On Wed, 2007-09-12 at 16:48 +0100, Keith Edmunds wrote:

> However, we want to be able to establish a VPN connection from
> a LAN client by specifying the external IP address of the
> server.

This sounds suspiciously like Shorewall FAQ 2. Do you want to do that simply because you don't want to go to the effort of setting up split DNS?

> Despite SNAT being in place and working, attempts to
> establish a VPN connection to the external server address
> fail, and looking at the logs, pluto (the IPsec server) is
> reporting the connection as coming from the client's
> 192.168.0.0/24 address.

Good -- because that's where it is coming from.

> I suspect the setup of the VPN is
> failing because the client is sending TO the external IP
> address and receiving reply packets BACK from the
> 192.168.0.1 address.

I suspect that is not the cause -- but it could be verified by looking at packet traces.

> I am sure there must be a way of having NAT work within the
> server from one interface to another,

There is not. The SOURCE IP address may only be altered in the mangle table's POSTROUTING chain, which is not traversed by traffic addressed to the firewall itself.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA     \ [EMAIL PROTECTED]
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
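The traversal argument in Tom's reply, as an added model that is not part of the original thread or of Shorewall: the firewall's own addresses (192.168.0.1 on the LAN, 203.0.113.5 assumed as the external address) and the remote host 198.51.100.7 are constructed values. A packet routed to a local address only visits PREROUTING and INPUT, so the source rewrite in POSTROUTING never applies to it, and pluto sees the LAN source; a forwarded packet does reach POSTROUTING and gets its source rewritten.

```python
"""Model of Netfilter chain traversal for the case discussed in the thread.

Constructed example: firewall with LAN address 192.168.0.1 and an assumed
external address 203.0.113.5. The SNAT rule sits in the POSTROUTING hook,
which only packets leaving the box traverse, so traffic addressed to the
firewall itself reaches the local process with its source unchanged.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

FIREWALL_ADDRS = {ip_address("192.168.0.1"), ip_address("203.0.113.5")}
LAN = ip_network("192.168.0.0/24")
EXTERNAL_IP = "203.0.113.5"  # assumed external address of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def snat_postrouting(pkt: Packet) -> Packet:
    """The thread's SNAT rule: rewrite LAN sources to the external address."""
    if ip_address(pkt.src) in LAN:
        return replace(pkt, src=EXTERNAL_IP)
    return pkt


def traverse(pkt: Packet) -> tuple[list[str], Packet]:
    """Return the chains visited and the packet as its final consumer sees it."""
    chains = ["PREROUTING"]
    if ip_address(pkt.dst) in FIREWALL_ADDRS:
        # Routing decision: local delivery. Only INPUT follows; POSTROUTING is
        # never hit, so the daemon (pluto here) sees the original LAN source.
        chains.append("INPUT")
        return chains, pkt
    # Forwarded traffic: FORWARD, then POSTROUTING where SNAT rewrites the source.
    chains += ["FORWARD", "POSTROUTING"]
    return chains, snat_postrouting(pkt)


if __name__ == "__main__":
    for dst in (EXTERNAL_IP, "198.51.100.7"):
        path, seen = traverse(Packet("192.168.0.10", dst))
        print(" -> ".join(path), "| consumer sees src", seen.src)
```

Running it prints the two paths side by side: the connection to the firewall's external address keeps src 192.168.0.10, which is exactly what the pluto log in the thread reports.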
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
