From: Götz Babin-E. <g.b...@no...> - 2012-01-29 15:41:01
On 18.01.2012 22:41, Troy L. Yochelson wrote:
> Goetz: sorry for the delay...
>
> Looking at the diagram of your config, I see the following:
>
> RW Physical NIC IP (private): 10.10.10.128
> RW Router IP (private): 10.10.10.1
> RW Router IP (public): 1.2.3.4
> VPN Server IP (public): 1.2.3.5
> VPN Server IP (private): 192.168.1.1
> Local Host IP (private): 192.168.1.2
>
> What I don't see is the VPN Tunnel IP address that racoon hands out when RW
> initiates a connection inbound.
>
> How do your RW systems get an IP address from racoon?

Is that mandatory? Both ends use racoon 0.8.0, so there is no special tunnel device to assign an IP address to... Making a VPN tunnel address range mandatory just adds another thing that can break. Imagine choosing the 10.10.10.0/24 address range as tunnel address range...

> Without seeing your racoon.conf, it looks to me like you may be dealing with
> a routing issue (e.g. there's no route back to your roadwarrior clients in
> iptables)...and in order to route back to your RW clients, you're going to
> need to specify an address block in racoon.conf/mode_cfg to hand out to your
> RW clients via racoon so that iptables can establish a route.

It is not directly a routing issue, since iptables does not do routing. But the issue is that iptables does not know that it must not do NAT for the RW private IP address.

And that leads back to my initial complaint: Why doesn't racoon tell anybody that there is an IP address that the system must send packets to via the IPsec tunnel? (and don't do NAT) Or if it can't, why does it not give the up script the chance to do that?

Goetz
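The NAT problem Goetz describes (iptables masquerading traffic that should instead enter the IPsec tunnel) has a well-known fix that needs no per-client address list: exempt packets matching an outbound IPsec policy from MASQUERADE. The script below is an added illustration, not code from the thread or from ipsec-tools; it assumes the VPN server's LAN is 192.168.1.0/24, its public NIC is eth0, and the iptables policy match is available.

```shell
#!/bin/sh
# Constructed example for the VPN server in the diagram (192.168.1.1 / 1.2.3.5).
# Assumptions: LAN 192.168.1.0/24 and public interface eth0 (both not in the thread).
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Broken nat table: everything leaving via the public NIC is masqueraded,
# including packets for the road warrior's private 10.10.10.128, so their
# source is rewritten before encapsulation and no longer matches the tunnel
# selector that racoon installed in the SPD.
nat_rules_broken() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Corrected nat table: packets that match an outbound IPsec policy are
# accepted (left un-NATed) before the MASQUERADE rule is reached. Rule order
# matters; the exemption must come first. racoon installing the SPD entry
# for the client is enough, no tunnel address pool is required.
nat_rules_fixed() {
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Audit helper: reads a ruleset (e.g. "iptables-save -t nat" output) on stdin
# and returns 0 only if the IPsec exemption precedes the MASQUERADE rule.
ipsec_exempt_before_masq() {
    awk '
        /-m policy --dir out --pol ipsec -j ACCEPT/ && !seen_masq { exempt = 1 }
        /-j MASQUERADE/ { seen_masq = 1 }
        END { exit exempt ? 0 : 1 }
    '
}

# Usage: "sh nat.sh fixed | iptables-restore -n" applies the corrected table
# (root required); "iptables-save -t nat | sh nat.sh check" audits a running host.
case "${1:-}" in
    broken) nat_rules_broken ;;
    fixed)  nat_rules_fixed ;;
    check)  ipsec_exempt_before_masq ;;
esac
```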