PREROUTING, DNAT and IPSEC

PREROUTING, DNAT and IPSEC

[danci]

Hi!

I have three networks which are connected via IPSEC. One of them is 
'primary' - that means it is used for all incoming stuff (mail, web, ...), 
the other are 'remote'.

I need to allow some clients to connect to specific hosts inside of those 
networks - two TCP connections in each network.

Since I'd like to keep things centralised and network performance is not a 
huge issue, I was going to do a PREROUTING DNAT for those connection, 
using unique listening ports and DNAT-ing them to three internal IPs - one 
of them is in the 'primary' network, the other two are on the 'remote' 
networks.

While this works fine for the IP in the 'primary' network, it doesn't work 
for the other two. I guess it has something to do with IPSEC, but I can't 
figure it out.

Any ideas?

  Danilo

PS: The 'primary' IPSEC server is SuSE 9.1 with 2.6.5 kernel and 
freeswan-2.04_1.5.4 installed - it has no ipsec0 interface. The other 
IPSEC machines have older distibtutions, kernel and freeswan (1.91_0.9.1 
in one case).

Re: PREROUTING, DNAT and IPSEC

[Taylor, Grant]

Danilo could we get an example network layout including IPs and subnets and information on what your IPSec structure looks like as well as a desired traffic setup?



Grant. . . .