[prev in list] [next in list] [prev in thread] [next in thread]
List: openswan-users
Subject: Re: [Openswan Users] =?utf-8?q?Routing_through_tunnel=2C_how=3F?=
From: Nick Howitt <n1ck.h0w1tt () gmail ! com>
Date: 2013-09-23 9:19:22
Message-ID: dfb8e912f0e90541b856370b0bc43130 () howitts ! poweredbyclear ! com
[Download RAW message or body]
Oops, yes I forgot the "-t nat" bit and I had my doubts that it would
work. I'm not sure I can give you a good set up. I do not see how
linking subnets 10.131.x.x and 10.172.x.x will ever allow you to get to
server IP 131.x.x.x.
On 2013-09-23 09:56, Morten Brix Pedersen wrote:
> I had to add "-t nat" to that command for it to work.
>
> It doesn't do the trick however.
>
> 2013/9/23 Nick Howitt <n1ck.h0w1tt@gmail.com>
>
> How about:
>
> iptables -I POSTROUTING -s 172.x.x.x/x -d 131.x.x.x -j SNAT --to-source 10.131.x.x
> You should be able to leave out the "-s 172.x.x.x/x" bit if you want.
>
> You will also need a route on your local gateway device to route all traffic to \
> 131.x.x.x via leftsourceip.
> This may not work because I don't know if the POSTROUTING chain will do anything to \
> packets destined for the VPN. No promises here.
> Nick
>
> On 2013-09-23 08:38, Morten Brix Pedersen wrote:
>
> Hi,
>
> I have the following setup:
>
> Side A (me):
> Local ip: 172.x.x.x
> Public ip: z.z.z.z
>
> Side B (them):
> Remote ip: y.y.y.y
>
> They have assigned me address 10.131.x.x which I must NAT all traffic through to \
> get to server ip 131.x.x.x. My server only has one network interface (eth0, with \
> address 172.x.x.x)
> So this is my configuration:
>
> conn vpn
> authby=secret
> forceencaps=yes
> auto=start
> left=%defaultroute
> leftid=z.z.z.z
> leftsourceip=z.z.z.z
> leftsubnet=10.131.x.x/32
> right=y.y.y.y
> rightid=y.y.y.y
> rightsubnet=10.172.x.x/32
> phase2alg=aes256-sha1
> pfs=no
>
> The VPN tunnel is established:
>
> 000 "vpn": 10.131.x.x/32===172.x.x.x[z.z.z.z]...y.y.y.y<y.y.y.y>===10.172.x.x/32; \
> erouted; eroute owner: #3 000 "vpn": myip=z.z.z.z; hisip=unset;
> 000 "vpn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: \
> 100%; keyingtries: 0 000 "vpn": policy: \
> PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: \
> eth0; 000 "vpn": newest ISAKMP SA: #1; newest IPsec SA: #3;
> 000 "vpn": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
> 000 "vpn": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
> 000 "vpn": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
> 000 "vpn": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<N/A>
> 000
> 000 #3: "vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); \
> EVENT_SA_REPLACE in 27560s; newest IPSEC; eroute owner; isakmp#1; idle; \
> import:admin initiate 000 #3: "vpn" esp.86884638 [4]@y.y.y.y \
> esp.a7324109@172.31.2.203 tun.0@y.y.y.y tun.0@172.31.x.x ref=0 refhim=4294901761 \
> 000 #1: "vpn":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in \
> 2076s; newest ISAKMP; lastdpd=4s(seq in:0 out:0); idle; import:admin initiate
> Now I must access server ip 131.x.x.x but NAT it through our assigned ip address \
> 1.131.x.x.
> How can I do that?
>
> Thanks.
>
> - Morten.
>
> _______________________________________________
> Users@lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users [1]
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 [3]
>
> _______________________________________________
> Users@lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users [1]
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy [2]
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155 [3]
Links:
------
[1] https://lists.openswan.org/mailman/listinfo/users
[2] https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
[3]
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
[4] tel:86884638
[Attachment #3 (unknown)]
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">
<html><body style='font-family: Arial,Helvetica,sans-serif'>
<p>Oops, yes I forgot the "-t nat" bit and I had my doubts that it would work. I'm \
not sure I can give you a good set up. I do not see how linking subnets 10.131.x.x \
and 10.172.x.x will ever allow you to get to server IP 131.x.x.x.</p> <p>On \
2013-09-23 09:56, Morten Brix Pedersen wrote:</p> <blockquote type="cite" \
style="padding-left:5px; border-left:#1010ff 2px solid; margin-left:5px"><!-- html \
ignored --><!-- head ignored --><!-- meta ignored --> <div dir="ltr">I had to add "-t \
nat" to that command for it to work. <div> </div>
<div>It doesn't do the trick however.</div>
</div>
<div class="gmail_extra"><br /><br />
<div class="gmail_quote">2013/9/23 Nick Howitt <span><<a \
href="mailto:n1ck.h0w1tt@gmail.com">n1ck.h0w1tt@gmail.com</a>></span><br /> \
<blockquote class="gmail_quote" style="margin: 0 0 0 .8ex; border-left: 1px #ccc \
solid; padding-left: 1ex;"><span style="text-decoration: underline;"></span> <div \
style="font-family: Arial,Helvetica,sans-serif;"> <p>How about:</p>
<p>iptables -I POSTROUTING -s 172.x.x.x/x -d 131.x.x.x -j \
SNAT<strong> </strong>--to-source 10.131.x.x<br />You should be able to leave \
out the "-s 172.x.x.x/x" bit if you want.</p> <p>You will also need a route on your \
local gateway device to route all traffic to 131.x.x.x via leftsourceip.</p> <p>This \
may not work because I don't know if the POSTROUTING chain will do anything to \
packets destined for the VPN. No promises here.</p> <p>Nick</p>
<div>
<div class="h5">
<p>On 2013-09-23 08:38, Morten Brix Pedersen wrote:</p>
</div>
</div>
<blockquote style="padding-left: 5px; border-left: #1010ff 2px solid; margin-left: \
5px;"> <div>
<div class="h5">
<div dir="ltr">Hi,
<div> </div>
<div>I have the following setup:</div>
<div> </div>
<div>Side A (me):</div>
<div>Local ip: 172.x.x.x</div>
<div>Public ip: z.z.z.z</div>
<div> </div>
<div>Side B (them):</div>
<div>Remote ip: y.y.y.y</div>
<div> </div>
<div>They have assigned me address 10.131.x.x which I must NAT all traffic through to \
get to server ip 131.x.x.x. My server only has one network interface (eth0, with \
address 172.x.x.x)</div> <div> </div>
<div>So this is my configuration:</div>
<div> </div>
<div>
<div>conn vpn</div>
<div> authby=secret</div>
<div> forceencaps=yes</div>
<div> auto=start</div>
<div> left=%defaultroute</div>
<div> leftid=z.z.z.z</div>
<div> leftsourceip=z.z.z.z</div>
<div> leftsubnet=10.131.x.x/32</div>
<div> right=y.y.y.y</div>
<div> rightid=y.y.y.y</div>
<div> rightsubnet=10.172.x.x/32</div>
<div> phase2alg=aes256-sha1</div>
<div> pfs=no</div>
</div>
<div> </div>
<div>The VPN tunnel is established:</div>
<div> </div>
<div>
<div>000 "vpn": 10.131.x.x/32===172.x.x.x[z.z.z.z]...y.y.y.y<y.y.y.y>===10.172.x.x/32; \
erouted; eroute owner: #3</div> <div>000 "vpn": myip=z.z.z.z; \
hisip=unset;</div> <div>000 "vpn": ike_life: 3600s; ipsec_life: 28800s; \
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0</div> <div>000 "vpn": \
policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; \
interface: eth0;</div> <div>000 "vpn": newest ISAKMP SA: #1; newest IPsec SA: \
#3;</div> <div>000 "vpn": IKE algorithm newest: \
3DES_CBC_192-SHA1-MODP1024</div> <div>000 "vpn": ESP algorithms wanted: \
AES(12)_256-SHA1(2)_000; flags=-strict</div> <div>000 "vpn": ESP algorithms \
loaded: AES(12)_256-SHA1(2)_160</div> <div>000 "vpn": ESP algorithm newest: \
AES_256-HMAC_SHA1; pfsgroup=<N/A></div> <div>000</div>
<div>000 #3: "vpn":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); \
EVENT_SA_REPLACE in 27560s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin \
initiate</div> <div>000 #3: "vpn" esp.<a href="tel:86884638">86884638</a>@y.y.y.y <a \
href="mailto:esp.a7324109@172.31.2.203">esp.a7324109@172.31.2.203</a> tun.0@y.y.y.y \
tun.0@172.31.x.x ref=0 refhim=4294901761</div> <div>000 #1: "vpn":4500 STATE_MAIN_I4 \
(ISAKMP SA established); EVENT_SA_REPLACE in 2076s; newest ISAKMP; lastdpd=4s(seq \
in:0 out:0); idle; import:admin initiate</div> </div>
<div> </div>
<div> </div>
<div>Now I must access server ip 131.x.x.x but NAT it through our assigned ip address \
1.131.x.x.</div> <div> </div>
<div>How can I do that?</div>
<div> </div>
<div>Thanks.</div>
<div> </div>
<div> - Morten.</div>
</div>
</div>
</div>
<pre>_______________________________________________
<a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a>
<a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a>
Building and Integrating Virtual Private Networks with Openswan:
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a>
</pre>
</blockquote>
</div>
<br />_______________________________________________<br /><a \
href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br /><a \
href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a><br \
/> Micropayments: <a \
href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br \
/> Building and Integrating Virtual Private Networks with Openswan:<br /><a \
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br \
/><br /></blockquote> </div>
</div>
</blockquote>
</body></html>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic