -i ppp0 --dport 500 -j DNAT --to $external_iface_fw
iptables -t nat -A PREROUTING -p 50 -s $internet -i ppp0 -j DNAT --to $external_iface_fw

Even deleting these rules doesn't work.
Regards
 
felippe <felippe_at_xlsol.com> wrote:
You cannot NAT ipsec packets, because you will mess with the header. To use NAT with freeswan you need to patch the freeswan to ignore this kind of change on the header. I don't see why you are trying to NAT the packets? If you can make a more detailed description of your network I will be more than happy to help you.
Regards,
Felippe Piazza.

-----Original Message-----
From: users-admin_at_lists.freeswan.org [mailto:users-admin_at_lists.freeswan.org] On Behalf Of Miky J
Sent: Tuesday, 15 October 2002 13:56
To: users_at_lists.freeswan.org
Subject: [Users] From subnet to subnet

Hi List,

I know the question has already been asked but I didn't find my answer even searching in the mailing list archives.

I want to do that

lan1(192.168.1.0/24)<-->(192.168.1.254)FW1(x.y.z.1)<---->(x.y.z.2)R<----------------->Internet<------------>R(a.b.c.2)<------>(a.b.c.1)FW2(192.168.2.254)<----->lan2(192.168.2.0/24)

The two FW are doing masquerading and encryption.

When I want to ping from a machine in lan1 to a machine in lan2, it doesn't work. Nothing appears with a tcpdump -i ipsec0

If I ping from a machine in lan1 to the external interface of FW2 (a.b.c.1) it does work and with iptraf I can see some p50 packets.

On FW2 my nat rules are

iptables -t nat -A PREROUTING -p udp -s $internet -i ppp0 --dport 500 -j DNAT --to $externalfw2
iptables -t nat -A PREROUTING -p 50 -s $internet -i ppp0 -j DNAT --to $externalfw2

I told both FW to accept all the packets in the filter table to avoid adding these problems.

Does anyone have an idea why it doesn't work?

Do I have to write specific rules in the nat tables? Are mine correct?

Why is the protocol called 50? Because the ones I knew before were not called with numbers (tcp, udp, icmp). Ok I know these ones are not located on the same OSI layer.

Thanks for the help, I hope I'll be able to resolve that problem

---------------------------------
Yahoo! Mail -- A free @yahoo.fr address, in French!


_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
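As an added illustration (not code from the thread, from FreeS/WAN or from the posters), the Python below models why the `-d \! 192.168.2.0/24` exclusion in the POSTROUTING SNAT rules matters: once a LAN-to-LAN packet has been SNATed to the firewall's public address, its source no longer falls inside the subnet-to-subnet selector, so the tunnel policy cannot match it and it leaves in the clear. It assumes the cleartext packet reaches a rule with `-o eth0` before the selector is consulted, and uses documentation-range addresses in place of the thread's x.y.z.1.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the thread's x.y.z.1 (not the poster's real ones).
LAN1 = ip_network("192.168.1.0/24")
LAN2 = ip_network("192.168.2.0/24")
FW1_EXTERNAL = "203.0.113.1"

def snat_rule(src_net, exclude_dst_net, out_if, to_addr):
    """Model one rule of the form
       iptables -t nat -A POSTROUTING -s SRC -d ! EXCLUDE -o OUT_IF -j SNAT --to TO
    Returns a matcher yielding the new source address, or None when the rule does not match."""
    def match(pkt):
        if pkt["out_if"] != out_if:
            return None
        if ip_address(pkt["src"]) not in src_net:
            return None
        if exclude_dst_net is not None and ip_address(pkt["dst"]) in exclude_dst_net:
            return None  # the "-d !" exclusion: leave tunnel-bound traffic untouched
        return to_addr
    return match

def postrouting(pkt, rules):
    """First matching SNAT rule wins, as in the nat table; returns the packet after NAT."""
    for rule in rules:
        new_src = rule(pkt)
        if new_src is not None:
            return {**pkt, "src": new_src}
    return pkt

def tunnel_selector_matches(pkt):
    """Subnet-to-subnet policy (leftsubnet=192.168.1.0/24, rightsubnet=192.168.2.0/24):
    only packets whose post-NAT source and destination fall in those subnets get encrypted."""
    return ip_address(pkt["src"]) in LAN1 and ip_address(pkt["dst"]) in LAN2

def evaluate(pkt, rules):
    """Return (source address after NAT, whether the tunnel policy still matches)."""
    after = postrouting(pkt, rules)
    return after["src"], tunnel_selector_matches(after)

# The rule as posted (remote LAN excluded) versus a plain masquerade of everything.
RULES_WITH_EXCLUSION = [snat_rule(LAN1, LAN2, "eth0", FW1_EXTERNAL)]
RULES_WITHOUT_EXCLUSION = [snat_rule(LAN1, None, "eth0", FW1_EXTERNAL)]

if __name__ == "__main__":
    to_lan2 = {"src": "192.168.1.10", "dst": "192.168.2.20", "out_if": "eth0"}
    to_internet = {"src": "192.168.1.10", "dst": "198.51.100.7", "out_if": "eth0"}
    for name, rules in (("with -d ! exclusion", RULES_WITH_EXCLUSION),
                        ("without exclusion", RULES_WITHOUT_EXCLUSION)):
        print(name, "lan2:", evaluate(to_lan2, rules), "internet:", evaluate(to_internet, rules))
```

With the exclusion the LAN-to-LAN packet keeps 192.168.1.10 as its source and the tunnel policy matches; without it the source becomes 203.0.113.1 and the policy no longer applies, while ordinary internet-bound traffic is SNATed in both cases.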



This archive was generated by hypermail 2.1.5 : Thu Oct 17 2002 - 05:20:27 CEST