Hi all, I am using shorewall 4.4.6 on an ipsec road warrior. I am trying to figure out how to configure so that traffic from a subnet of the road warrior is SNATted before being encrypted and routed into the ipsec tunnel. In essence I want to masquerade this subnet into the VPN.

The VPN for this road warrior is the default route, so all traffic from this road warrior should be directed into the ipsec tunnel. The ipsec tunnelling is managed by another piece of software, so I have zero ability to reconfigure it and I have zero ability to change the configuration of the remote end or the policy.

Here's some of what I have tried so far:

----- interfaces -----
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        -           dhcp
kvm     virbr0      -           dhcp

----- policy -----
#SOURCE   DEST   POLICY   LOG   LIMIT:   CONNLIMIT:
fw        net    ACCEPT
net       fw     DROP
fw        kvm    ACCEPT
net       kvm    DROP
fw        vpn    ACCEPT
kvm       vpn    ACCEPT
all       vpn    DROP
vpn       fw     ACCEPT
vpn       all    DROP
kvm       all    ACCEPT

----- zones -----
#ZONE   TYPE       OPTIONS   IN        OUT
#                            OPTIONS   OPTIONS
fw      firewall
net     ipv4
kvm     ipv4
vpn     ipsec

----- hosts -----
#ZONE   HOST(S)          OPTIONS
swan    eth0:0.0.0.0/0

----- masq -----
#INTERFACE   SOURCE   ADDRESS      PROTO   PORT(S)   IPSEC   MARK   USER/
virbr0       -        199.10.8.5   -       -         Yes

where virbr0 is the interface of the subnet I want to masq to the road warrior's assigned IP on the VPN (199.10.8.5).

Looking at the iptables rules, it does not seem to be triggering the SNAT though:

Chain POSTROUTING (policy ACCEPT 44 packets, 3151 bytes)
 pkts bytes target       prot opt in     out     source               destination
    1   328 virbr0_masq  all  --  *      virbr0  0.0.0.0/0            0.0.0.0/0

Chain virbr0_masq (1 references)
 pkts bytes target  prot opt in     out     source               destination
    0     0 SNAT    all  --  *      *       0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec to:199.10.8.5

As you can see there are no matches in the virbr0_masq chain. Ideas?

b.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
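Added example, not part of the original post: in the POSTROUTING listing above, virbr0_masq is hooked on packets with out=virbr0, because the first masq column names the outgoing interface, while the traffic to be SNATted leaves the box via eth0 before it is encrypted. A masq entry that hooks the chain on eth0 and selects the virbr0 network as SOURCE would read as follows; the subnet 192.168.122.0/24 is an assumed value, and the IPSEC column only matches if the VPN software installs kernel IPsec policies (the same "policy match dir out pol ipsec" the existing rule relies on) rather than routing through a tun/tap interface.

```text
# /etc/shorewall/masq (added example; assumes virbr0 serves 192.168.122.0/24)
#INTERFACE   SOURCE             ADDRESS      PROTO   PORT(S)   IPSEC   MARK   USER/GROUP
eth0         192.168.122.0/24   199.10.8.5   -       -         Yes
```

After reloading, the SNAT rule should sit in a chain that the POSTROUTING listing shows with out=eth0, and its counters should move when a host on virbr0 sends traffic into the VPN. If they stay at zero, the tunnel is most likely not kernel IPsec, and the entry should name the tunnel interface as INTERFACE without the IPSEC column.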