João Kuchnier wrote:
> 2009/6/10 Tom Eastep <teas...@shorewall.net <mailto:teas...@shorewall.net>>
>
> > João Kuchnier wrote:
> > > Tom,
> > >
> > > Thanks for your help. I managed to configure the IPSec connection through
> > > the firewall using the rules specified at http://www.shorewall.net/VPN.htm
> > > with NAT traversal.
> > >
> > > Now, my only problem is using shorewall on the VPN Server. Are the rules I
> > > mentioned before correct?
> > >
> > > RULES
> > > DNAT all net:192.168.1.xxx udp 2000
> > > DNAT all net:192.168.1.xxx udp 2010
> > > DNAT all net:192.168.1.xxx tcp 2004
> > >
> > > I need to NAT specific packets coming from the VPN connection to another
> > > two servers. These servers need to respond to these packets using the ipsec
> > > tunnel.
> >
> > I'm sorry but I'm completely confused about what you are trying to do.
> > So I can't say whether those rules are correct or not.
>
> --> Sorry, I will try to explain better...
>
> > It looks to me like you are trying to use routing/DNAT to 'help' IPSEC
> > where IPSEC could probably do what you want by itself. It strikes me
> > that 192.168.1.xxx will probably send its responses to the redirected
> > requests back through your main firewall rather than through the VPN
> > server which, of course, won't work.
>
> --> Yes, something like this. The firewall running on the openswan
> server (only one interface), besides accepting every connection, will NAT
> three types of connections to two different servers. On these two
> servers, I created two routes for them to respond to VPN incoming packets.
> The gateway for these routes is the openswan server.
>
> Routes on one of the other servers on the dmz...
> 192.168.102.0   192.168.1.224   255.255.255.0   UG   0   0   0   eth2
> 10.201.136.0    192.168.1.224   255.255.248.0   UG   0   0   0   eth2
>
> Do you think the request response can get through the vpn connection?
I don't know. I still don't understand why you have this complicated
configuration with multiple tunnels and DNAT on two different systems.
There has to be a better way, but none of us reading this thread can
figure out what it is you are really trying to accomplish. So I can only
advise you to try the connection and see what happens.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
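The return-path question Tom raises above (will the DMZ host's replies leave via the openswan box or via the main firewall?) comes down to the DMZ host's routing table. The following is an added example, not code from the thread or from Shorewall: a longest-prefix-match lookup over the two routes João quoted, plus an assumed default route via a main firewall at 192.168.1.1, that reports which VPN client addresses would get replies routed away from the VPN gateway. Function names and the default gateway are assumptions.

```python
# Added example: check the DMZ host's return path for replies to VPN clients.
# Routes 192.168.102.0/24 and 10.201.136.0/21 via 192.168.1.224 are the ones
# quoted in the thread (255.255.248.0 is a /21). The default route via
# 192.168.1.1 is an ASSUMPTION standing in for the main firewall.
import ipaddress

DMZ_ROUTES = [
    ("192.168.102.0/24", "192.168.1.224", "eth2"),  # from the thread
    ("10.201.136.0/21", "192.168.1.224", "eth2"),   # from the thread
    ("0.0.0.0/0", "192.168.1.1", "eth2"),           # assumed main-firewall default
]

VPN_GATEWAY = "192.168.1.224"  # the openswan server, per the thread


def _parse(routes):
    return [(ipaddress.ip_network(net), ipaddress.ip_address(gw), dev)
            for net, gw, dev in routes]


def next_hop(dst, routes=DMZ_ROUTES):
    """Pick the gateway the kernel would use: longest matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dev in _parse(routes):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return str(best[1]), best[2]


def asymmetric_replies(client_ips, vpn_gw=VPN_GATEWAY, routes=DMZ_ROUTES):
    """Return the client addresses whose replies would NOT go back through the
    VPN gateway. After DNAT on the openswan box the DMZ host sees the VPN
    client's real source address, so its reply must route back via the same
    box or it never re-enters the IPSec tunnel."""
    return [ip for ip in client_ips if next_hop(ip, routes)[0] != vpn_gw]


if __name__ == "__main__":
    # Constructed sample clients: two inside the quoted routes, one outside.
    for ip in ["192.168.102.7", "10.201.140.9", "10.201.150.3"]:
        print(ip, "->", next_hop(ip))
    print("replies that bypass the VPN gateway:",
          asymmetric_replies(["192.168.102.7", "10.201.150.3"]))
```

Any address the function lists would need a route via the openswan box added on the DMZ host before DNAT through the VPN server can work.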
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users