Jan van der Vyver wrote:
> I am trying to ssh from a machine (192.168.10.198) behind machine A
> (192.168.10.200) to 192.168.20.33.
>
> Between machine A and machine B there is an ipsec vpn.
> Config for this vpn:
>
> conn in2one-to-adept
>     type=tunnel
>     connaddrfamily=ipv4
>     left=196.44.33.190
>     leftnexthop=%direct
>     leftsubnet=192.168.20.0/24
>     [EMAIL PROTECTED]
>     leftrsasigkey=bla
>     right=196.44.33.114
>     rightnexthop=%direct
>     rightsubnet=192.168.10.0/24
>     [EMAIL PROTECTED]
>     rightrsasigkey=bla
>     auto=start
>
> Then machine B must rewrite any packets (on all ports) to 192.168.20.33, the
> destination to 192.168.241.65 and the source to 196.44.33.118
>
> Between machine B and C is an ipsec vpn:
> Config:
>
> conn obw
>     type=tunnel
>     connaddrfamily=ipv4
>     left=196.44.33.190
>     leftnexthop=%direct
>     leftsubnet=196.44.33.118/32
>     right=168.167.251.89
>     rightnexthop=%direct
>     rightsubnet=192.168.241.65/32
>     rightid=193.219.215.3
>     authby=secret
>     esp=3des-md5-96
>     #esp=3des-md5
>     keyexchange=ike
>     pfs=no
>     auto=start
>
> If I ssh from machine B with the following:
>
> ssh -b 196.44.33.118 [EMAIL PROTECTED]
>
> It works.
>
> If I ssh from 192.168.10.198 then the following is seen on machine B's
> syslog
>
>> Shorewall:net_dnat:DNAT:IN=eth0 OUT=
>> MAC=00:13:72:3f:74:20:00:12:00:6c:ea:d0:08:00 SRC=192.168.10.198
>> DST=192.168.20.33 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=42453 DF
>> PROTO=TCP
>> SPT=60171 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>> Oct 9 20:58:16 neon kernel: [43844718.340000] Shorewall:net2all:DROP:IN=eth0 OUT=eth0
>> SRC=192.168.10.198
>> DST=192.168.241.65 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=42453 DF
>> PROTO=TCP
>> SPT=60171 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
>
> Hope this makes it more clear.
>
Ok. You do not have IPSEC policy match enabled (although your kernel is new
enough to support it). You must enable it if you want this to work; then
follow the instructions in http://www.shorewall.net/IPSEC-2.6.html.

Without policy match, SNAT rules are not applied until after the traffic is
encrypted and encapsulated; by that time, it is too late to change the
original SOURCE IP address.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
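An added example, not from the thread or from Shorewall: a short Python parser that correlates the two Shorewall log lines quoted above by source address, IP ID and source port, so the packet's path through machine B (destination rewritten by DNAT, source still unchanged, then forwarded back out eth0 and dropped in net2all) can be read off the logs rather than guessed. The "Shorewall:<chain>:<disposition>:" prefix and the KEY=VALUE fields are taken from the lines on this page; the sample input below is those same two lines, embedded as constructed input.

```python
import re
from collections import defaultdict

# The two netfilter log lines quoted in the thread (the first one lost its
# syslog timestamp prefix in the archive); they serve as constructed input.
SAMPLE_LOG = """\
Shorewall:net_dnat:DNAT:IN=eth0 OUT= MAC=00:13:72:3f:74:20:00:12:00:6c:ea:d0:08:00 SRC=192.168.10.198 DST=192.168.20.33 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=42453 DF PROTO=TCP SPT=60171 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 9 20:58:16 neon kernel: [43844718.340000] Shorewall:net2all:DROP:IN=eth0 OUT=eth0 SRC=192.168.10.198 DST=192.168.241.65 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=42453 DF PROTO=TCP SPT=60171 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by the
# usual netfilter KEY=VALUE fields (flags such as DF or SYN carry no '=').
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<fields>.*)")

def parse_line(line):
    """Return a dict of chain, action and KEY=VALUE fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "action": m.group("action")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val
    return rec

def trace_packets(text):
    """Group records by (SRC, IP ID, SPT): the same packet seen at each hook."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            flows[(rec["SRC"], rec.get("ID"), rec.get("SPT"))].append(rec)
    return dict(flows)

def diagnose(hops):
    """Report what the firewall did to a packet between a DNAT and a DROP log."""
    dnat = next((h for h in hops if h["action"] == "DNAT"), None)
    drop = next((h for h in hops if h["action"] == "DROP"), None)
    if dnat is None or drop is None:
        return None
    return {
        "dst_rewritten": (dnat["DST"], drop["DST"]),  # DNAT did take effect
        "src_unchanged": dnat["SRC"] == drop["SRC"],  # no SNAT before the drop
        "forwarded": (drop["IN"], drop["OUT"]),        # in and out the same NIC
        "dropped_in": drop["chain"],
    }
```

For the quoted lines this reports the destination rewritten from 192.168.20.33 to 192.168.241.65 while the source is still 192.168.10.198 and the packet went eth0 to eth0, i.e. it never matched the 196.44.33.118/32 selector of conn obw.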
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users