From: Sjei R. <sje...@ya...> - 2008-06-23 16:25:21
I'm trying to get a simple VPN going here. Essentially, I have 2 subnets: A (192.168.0.0/24) and B (192.168.1.0/24) on opposite ends of the VPN. Both subnets are NAT-ed and have 1 public static IP (X.X.X.X and Y.Y.Y.Y). See the attachment for a diagram.

This is how I'm setting up the VPN/NATs (all boxen are running on 2.6.24.4 Linux kernels with ipsec-tools 0.7):

###############################################
# VPN / NAT for subnet A:
###############################################
ifconfig eth0 192.168.0.1        # internal IP for subnet A
ifconfig eth1 X.X.X.X            # public IP for subnet A
echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw <ISP assigned gateway IP>

# setup NAT (POSTROUTING lives in the nat table, so -t nat is required)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# setup IPSEC tunnelling...
setkey -c <<EOF
flush;
spdflush;
add X.X.X.X Y.Y.Y.Y esp 0x201 -m tunnel
    -E 3des-cbc 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -A hmac-md5 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
add Y.Y.Y.Y X.X.X.X esp 0x301 -m tunnel
    -E 3des-cbc 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    -A hmac-md5 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB;
# NOTE: currently using X.X.X.X instead of
# 192.168.0.0 for the source IP due to the
# NAT issue
# (tunnel endpoints are local-remote for out policies,
#  remote-local for in policies)
spdadd X.X.X.X/16 192.168.1.0/24 any -P out ipsec
    esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
# NOTE: currently using Y.Y.Y.Y instead of
# 192.168.1.0 for the source IP due to the
# NAT issue
spdadd Y.Y.Y.Y/16 192.168.0.0/24 any -P in ipsec
    esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
EOF

#################################################
# VPN / NAT for subnet B:
#################################################
ifconfig eth0 192.168.1.1        # internal IP for subnet B
ifconfig eth1 Y.Y.Y.Y            # public IP for subnet B
echo 1 > /proc/sys/net/ipv4/ip_forward
route add default gw <ISP assigned gateway IP>

# setup NAT (POSTROUTING lives in the nat table, so -t nat is required)
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# setup IPSEC tunnelling...
setkey -c <<EOF
flush;
spdflush;
add X.X.X.X Y.Y.Y.Y esp 0x201 -m tunnel
    -E 3des-cbc 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    -A hmac-md5 0xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
add Y.Y.Y.Y X.X.X.X esp 0x301 -m tunnel
    -E 3des-cbc 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    -A hmac-md5 0xBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB;
# NOTE: currently using Y.Y.Y.Y instead of
# 192.168.1.0 for the source IP due to the
# NAT issue
# (tunnel endpoints are local-remote for out policies,
#  remote-local for in policies)
spdadd Y.Y.Y.Y/16 192.168.0.0/24 any -P out ipsec
    esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;
# NOTE: currently using X.X.X.X instead of
# 192.168.0.0 for the source IP due to the
# NAT issue
spdadd X.X.X.X/16 192.168.1.0/24 any -P in ipsec
    esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
EOF

With this setup, I'm able to have a host on subnet A connect to a host on subnet B. However, the host on subnet B shows the source address of the client as the public IP (X.X.X.X) instead of the internal one. I believe this is because the packets are NAT-ed first, then IPSEC encapsulated. Is there a way to reverse this behavior? i.e. IPSEC encapsulation first, then NAT.

Regards.
Sjei.
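The following is an added example and not part of the post or of any reply in the thread. It shows the usual way to get the effect the post asks for (private source addresses inside the tunnel) on a Linux/ipsec-tools gateway: rather than reordering NAT and IPsec, the site-to-site traffic is excluded from MASQUERADE with an ACCEPT rule placed ahead of it in the nat POSTROUTING chain, and the SPD is then written in terms of the real private subnets. A single function generates the configuration for either site from its own point of view, so the SA/SP directions cannot be transposed between the two gateways. The function names gen_site_config and check_site_config, and the RFC 5737 addresses 203.0.113.1 and 198.51.100.1 standing in for X.X.X.X and Y.Y.Y.Y, are this example's own; the manual-keyed setkey "add" lines from the post are left unchanged and are not regenerated here.

```shell
#!/bin/sh
# Added example (not from the original post). Emits the NAT + SPD part of a
# gateway's configuration as a script on stdout (dry run); review it and pipe
# it into sh as root to apply. Both sites call the same function with the
# local/remote arguments swapped.
#
# usage: gen_site_config LOCAL_PUB REMOTE_PUB LOCAL_NET REMOTE_NET PUB_IF
gen_site_config() {
    local_pub=$1 remote_pub=$2 local_net=$3 remote_net=$4 pub_if=$5

    # NAT: traffic from the local private subnet to the remote private subnet
    # is accepted untouched before MASQUERADE can rewrite it, so the packet
    # that gets ESP-encapsulated still carries its private source address.
    # -I inserts the exclusion at the head of the chain even when a
    # MASQUERADE rule is already installed.
    printf '%s\n' \
        "iptables -t nat -I POSTROUTING -o $pub_if -s $local_net -d $remote_net -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -o $pub_if -j MASQUERADE"

    # SPD: selectors are the private subnets on both sides. Tunnel endpoints
    # are local-remote for the out policy and remote-local for the in policy.
    cat <<EOF
setkey -c <<SETKEY
spdflush;
spdadd $local_net $remote_net any -P out ipsec esp/tunnel/$local_pub-$remote_pub/require;
spdadd $remote_net $local_net any -P in ipsec esp/tunnel/$remote_pub-$local_pub/require;
SETKEY
EOF
}

# Sanity check on a generated script: the ACCEPT exclusion must come before
# MASQUERADE, and the in policy must name the remote gateway first.
# usage: check_site_config SCRIPT LOCAL_PUB REMOTE_PUB   (returns 0 if ok)
check_site_config() {
    script=$1 local_pub=$2 remote_pub=$3
    accept_line=$(printf '%s\n' "$script" | grep -n -- '-j ACCEPT' | cut -d: -f1)
    masq_line=$(printf '%s\n' "$script" | grep -n -- '-j MASQUERADE' | cut -d: -f1)
    [ -n "$accept_line" ] && [ -n "$masq_line" ] && [ "$accept_line" -lt "$masq_line" ] || return 1
    printf '%s\n' "$script" | grep -qF -- "-P in ipsec esp/tunnel/$remote_pub-$local_pub/require" || return 1
    return 0
}

# Site A and site B are the same call with the arguments swapped. The RFC 5737
# documentation addresses are placeholders for X.X.X.X and Y.Y.Y.Y.
site_a=$(gen_site_config 203.0.113.1 198.51.100.1 192.168.0.0/24 192.168.1.0/24 eth1)
site_b=$(gen_site_config 198.51.100.1 203.0.113.1 192.168.1.0/24 192.168.0.0/24 eth1)
check_site_config "$site_a" 203.0.113.1 198.51.100.1 && printf '%s\n' "$site_a"
```

To apply on gateway A, run the generator with A's addresses and pipe the output into sh as root. Afterwards, `iptables -t nat -L POSTROUTING -v -n --line-numbers` should list the ACCEPT rule at line 1 with its packet counter increasing while a host on A talks to B, and `tcpdump -ni eth1 esp` on the public interface should show only ESP between the two gateways; the host on B then sees the client's 192.168.0.x address rather than X.X.X.X.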