From: Patrick Selder <pselder@xs4all.nl>
To: netfilter@lists.netfilter.org
Subject: IPsec forwarding problem
Date: 21 Nov 2003 11:30:47 +0100
Message-ID: <1069410647.1502.74.camel@shadow.internal.client.nl>

I have a special situation with forwarding IPsec packets to an internal
network card.

Let me explain the situation.
The firewall has three network cards.
eth0 = internal lan (192.168.x.x)
eth1 = external internet (213.x.x.x)
eth2 = internal lan for the special ipsec box (10.x.x.x external and
192.168.x.x internal)

               /---- eth0 --------------------\
--- eth1 -----/                                \----- 192.168.x.x
              \                                /
               \---- eth2 ----- ipsec box ----/

The black box provided by an external supplier is set up to build a VPN
with them. I cannot change the config. The box is preconfigured. The
subnet that has to be routed to the external supplier is 172.16.2.x.

The firewall had a route that sends this subnet to the IP on the
internal eth0 interface.

The irony is that I had this working but wanted to tighten the security
and didn't save the working rule set.

I want packets that arrive on eth1 from the external supplier to be
forwarded to the eth2 interface. This works already for UDP port 500. I
get the following to verify this: "isakmp: phase 2/others R
oakley-quick[E]: [encrypted hash] (DF)"
IPsec packets that come from eth2 are routed to the external eth1
interface. Only they have the 10.x.x.x IP as their source IP, and I want
it to be the external IP, or else the routing goes wrong.

The firewall itself also runs IPsec for a VPN. So filtering on which
IP the IPsec packets are coming from and have to be forwarded is a must.

I tried several pass-through examples from various sites, but these
don't seem to work.

It comes down to:
- Forward IPsec packets to eth2
- Route packets from eth2 out to eth1 with correct source ip.

Hope someone has an answer...

Patrick
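The two items the post boils down to (forward the supplier's IPsec to eth2, and send the box's replies out of eth1 with the external address as source) map onto three groups of netfilter rules: DNAT in PREROUTING for ESP (IP protocol 50), AH (51) and IKE (UDP 500) coming from the supplier's gateway only, matching ACCEPTs in FORWARD, and one SNAT in POSTROUTING. The script below is an added example written for this thread, not the poster's lost rule set; the interface names follow the post, while the three addresses are constructed placeholders to replace with the real ones. The `-s` match on the supplier's gateway is the part that keeps the firewall's own IPsec peers out of the pass-through: ESP and AH carry no port numbers, so without it every ESP packet arriving on eth1 would be handed to the box.

```shell
#!/bin/sh
# Added example (not from the original post): iptables rules that pass one
# supplier's IPsec traffic through the firewall to a separate IPsec box on
# eth2 and SNAT the box's replies on the way out. Addresses are placeholders.
EXT_IF="eth1"               # towards the internet / the supplier
BOX_IF="eth2"               # towards the IPsec box
FW_EXT_IP="203.0.113.10"    # firewall's public address (constructed placeholder)
SUPPLIER_IP="198.51.100.5"  # supplier's IPsec gateway (constructed placeholder)
BOX_IP="10.0.0.2"           # IPsec box's 10.x address on BOX_IF (constructed placeholder)

# Print, one per line, the iptables commands implementing the pass-through.
# Printing instead of executing lets the rule set be reviewed or saved
# before it is applied (the post's original set was lost unsaved).
ipsec_passthrough_rules() {
    # 1. Inbound DNAT, restricted to the supplier's gateway. ESP and AH have no
    #    ports, so the source match is the only thing separating this traffic
    #    from IPsec meant for the firewall itself.
    for proto in esp ah; do
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p %s -j DNAT --to-destination %s\n' \
            "$EXT_IF" "$SUPPLIER_IP" "$FW_EXT_IP" "$proto" "$BOX_IP"
    done
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p udp --dport 500 -j DNAT --to-destination %s\n' \
        "$EXT_IF" "$SUPPLIER_IP" "$FW_EXT_IP" "$BOX_IP"

    # 2. FORWARD: accept exactly these flows in both directions between the two
    #    interfaces; everything else between eth1 and eth2 stays at policy.
    for proto in esp ah; do
        printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s -j ACCEPT\n' \
            "$EXT_IF" "$BOX_IF" "$SUPPLIER_IP" "$BOX_IP" "$proto"
        printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s -j ACCEPT\n' \
            "$BOX_IF" "$EXT_IF" "$BOX_IP" "$SUPPLIER_IP" "$proto"
    done
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p udp --dport 500 -j ACCEPT\n' \
        "$EXT_IF" "$BOX_IF" "$SUPPLIER_IP" "$BOX_IP"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p udp --dport 500 -j ACCEPT\n' \
        "$BOX_IF" "$EXT_IF" "$BOX_IP" "$SUPPLIER_IP"

    # 3. Outbound SNAT: the box's 10.x source address becomes the firewall's
    #    public address, so the supplier sees replies from the peer it sent to.
    #    Limiting it to the supplier's address leaves other eth2 traffic alone.
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -j SNAT --to-source %s\n' \
        "$EXT_IF" "$BOX_IP" "$SUPPLIER_IP" "$FW_EXT_IP"
}

case "${1:-}" in
    --apply) ipsec_passthrough_rules | sh ;;   # execute the rules (needs root)
    *)       ipsec_passthrough_rules ;;        # default: just print them for review
esac
```

Run it without arguments to inspect the rules, then with `--apply` as root to load them. Two things the rules do not cover: the route for 172.16.2.x has to point at the box's 192.168.x.x side on eth0 (routing, not netfilter), and because connection tracking keys ESP only on the address pair, this mapping is unambiguous for a single supplier gateway but a second external peer using the same public address would collide with it.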
