Hello IPFilter list,
I'd like some advice on the following scenario:
as you can see from the diagram below, I'm running an IPsec + IKE tunnel between
the client and the FW.
What should my NAT rules on the external interface (rf0) of the FW look like?
I don't need or want any NAT on rf1.
Currently, here's what I'm seeing in the logs:
ip.tun0 @-1:-1 p 1.1.1.2 -> 72.5.124.61 PR icmp len 20 92 icmp unreach/needfrag for 72.5.124.61,80 - 1.1.1.2,32815 PR tcp len 20
...among other things. Needless to say, communication with the outside world
does not work.
And since I'm allowing traffic from ip.tun0 to any, this does not seem to be
an ipf.conf problem.
My NAT is wrong, but I don't know in which way. What do I put into
ipnat.conf to get the VPN client to be able to communicate with the outside
world via the FW?
Currently I have:
map rf0 1.1.0.0/16 -> 0/32 portmap tcp/udp auto
map rf0 1.1.0.0/16 -> 0/32
(IPFilter rev. is 3.4.35 (496) on Solaris 9 SPARC.)
Internet
|
ADSL (performs NAT to a public IP)
|
+-----+-----+
|192.168.1.2|
|rf0 |
+-----------+
inside
FW
+---------+
| ip.tun0 |
| 1.1.1.1 |
+---------+ WDMZ FW
| 1.2.3.4 | interface
| rf1 |
+----+----+
     |
ESP  |  IPsec / IKE
     |
+----+----+
| rtls0 |
| 1.2.3.5 |
+---------+
| 1.1.1.2 |
| ip.tun0 |
+---------+
^
|
default route
is 1.1.1.2
on ip.tun0
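An added example (mine, not part of the original message and not an IPFilter tool): a small Python parser for ipmon log lines in the layout the post quotes, which pulls the embedded original header out of an ICMP "unreach/needfrag" error. ipmon writes that inner packet as "for src,port - dst,port PR proto", so the line quoted above describes a TCP segment 72.5.124.61:80 -> 1.1.1.2:32815 that did not fit. The first sample line is the one from the post; the second (a blocked TCP SYN on rf0) is constructed, and the optional "date time" prefix handling, the field names and the helper names are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: line 1 is the ipmon line quoted in the post,
# line 2 is a made-up blocked TCP SYN on rf0 in the same layout.
SAMPLE_LOG = """\
ip.tun0 @-1:-1 p 1.1.1.2 -> 72.5.124.61 PR icmp len 20 92 icmp unreach/needfrag for 72.5.124.61,80 - 1.1.1.2,32815 PR tcp len 20
rf0 @0:3 b 10.0.0.9,1025 -> 72.5.124.61,80 PR tcp len 20 60 -S IN
"""

# Layout assumed from the post: [date time] iface @group:rule action
# src[,port] -> dst[,port] PR proto len hdrlen totlen <trailer>
_HEAD = re.compile(
    r"^(?:\d\S*\s+\d\S*\s+)?"                      # optional "dd/mm/yyyy hh:mm:ss.uuuuuu"
    r"(?P<iface>\S+)\s+@(?P<group>-?\d+):(?P<rule>-?\d+)\s+(?P<action>[A-Za-z])\s+"
    r"(?P<src>[0-9.]+)(?:,(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9.]+)(?:,(?P<dport>\d+))?\s+"
    r"PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)\s*(?P<rest>.*)$"
)
# Trailer for ICMP errors: "icmp <kind> for osrc[,port] - odst[,port] PR oproto ..."
_ICMP = re.compile(
    r"^icmp\s+(?P<kind>\S+)\s+for\s+"
    r"(?P<osrc>[0-9.]+)(?:,(?P<osport>\d+))?\s+-\s+"
    r"(?P<odst>[0-9.]+)(?:,(?P<odport>\d+))?\s+PR\s+(?P<oproto>\w+)"
)


@dataclass
class IcmpDetail:
    kind: str                # e.g. "unreach/needfrag"
    osrc: str                # source of the packet the ICMP error is about
    osport: Optional[int]
    odst: str
    odport: Optional[int]
    oproto: str


@dataclass
class LogEntry:
    iface: str
    group: int
    rule: int
    action: str              # 'p' passed, 'b' blocked, 'n' no match
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str
    hlen: int                # IP header length in bytes
    plen: int                # total packet length in bytes
    icmp: Optional[IcmpDetail]
    trailer: str


def _port(s: Optional[str]) -> Optional[int]:
    return int(s) if s is not None else None


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one ipmon line; returns None for lines not in the assumed layout."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    icmp = None
    if m.group("proto") == "icmp":
        im = _ICMP.match(rest)
        if im:
            icmp = IcmpDetail(im.group("kind"), im.group("osrc"), _port(im.group("osport")),
                              im.group("odst"), _port(im.group("odport")), im.group("oproto"))
    return LogEntry(m.group("iface"), int(m.group("group")), int(m.group("rule")),
                    m.group("action"), m.group("src"), _port(m.group("sport")),
                    m.group("dst"), _port(m.group("dport")), m.group("proto"),
                    int(m.group("hlen")), int(m.group("plen")), icmp, rest)


def needfrag_events(log_text: str, iface: Optional[str] = None) -> List[LogEntry]:
    """ICMP 'fragmentation needed' errors seen by ipmon, optionally on one interface."""
    found = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e.icmp and e.icmp.kind == "unreach/needfrag":
            if iface is None or e.iface == iface:
                found.append(e)
    return found


def describe(e: LogEntry) -> str:
    """Human-readable summary: who sent the ICMP error and which flow it refers to."""
    if not e.icmp:
        return f"{e.iface}: {e.action} {e.proto} {e.src} -> {e.dst}"
    d = e.icmp
    return (f"{e.iface}: ICMP {d.kind} from {e.src} about {d.oproto} "
            f"{d.osrc}:{d.osport} -> {d.odst}:{d.odport}")


if __name__ == "__main__":
    for ev in needfrag_events(SAMPLE_LOG, iface="ip.tun0"):
        print(describe(ev))
```

A needfrag error logged on the tunnel interface is a path-MTU symptom: ESP adds header overhead, so ip.tun0 has a smaller MTU than the physical link, and a large reply that cannot be fragmented triggers exactly this error. It is worth separating that from the NAT question, since `map rf0 1.1.0.0/16 -> 0/32` already uses rf0's own address as the translation target.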