Johan Hedin wrote:
Hi
I need help with our IPsec setup. We have an internal net
192.168.1.0/24. We have IPsec to a customer on net 10.92.0.0/16.
However, they already used the 192.168.1.0 net, so the IPsec tunnel is
to 10.84.230.0/28. I have set up 10.84.230.1 on the internal network
interface (hme3), and added a manual route to 10.92.0.0/16 via
10.84.230.1. All works perfectly on the firewall. On the internal net,
however, I cannot reach the 10.92 net. I have tried to NAT 192.168.1.0
via 10.84.230.1. NAT works, but the packets are thrown back out on hme3
with 10.84.230.1 as source address, and not via enc0 as I want. How would
one solve this?
TIA
Johan Hedin
CTO eCare AB
Hi,
this has been discussed here before.
From the man page:
---
NAT can also be applied to enc# interfaces, but special care should be
taken because of the interactions between NAT and the IPsec flow
matching, especially on the packet output path. Inside the TCP/IP
stack, packets go through the following stages:
UL/R -> [X] -> PF/NAT(enc0) -> IPsec -> PF/NAT(IF) -> IF
UL/R <- PF/NAT(enc0) <- IPsec <- PF/NAT(IF) <- IF
With IF being the real interface and UL/R the Upper Layer or Routing
code. The [X] stage on the output path represents the point where the
packet is matched against the IPsec flow database (SPD) to determine if
and how the packet has to be IPsec-processed. If, at this point, it is
determined that the packet should be IPsec-processed, it is processed by
the PF/NAT code. Unless PF drops the packet, it will then be
IPsec-processed, even if the packet has been modified by NAT.
---
What I do for this is have my VPN server in a DMZ:
                 EVIL
               INTERNET
               /      \
              /        \
            em0        em0
         +------+    +-------+
         |  fw  |em1--DMZ--em1|  vpn  |
         +------+    +-------+
            |
           em2
     Internal networks
Outbound traffic to your customer gets NATed on em1 of fw.
Inbound traffic from your customer gets NATed on em1 of vpn.
This may or may not be 'correct' but it works here, and it is pretty simple.
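As an added illustration of the DMZ layout described in the reply above (not configuration posted by either participant), here is one way the two NAT points could be expressed in classic (pre-OpenBSD 4.7) pf.conf syntax. The addresses 192.168.1.0/24, 10.92.0.0/16 and 10.84.230.0/28 come from Johan's mail; the interface names follow the diagram; numbering the DMZ as 10.84.230.0/28 and the specific host addresses 10.84.230.1 (vpn) and 10.84.230.2 (fw) are assumptions made for the example.

```pf
# Added example, not from the thread. Assumptions: fw's em1 and vpn's em1
# share the DMZ, which is numbered as the tunnel's local net 10.84.230.0/28;
# fw em1 = 10.84.230.2, vpn em1 = 10.84.230.1; fw has a static route for
# 10.92.0.0/16 via 10.84.230.1; the IPsec flow on vpn covers
# 10.84.230.0/28 <-> 10.92.0.0/16 so no NAT is applied on enc0 at all.

# ---------- /etc/pf.conf on fw ----------
# Internal hosts reach the customer as fw's DMZ address, so the customer
# side never sees the overlapping 192.168.1.0/24.
int_net   = "192.168.1.0/24"
cust_net  = "10.92.0.0/16"
fw_dmz_ip = "10.84.230.2"

nat on em1 from $int_net to $cust_net -> $fw_dmz_ip
pass in  on em2 from $int_net   to $cust_net keep state
pass out on em1 from $fw_dmz_ip to $cust_net keep state

# ---------- /etc/pf.conf on vpn ----------
# Customer traffic leaving the tunnel toward the DMZ is rewritten to vpn's
# DMZ address, so DMZ hosts (and fw) answer straight back to the vpn box
# without needing their own routes for 10.92.0.0/16.
vpn_dmz_ip = "10.84.230.1"

nat on em1 from 10.92.0.0/16 to 10.84.230.0/28 -> $vpn_dmz_ip
pass in  on enc0 from 10.92.0.0/16 to 10.84.230.0/28 keep state
pass out on em1  from $vpn_dmz_ip  to 10.84.230.0/28 keep state
```

The point the man page excerpt makes is preserved by this layout: because NAT happens on a real interface (em1) of a box other than the one doing the IPsec processing, the flow database lookup on vpn only ever sees DMZ and customer addresses, and the output-path ordering of NAT(enc0) versus the SPD match never comes into play.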