Hello,

I've set up a VPN tunnel with public IPs to the default route.

# netstat -rnf encap
Routing tables

Encap:
Source             Port  Destination        Port  Proto  SA(Address/Proto/Type/Direction)
172.16.15.6/32     0     172.16.16.6/32     0     0      172.16.15.6/esp/use/in
172.16.16.6/32     0     172.16.15.6/32     0     0      172.16.15.6/esp/require/out
default            0     193.189.180.128/27 0     0      172.16.15.6/esp/use/in
193.189.180.128/27 0     default            0     0      172.16.15.6/esp/require/out

Everything works as expected; all hosts in my network have access to the
internet. The only thing I am not sure about is how to set up NAT. What is
my external interface in this example: bge0 as the ethernet interface, or enc0?

nat on enc0 from $int_if:network to any -> 193.189.180.129

Diagram:

193.189.180.129/27 (em1)
      hostA 172.16.16.6 (bge0) -> VPN -> hostB -> default route
10.1.1.11 (bge1)

/etc/mygate points to 193.189.180.129

Debug section:

Ping from LAN looks on hostA as:

# tcpdump -i bge1 icmp
tcpdump: listening on bge1, link-type EN10MB
10:30:14.902581 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
10:30:15.912678 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
10:30:16.922770 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
10:30:17.932853 10.1.1.104 > fk-in-f99.google.com: icmp: echo request

enc0 and bge0 show nothing, so packets are not getting there.

# tcpdump -i em1 icmp
tcpdump: listening on em1, link-type EN10MB
10:35:52.650165 10.1.1.104 > fk-in-f104.google.com: icmp: echo request
10:35:53.660104 10.1.1.104 > fk-in-f104.google.com: icmp: echo request
10:35:54.670196 10.1.1.104 > fk-in-f104.google.com: icmp: echo request
10:35:55.680285 10.1.1.104 > fk-in-f104.google.com: icmp: echo request

ICMP ends up on the wrong interface. If I remove my default route:

route -qn delete default 193.189.180.129

# tcpdump -i bge1 icmp
tcpdump: listening on bge1, link-type EN10MB
10:46:46.103245 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
10:46:46.103255 10.1.1.11 > 10.1.1.104: icmp: host fk-in-f99.google.com unreachable
10:46:47.113334 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
10:46:47.113344 10.1.1.11 > 10.1.1.104: icmp: host fk-in-f99.google.com unreachable
10:46:48.123425 10.1.1.104 > fk-in-f99.google.com: icmp: echo request
10:46:48.123434 10.1.1.11 > 10.1.1.104: icmp: host fk-in-f99.google.com unreachable

It looks like hostA is missing that route now? What should I set as the
default gateway and NAT to send packets out the right interface?

Regards,
Mitja