On 2007-10-05 10:36, Christian Vieser wrote:
> Hi all,
>
> I set up an IPSEC tunnel according to the tutorial at
> http://www.shorewall.net/IPSEC-2.6.html. In the following I will refer
> to the picture and rules there.
>
> The company at side B now wants that all clients from side A appear to
> have a single address, say 192.168.200.1. So the question is, what entry
> in /etc/shorewall/masq is needed to translate all originating requests
> from subnet 192.168.1.0/24 to this address, before the traffic will go
> through the IPSEC tunnel. And what has to be changed in the IPSEC/racoon
> config for this?
>
Extracted from working shorewall 2.2.x installation (should not be
different in newer versions):

# file: masq
#INTERFACE                 SUBNET            ADDRESS
eth0::$B_SIDE_IP_RANGE     192.168.1.0/24    192.168.200.1
# put other masq entries with 192.168.1.0/24 as a subnet below if needed

Most likely you need to turn off route filtering (for example
ROUTE_FILTER=No in shorewall.conf).
IPSec tunnel must be established between 192.168.200.1/32 and
$B_SIDE_IP_RANGE. I use Openswan, not ipsec-tools, so I can't give exact
config entries. It should be enough, if your configuration does not
contain any specific, conflicting elements.

Greetings.
--
Artur
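
An added example, not part of either message and not taken from the Shorewall tutorial: what the ipsec-tools side of the reply above could look like in setkey syntax, with the security policies keyed on the translated address rather than the LAN subnet. The gateway addresses 203.0.113.1 (side A) and 198.51.100.1 (side B) and the range 10.0.0.0/8 standing in for $B_SIDE_IP_RANGE are constructed placeholders.

```conf
#!/usr/sbin/setkey -f
# Constructed example (assumed addresses):
#   side A gateway   203.0.113.1
#   side B gateway   198.51.100.1
#   side B range     10.0.0.0/8      (stands in for $B_SIDE_IP_RANGE)
#   SNAT address     192.168.200.1   (from the masq entry in the reply)

flush;
spdflush;

# Before NAT the policy selected the real LAN, so side B saw every client:
#   spdadd 192.168.1.0/24 10.0.0.0/8 any -P out ipsec
#       esp/tunnel/203.0.113.1-198.51.100.1/require;

# With the masq entry in place, packets already carry source 192.168.200.1
# when the IPsec policy lookup happens, so the selectors must use that /32.
spdadd 192.168.200.1/32 10.0.0.0/8 any -P out ipsec
    esp/tunnel/203.0.113.1-198.51.100.1/require;

spdadd 10.0.0.0/8 192.168.200.1/32 any -P in ipsec
    esp/tunnel/198.51.100.1-203.0.113.1/require;

# Any "sainfo address ..." selector in racoon.conf has to name
# 192.168.200.1/32 in the same way, and side B must mirror these
# selectors, or phase 2 negotiation will not match.
```

After loading the policies, `setkey -DP` lists the installed selectors; a remaining entry for 192.168.1.0/24 toward side B means un-translated traffic could still match a tunnel policy and expose the internal addressing.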
