* ipsec nat and iptables
@ 2005-08-25 15:27 Info DataCenter1.com
2005-08-26 13:03 ` /dev/rob0
0 siblings, 1 reply; 4+ messages in thread
From: Info DataCenter1.com @ 2005-08-25 15:27 UTC (permalink / raw)
To: iptables
Hello
I'm trying to set up a network-to-network VPN using native IPsec support
on CentOS 4.1
Network A
eth0 = connected to internet
eth1 = connected to private lan 192.168.1.1
Network B
eth0 = connected to Internet
eth1 = connected to private lan 192.168.2.1
From server A I'm able to ping 192.168.2.1 and vice versa, but computers
in the private lan can't see the other side
I'm using pre-shared keys; also I set nat_traversal in racoon
Also I set up my servers as iptables routers:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -i eth1 -o eth0
iptables -A FORWARD -i eth0 -o eth1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i ethY -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
* ipsec nat and iptables
@ 2005-08-25 15:31 Guillermo Calvo
0 siblings, 0 replies; 4+ messages in thread
From: Guillermo Calvo @ 2005-08-25 15:31 UTC (permalink / raw)
To: netfilter
Hello
I'm trying to set up a network-to-network VPN using native IPsec support
on CentOS 4.1
Network A
eth0 = connected to internet
eth1 = connected to private lan 192.168.1.1
Network B
eth0 = connected to Internet
eth1 = connected to private lan 192.168.2.1
From server A I'm able to ping 192.168.2.1 and vice versa, but computers
in the private lan can't see the other side
I'm using pre-shared keys; also I set nat_traversal in racoon
Also I set up my servers as iptables routers:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -i eth1 -o eth0
iptables -A FORWARD -i eth0 -o eth1
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -i ethY -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
Thanks in advance
Guillermo Calvo
* RE: ipsec nat and iptables
@ 2005-08-25 15:45 Gary W. Smith
0 siblings, 0 replies; 4+ messages in thread
From: Gary W. Smith @ 2005-08-25 15:45 UTC (permalink / raw)
To: Guillermo Calvo, netfilter
Guillermo,
There are a few things that need to be done when using IPSEC in order to
traverse the tunnel. First and foremost you need to NOT masquerade the
IPSEC packets. Here's how that is accomplished.
Change:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
To
iptables -t nat -A POSTROUTING -p ! esp -o eth1 -j MASQUERADE
IPSEC will go through iptables twice. First for the IPSEC encoded
packets and finally the decoded packets. You don't want to run the
decoded packets through the POSTROUTING NAT a second time. So
"-p ! esp" becomes your friend here.
Second, you now have private traffic coming in your firewall on the
external interface (because of this second parsing of the packets). So
you need your rules to reflect that. You might want to log everything
before you drop to see what might be getting caught that shouldn't be.
Also, you will need to turn on IP forwarding on the firewall (Which
might also be your problem).
Gary
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org [mailto:netfilter-
> bounces@lists.netfilter.org] On Behalf Of Guillermo Calvo
> Sent: Thursday, August 25, 2005 8:31 AM
> To: netfilter@lists.netfilter.org
> Subject: ipsec nat and iptables
>
>
> Hello
>
> I'm trying to set up a network-to-network VPN using native IPsec support
> on CentOS 4.1
>
>
> Network A
> eth0 = connected to internet
> eth1 = connected to private lan 192.168.1.1
>
> Network B
> eth0 = connected to Internet
> eth1 = connected to private lan 192.168.2.1
>
> From server A I'm able to ping 192.168.2.1 and vice versa, but computers
> in the private lan can't see the other side
>
> I'm using pre-shared keys; also I set nat_traversal in racoon
>
> Also I set my servers like iptables router
> iptables -A INPUT -m state --state INVALID -j DROP
> iptables -A FORWARD -m state --state INVALID -j DROP
> iptables -A OUTPUT -m state --state INVALID -j DROP
>
> iptables -A FORWARD -i eth1 -o eth0
> iptables -A FORWARD -i eth0 -o eth1
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
>
> iptables -A INPUT -i eth0 -j ACCEPT
> iptables -A INPUT -i ethY -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
>
> Thanks in advance
>
> Guillermo Calvo
>
* Re: ipsec nat and iptables
2005-08-25 15:27 ipsec nat and iptables Info DataCenter1.com
@ 2005-08-26 13:03 ` /dev/rob0
0 siblings, 0 replies; 4+ messages in thread
From: /dev/rob0 @ 2005-08-26 13:03 UTC (permalink / raw)
To: netfilter
On Thursday 2005-August-25 10:27, Info DataCenter1.com wrote:
> Network A
> eth0 = connected to internet
> eth1 = connected to private lan 192.168.1.1
>
> Network B
> eth0 = connected to Internet
> eth1 = connected to private lan 192.168.2.1
>
> From server A I'm able to ping 192.168.2.1 and vice versa but
> computers in the private lan can't see the other side
snip
> iptables -A FORWARD -i eth1 -o eth0
> iptables -A FORWARD -i eth0 -o eth1
These rules do nothing.
> iptables -P FORWARD DROP
And then your policy drops that traffic.
--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
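The following script is an added example and not a ruleset posted by anyone in this thread. It puts Gary's three points (keep LAN-to-LAN traffic out of the masquerade, expect decrypted tunnel packets to arrive on the external interface with private addresses, enable IP forwarding) and rob0's observation (a FORWARD rule with no -j target matches and does nothing) into one loadable ruleset for Network A. Everything not stated in the thread is an assumption: the two LANs are taken to be 192.168.1.0/24 and 192.168.2.0/24, the peer gateway's public address is the placeholder PEER (an RFC 5737 documentation address), the kernel is assumed to have the xt_policy match (-m policy), and the IPT and SYSCTL variables exist only so the rules can be printed with IPT=echo SYSCTL=echo instead of loaded. The NAT exemption by destination network is this example's choice, not a rule from the thread.

```shell
#!/bin/sh
# Added example, not a ruleset from the thread. Site-to-site IPsec gateway
# rules for "Network A" (eth0 = Internet, eth1 = LAN).
# Assumptions (not stated on the page): the LANs are /24s, PEER is the
# remote gateway's public address (placeholder, RFC 5737 range), and the
# kernel provides the xt_policy match. IPT and SYSCTL default to the real
# tools; set IPT=echo SYSCTL=echo to print the rules instead of loading them.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
WAN_IF=eth0
LAN_IF=eth1
LOCAL_NET=192.168.1.0/24
REMOTE_NET=192.168.2.0/24
PEER="${PEER:-203.0.113.2}"

gateway_rules() {
    # Gary's last point: the kernel must forward between interfaces at all.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Default-deny as in the original post. Load this from the console:
    # with INPUT DROP set first, a remote session is cut until the accepts land.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    for chain in INPUT FORWARD OUTPUT; do
        $IPT -A "$chain" -m state --state INVALID -j DROP
    done

    # INPUT: replies to our own traffic, then only what IPsec needs from the
    # peer: IKE (UDP 500), NAT-T (UDP 4500) and ESP. The thread's
    # "-i eth0 -j ACCEPT" admitted everything arriving from the Internet.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$PEER" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$PEER" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$WAN_IF" -s "$PEER" -p esp -j ACCEPT

    # FORWARD: every rule carries a -j target (rob0's point). Decrypted
    # tunnel packets re-enter netfilter on eth0 with a private source
    # (Gary's point); "-m policy --pol ipsec" accepts them only if they
    # really came out of an IPsec SA, so a packet from the Internet with a
    # forged 192.168.2.x source is still dropped by the FORWARD policy.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec -j ACCEPT
    # Ordinary Internet access for the LAN, masqueraded below.
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LOCAL_NET" -j ACCEPT

    # NAT: LAN-to-LAN traffic must leave un-NATed, or the peer's policy
    # (192.168.1.0/24 <-> 192.168.2.0/24) never matches. ACCEPT in the nat
    # table means "no NAT for this packet" and must precede the MASQUERADE.
    # Exempting by destination network is this example's choice; the
    # thread's own suggestion is Gary's "-p ! esp" match.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LOCAL_NET" -j MASQUERADE
}

# "sh gateway.sh apply" as root loads the rules; any other invocation only
# defines gateway_rules so it can be dry-run with IPT=echo SYSCTL=echo.
if [ "${1:-}" = apply ]; then
    gateway_rules
fi
```

A dry run with `IPT=echo SYSCTL=echo sh gateway.sh` prints the rules so the ordering (exemption before MASQUERADE, every FORWARD rule with a target) can be reviewed before anything is loaded. Gary's `-p ! esp` is the negation syntax of 2005-era iptables; current releases write the same match as `! -p esp`.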