Michael Weickel - iQom Business Services GmbH wrote:
> Dear shorewall users,
> 
> I have an OPENSWAN vpn between two shorewalls. Everything is up and running
> and working fine. 
> 
> First I will describe the topology. 
> 
> Left: 1.1.1.1
> Leftsubnet:192.168.1.0/24
> Right: 2.2.2.2
> Rightsubnet: 192.168.2.0/24
> 
> The Left- and Rightsubnets are not directly (static) connected to the
> Shorewall but via a /30 subnet. So that means that Shorewall has no
> interface either in the Left- or Rightsubnet, but this doesn't play a role
> since routing makes it possible. 
> 
> My goal now is to talk from left to right to a nat ip (which should be
> configured on the Shorewall box right) which makes a DNAT to a host in the
> Rightsubnet. 
> 
> Since Openswan does not use tunnel interfaces I am a little lost. 
> 
> Let's say my NATIP should be 5.5.5.5 and it should be dnatted to 192.168.2.1
> 
> I added a DNAT rule to the right Shorewall which looks like
> 
> DNAT  ext-if          int-if:192.168.2.1      tcp     23      -
> 5.5.5.5
> 
> I tried to do this with configuring 5.5.5.5 on the ext-if as an alias and I
> tried it without, but it seems that the nat rule is not visible inside the
> tunnel, since if I telnet 5.5.5.5 through the tunnel I terminate at the
> Shorewall right itself instead of being natted to 192.168.2.1
> 
> Any help would be appreciated. 

1) Why do you need to DNAT at all? The left and right networks should be
   able to communicate using their native IP addresses! If not, you have
   done something wrong in your OpenSwan configuration.

2) Your DNAT rule appears to have interface names rather than zones. If
   you want to DNAT traffic from the left network then:

        - The SOURCE is the zone that you assign to the left network.
        - The ORIGINAL DESTINATION must be an address that the left
          network uses the tunnel to communicate with.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
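Added example (not part of the thread or of Shorewall's own documentation) of how Tom's two points translate into the right-hand Shorewall's configuration: the DNAT rule keys on a zone, not an interface, and the ORIGINAL DEST (5.5.5.5) has to be an address the left network already sends through the tunnel. The zone names `net`, `loc` and `vpn` are assumptions; `ext-if`, `int-if` and the addresses are taken from the original post.

```conf
# /etc/shorewall/zones  -- assumed zone names
#ZONE   TYPE
fw      firewall
net     ipv4        # Internet, reached on ext-if
loc     ipv4        # right LAN 192.168.2.0/24, routed behind int-if
vpn     ipv4        # left LAN 192.168.1.0/24, arriving over the IPsec SA

# /etc/shorewall/interfaces
#ZONE   INTERFACE   OPTIONS
net     ext-if
loc     int-if

# /etc/shorewall/hosts
# Traffic from the left network enters on ext-if but inside an IPsec SA;
# the 'ipsec' option is what lets Shorewall tell it apart from plain
# Internet traffic on the same interface and place it in the vpn zone.
#ZONE   HOST(S)                  OPTIONS
vpn     ext-if:192.168.1.0/24    ipsec

# /etc/shorewall/rules
# SOURCE is the zone of the left network (not an interface name), and
# ORIGINAL DEST is 5.5.5.5.  For this to match, 5.5.5.5 must also be
# covered by the Openswan policy (i.e. part of what the left side treats
# as the remote subnet), otherwise the left network never puts packets for
# 5.5.5.5 into the tunnel and the rule is never reached.
#ACTION SOURCE  DEST                 PROTO  DEST     SOURCE   ORIGINAL
#                                           PORT(S)  PORT(S)  DEST
DNAT    vpn     loc:192.168.2.1      tcp    23       -        5.5.5.5
```

The original rule `DNAT ext-if int-if:192.168.2.1 ...` fails because `ext-if` is not a zone; after `shorewall check` and `shorewall restart`, `shorewall show nat` should list the new rule matching destination 5.5.5.5 in the PREROUTING chain for the vpn zone.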
