I had a problem which I fixed in a way I haven't seen reference to. Thanks to Charles Steinkuehler of LEAF for assistance.

I have an Eiger router with IPSec and an NT Proxy server, each with a DSL connection, each routing to the inside LAN. On the inside is a mail server and an AS400, which road warriors need to access thru VPN.

               DSL                  DSL
                |                    |
              Proxy             Linux Router
              Server             IPSec VPN
            123.x.x.1            123.x.x.2
                |     123.x.x.0/24   |
        --------------------------------------------------------------
                |                    |
               mail                as400

The problem is that the Proxy server is the default gateway. So requests which pass thru the Linux router respond thru the Proxy Server unencrypted. I didn't want to burden my Linux Router with a proxy to solve this.

Solution: Masquerade external to internal on the Linux router

    ipchains -A forward -j MASQ -p all -s ! 123.x.x.0/24 -d 123.x.x.0/24

This of course causes the mail server to respond to the correct router.

What is SO COOL is that ipsec de-encapsulates before passing to the forward chain, THEN the response is seen by NAT, unmangled correctly, THEN the ipsec routing table sees the destination address (the road warrior) and says "that's mine", encapsulates and puts it back on the output chain. Try that on Windows.

Of course this will work fine in any dual router situation; it doesn't have anything to do with IPSec.

Warning to IPSec users: IF you specify leftfirewall=yes, the clever fellows at FreeS/Wan make a hole in your firewall for VPN traffic. They do this in the _updown script. Problem is they INSERT forwarding rules rather than ADD them. So when a connection comes up, my MASQ rule above gets superseded by their ACCEPT rule. I just patched _updown.

Well, hope this helps someone someday.

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
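The ordering problem described in the post (an _updown ACCEPT rule inserted at the head of the forward chain beats a MASQ rule appended with -A) comes down to ipchains first-match semantics. The following is an added illustration, not code from the post, from LEAF or from FreeS/WAN: it models a first-match forward chain, loads the post's MASQ rule, and then shows the verdict for an inbound road-warrior packet depending on whether the VPN ACCEPT rule was inserted (-I) or appended (-A). The LAN 192.0.2.0/24, the road-warrior address 198.51.100.7 and the mail host 192.0.2.25 are constructed stand-ins for the post's 123.x.x.0/24 network; the exact match fields of the _updown rule are an assumption.

```python
"""Model of ipchains first-match evaluation on the forward chain.

Added illustration only. Networks and hosts are constructed stand-ins:
192.0.2.0/24 plays the post's 123.x.x.0/24, 198.51.100.7 is a road
warrior, 192.0.2.25 is the inside mail server.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

LAN = ip_network("192.0.2.0/24")            # stand-in for 123.x.x.0/24
ROAD_WARRIOR = ip_address("198.51.100.7")   # constructed remote VPN peer
MAIL = ip_address("192.0.2.25")             # constructed inside mail host


@dataclass
class Rule:
    target: str                      # "MASQ" or "ACCEPT"
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    src_negated: bool = False        # ipchains "-s ! net"

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        if self.src is not None:
            in_net = src in self.src
            # With "-s ! net" the rule matches only when src is NOT in net
            if in_net == self.src_negated:
                return False
        if self.dst is not None and dst not in self.dst:
            return False
        return True


class Chain:
    """First matching rule decides the verdict, as in ipchains."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def append(self, rule: Rule) -> None:   # ipchains -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # ipchains -I: goes to position 1
        self.rules.insert(0, rule)

    def verdict(self, src: IPv4Address, dst: IPv4Address, policy: str = "ACCEPT") -> str:
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.target
        return policy


# The post's rule: ipchains -A forward -j MASQ -p all -s ! LAN -d LAN
MASQ_RULE = Rule("MASQ", src=LAN, src_negated=True, dst=LAN)

# Assumed shape of the hole _updown punches for the peer (leftfirewall=yes):
# a forward ACCEPT from the road warrior's address into the LAN.
UPDOWN_RULE = Rule("ACCEPT", src=ip_network(f"{ROAD_WARRIOR}/32"), dst=LAN)


def verdict_with_updown_inserted() -> str:
    """-I places the ACCEPT rule ahead of MASQ, so MASQ never fires."""
    chain = Chain()
    chain.append(MASQ_RULE)
    chain.insert(UPDOWN_RULE)
    return chain.verdict(ROAD_WARRIOR, MAIL)


def verdict_with_updown_appended() -> str:
    """-A keeps MASQ first, so the inbound VPN packet is still masqueraded."""
    chain = Chain()
    chain.append(MASQ_RULE)
    chain.append(UPDOWN_RULE)
    return chain.verdict(ROAD_WARRIOR, MAIL)


def verdict_lan_to_lan() -> str:
    """Inside-to-inside traffic never matches the negated source, so no MASQ."""
    chain = Chain()
    chain.append(MASQ_RULE)
    return chain.verdict(ip_address("192.0.2.50"), MAIL)


if __name__ == "__main__":
    print("_updown rule inserted (-I):", verdict_with_updown_inserted())
    print("_updown rule appended (-A):", verdict_with_updown_appended())
    print("LAN to LAN:", verdict_lan_to_lan())
```

The practical check on a real box is to list the forward chain (ipchains -L forward) after a tunnel comes up and confirm the MASQ rule still sits above the per-connection ACCEPT; if it does not, the reply to the road warrior leaves with its inside source address and follows the default gateway out of the proxy in the clear, which is exactly the symptom the post started from.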